Some of these may be false-positives. You should review closely before taking action.
| # of affected certificates | CA | CCADB Owner | Severity | Description |
|---|---|---|---|---|
| 4514 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 4514 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4 | DigiCert | W | Extension should be critical for KeyUsage |
| 4514 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 4418 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 | DigiCert | W | Extension should be critical for KeyUsage |
| 4418 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 4418 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 4408 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5 | DigiCert | W | Extension should be critical for KeyUsage |
| 4408 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 4408 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 4354 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 4354 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 4354 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1 | DigiCert | W | Extension should be critical for KeyUsage |
| 1345 | C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Domain Validation Authority - G2 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 1152 | C=PL, O=nazwa.pl sp. z o.o., OU=http://nazwa.pl, CN=nazwaSSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension |
| 1152 | C=PL, O=nazwa.pl sp. z o.o., OU=http://nazwa.pl, CN=nazwaSSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Certificate Policies should not contain notice references |
| 581 | C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2 | QuoVadis | W | TLS Server auth certificates should not contain IPSec User usage |
| 581 | C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2 | QuoVadis | W | TLS Server auth certificates should not contain IPSec Tunnel usage |
| 581 | C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2 | QuoVadis | W | TLS Server auth certificates should not contain IPSec End System usage |
| 565 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=FujiSSL Public Validation Authority - G3 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 478 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=KDDI Web Communications Certification Authority 3 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 305 | C=JP, O=National Institute of Informatics, CN=NII Open Domain CA - G5 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 273 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web SR 3.0 CA | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 267 | C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2 | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Name has deprecated attribute emailAddress |
| 193 | C=PL, O=home.pl S.A., CN=Certyfikat SSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Name has deprecated attribute emailAddress |
| 106 | CN=ACCVCA-120, OU=PKIACCV, O=ACCV, C=ES | Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) | W | Name has unknown attribute 2.5.4.97 |
| 32 | C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Organization Validation Authority - G2 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 30 | C=FR, O=DHIMYOTIS, OU=0002 48146308100036, 2.5.4.97=NTRFR-48146308100036, CN=Certigna Services CA | Dhimyotis / Certigna | W | Name has unknown attribute 2.5.4.97 |
| 28 | C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Organization Validation CA SHA2 | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Name has deprecated attribute emailAddress |
| 23 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=CrossTrust DV CA5 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 20 | C=CN, O=China Financial Certification Authority, CN=CFCA OV OCA | China Financial Certification Authority (CFCA) | W | Extension should be critical for KeyUsage |
| 17 | C=FR, O=Certinomis, 2.5.4.97=NTRFR-433998903, CN=Certinomis - Web CA | Certinomis / Docapost | W | Name has unknown attribute 2.5.4.97 |
| 14 | C=US, ST=Texas, O=ATT Services Inc, OU=ATT Wi-Fi Services, CN=ATT Wi-Fi Services Managed Device Certificate Authority G3 | W | Certificate does not include authorityInformationAccess. BRs require OCSP stapling for this certificate. | |
| 14 | C=ES, O=CONSORCI ADMINISTRACIO OBERTA DE CATALUNYA, OU=Serveis Públics de Certificació, CN=EC-SectorPublic | Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) | W | Name has unknown attribute 2.5.4.97 |
| 12 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web EV 2.0 CA | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 11 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=CrossTrust OV CA5 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 11 | C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Easy CA | Certinomis / Docapost | W | Name has unknown attribute 2.5.4.97 |
| 10 | C=FR, O=DHIMYOTIS, OU=0002 48146308100036, 2.5.4.97=NTRFR-48146308100036, CN=Certigna Wild CA | Dhimyotis / Certigna | W | Name has unknown attribute 2.5.4.97 |
| 10 | C=PL, O=nazwa.pl sp. z o.o., OU=http://nazwa.pl, CN=nazwaSSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | commonNames in BR certificate contains U-labels |
