CABlint recent error summary since 2021-05-04

Some of these may be false-positives. You should review closely before taking action.

# of affected certificates CA CCADB Owner Severity Description
61427 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
61427 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
61403 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 02 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
61403 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 02 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
40962 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
40962 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
40565 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 06 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
40565 C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 06 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
32096 C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 DigiCert W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
32096 C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 DigiCert W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
31155 C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 DigiCert W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
31155 C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 DigiCert W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
20741 C=US, ST=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 GoDaddy W BR certificates should be 397 days in validity or less
11785 C=US, O="Cloudflare, Inc.", CN=Cloudflare Inc ECC CA-3 DigiCert W Unknown Extension: 1.3.6.1.4.1.11129.2.1.22
5792 C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2 GlobalSign nv-sa W BR certificates should be 397 days in validity or less
4792 C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R3 DV TLS CA 2020 GlobalSign nv-sa W BR certificates should be 397 days in validity or less
2461 C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 GlobalSign nv-sa W BR certificates should be 397 days in validity or less
2290 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - SHA256 - G3 GlobalSign nv-sa W BR certificates should be 397 days in validity or less
1730 C=US, ST=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2 GoDaddy W BR certificates should be 397 days in validity or less
369 C=JP, O="SECOM Trust Systems CO.,LTD.", CN=FujiSSL Public Validation Authority - G3 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
210 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Extended Validation CA - SHA256 - G3 GlobalSign nv-sa W EV certificates should be 397 days in validity or less
185