| 10 | CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | DigiCert | W | Unknown Extension: 1.2.840.113635.100.6.27.7.2 |
| 10 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=EINS/PKI Public Certification Authority V4 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 10 | CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | DigiCert | W | Unknown Extension: 1.2.840.113635.100.6.27.15.2 |
| 10 | C=ES, O=FNMT-RCM, OU=AC Componentes Informáticos | Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) | W | Name has unknown attribute 2.5.4.97 |
| 10 | CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | DigiCert | W | Unknown Extension: 1.2.840.113635.100.6.27.11.2 |
| 6 | C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Class I CA SHA2 | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Name has deprecated attribute emailAddress |
| 6 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA-2 RADIUS CA | DigiCert | W | TLS Server auth certificates should not contain 1.3.6.1.5.5.7.3.14 usage |
| 5 | C=PL, O=home.pl S.A., CN=Certyfikat SSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension |
| 5 | C=PL, O=home.pl S.A., CN=Certyfikat SSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Certificate Policies should not contain notice references |
| 4 | C=ES, O=IZENPE S.A., OU=BZ Ziurtagiri publikoa - Certificado publico EV, CN=CA de Certificados SSL EV | Izenpe S.A. | W | Name has unknown attribute 2.5.4.97 |
| 4 | CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | DigiCert | W | Unknown Extension: 1.2.840.113635.100.6.48.1 |
| 4 | C=ES, O=FNMT-RCM, OU=CERES, serialNumber=Q2826004J, CN=AC Administración Pública | Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) | W | Name has unknown attribute 2.5.4.97 |
| 4 | C=ES, O=IZENPE S.A., OU=BZ Ziurtagiri publikoa - Certificado publico EV, CN=CA de Certificados SSL EV | Izenpe S.A. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 4 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | DigiCert | W | Extension should be critical for KeyUsage |
| 4 | C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Organisatie Services CA - G3 | Government of The Netherlands, PKIoverheid (Logius) | W | Name has unknown attribute 2.5.4.97 |
| 4 | C=CN, O=WoTrus CA Limited, CN=WoTrus OV SSL CA | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Duplicate SAN entry |
| 3 | C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA | T-Systems International GmbH (Deutsche Telekom) | W | TLS Server auth certificates should not contain Microsoft Smartcardlogin usage |
| 3 | C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA | DigiCert | W | Unknown Extension: 1.3.6.1.4.1.11129.2.1.22 |
| 3 | C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2 | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Duplicate SAN entry |
| 3 | C=PL, O=Dreamcommerce S.A., OU=Dreamcommerce S.A., CN=Shoper® SSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension |
| 3 | C=PL, O=Dreamcommerce S.A., OU=Dreamcommerce S.A., CN=Shoper® SSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Certificate Policies should not contain notice references |
| 3 | C=CN, O=China Financial Certification Authority, CN=CFCA EV OCA | China Financial Certification Authority (CFCA) | W | Extension should be critical for KeyUsage |
| 3 | C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Organisatie Persoon CA - G3 | Government of The Netherlands, PKIoverheid (Logius) | W | Name has unknown attribute 2.5.4.97 |
| 3 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5 | DigiCert | W | Duplicate SAN entry |
| 3 | C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA | T-Systems International GmbH (Deutsche Telekom) | W | Microsoft extension 1.3.6.1.4.1.311.20.2 treated as opaque extension |
| 3 | C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA | T-Systems International GmbH (Deutsche Telekom) | W | TLS Server auth certificates should not contain 1.3.6.1.5.2.3.5 usage |
| 3 | C=JP, O=CrossTrust, CN=CrossTrust DV CA4 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 3 | C=JP, O="Nijimo, Inc.", CN=FujiSSL Public Certification Authority - G2 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 3 | C=JP, O=Fuji Xerox, CN=Fuji Xerox Xnet CA - S2 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 2 | CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | DigiCert | W | Unknown Extension: 1.2.840.113635.100.6.27.11.1 |
| 2 | CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | DigiCert | W | Unknown Extension: 1.2.840.113635.100.6.27.15.1 |
| 2 | CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | DigiCert | W | Unknown Extension: 1.2.840.113635.100.6.27.7.1 |
| 2 | C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Deutsche Post, CN=DPDHL TLS SHA2 CA I3 | GlobalSign | E | Control character found in String in CertificatePolicies |
| 2 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | DigiCert | E | Wildcard to immediate left of public suffix in SAN |
| 2 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4 | DigiCert | W | Duplicate SAN entry |
| 2 | C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2 | Asseco Data Systems S.A. (previously Unizeto Certum) | W | commonNames in BR certificate contains U-labels |
| 2 | C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Deutsche Post, CN=DPDHL TLS SHA2 CA I3 | GlobalSign | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 2 | C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Deutsche Post, CN=DPDHL TLS SHA2 CA I3 | GlobalSign | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 2 | C=PL, O=Unizeto Technologies S.A., OU=SpaceSSL Certification Authority, CN=SpaceSSL CA | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Name has deprecated attribute emailAddress |
| 2 | C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Deutsche Post, CN=DPDHL TLS SHA2 CA I3 | GlobalSign | E | Control character found in String in CPSuri |
| 2 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert ECC Extended Validation Server CA | DigiCert | W | Unknown Extension: 2.23.140.1.31 |
| 2 | C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden Burger CA - G3 | Government of The Netherlands, PKIoverheid (Logius) | W | Name has unknown attribute 2.5.4.97 |
| 2 | C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA | T-Systems International GmbH (Deutsche Telekom) | W | Name has multiple commonName attributes |
| 2 | C=CN, O="Global Digital Cybersecurity Authority Co., Ltd.", CN=GDCA TrustAUTH R4 DV SSL CA G2 | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Duplicate SAN entry |
| 2 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA | DigiCert | W | Unknown Extension: 2.23.140.1.31 |
| 2 | C=CN, O=China Financial Certification Authority, CN=CFCA OV OCA | China Financial Certification Authority (CFCA) | W | Duplicate SAN entry |
| 1 | C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1K | Entrust | W | Extension should be critical for KeyUsage |
| 1 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 | DigiCert | W | Duplicate SAN entry |
| 1 | C=ES, O=FNMT-RCM, OU=AC Componentes Informáticos | Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) | W | Duplicate SAN entry |
| 1 | C=DE, O=T-Systems International GmbH, OU=T-Systems Trust Center, CN=TeleSec Business CA 1 | T-Systems International GmbH (Deutsche Telekom) | W | Duplicate SAN entry |
| 1 | C=US, ST=CA, L=San Francisco, O="CloudFlare, Inc.", CN=CloudFlare Inc ECC CA-2 | DigiCert | E | Wildcard to immediate left of public suffix in SAN |
| 1 | C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2 | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Certificate Policies should not contain notice references |
| 1 | C=PL, O=home.pl S.A., CN=Certyfikat SSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | commonNames in BR certificate contains U-labels |
| 1 | C=TW, O=行政院, OU=政府憑證管理中心 | Government of Taiwan, Government Root Certification Authority (GRCA) | W | Name has multiple localityName attributes |
| 1 | C=PL, O=Dreamcommerce S.A., OU=Dreamcommerce S.A., CN=Shoper® SSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | commonNames in BR certificate contains U-labels |
| 1 | C=JP, O="Nijimo, Inc.", CN=FujiSSL Public Certification Authority - G1 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 1 | C=CN, O=WoSign CA Limited, CN=WoSign OV SSL CA | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Certificate Policies should not contain notice references |
| 1 | C=DE, ST=Bayern, L=Muenchen, O=Max-Planck-Gesellschaft, CN=MPG CA - G02 | T-Systems International GmbH (Deutsche Telekom) | W | Name has multiple commonName attributes |
| 1 | C=CN, O=WoSign CA Limited, CN=WoSign DV SSL CA | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Certificate Policies should not contain notice references |
| 1 | C=FR, O=Certinomis, 2.5.4.97=NTRFR-433998903, CN=Certinomis - Safe CA | Certinomis / Docapost | W | Name has unknown attribute 2.5.4.97 |
| 1 | CN=ACCVCA-120, OU=PKIACCV, O=ACCV, C=ES | Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) | E | BR certificates must not contain directoryName type alternative name |
| 1 | C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2 | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension |
| 1 | C=JP, O=KDDI Web Communications Inc., CN=KDDI Web Communications Certification Authority 2 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 1 | C=ES, O=Firmaprofesional S.A., OU=Security Services, serialNumber=A62634068, CN=AC Firmaprofesional - INFRAESTRUCTURA | Autoridad de Certificacion Firmaprofesional | W | Name has unknown attribute 2.5.4.97 |
| 1 | C=DE, ST=Thueringen, L=Jena, O=Universitaet Jena, CN=Universitaet Jena CA - G01, emailAddress=pki@uni-jena.de | T-Systems International GmbH (Deutsche Telekom) | W | Extension should be critical for KeyUsage |
| 1 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Secure Site Pro Extended Validation CA | DigiCert | E | EV certificates must include localityName in subject |
| 1 | C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1K | Entrust | W | Duplicate SAN entry |
| 1 | C=PT, O=MULTICERT - Serviços de Certificação Electrónica S.A., OU=Certification Authority, CN=MULTICERT SSL Certification Authority 001 | AC Camerfirma, S.A. / MULTICERT | W | BR certificates should include an HTTP URL of the issuing CA's certificate |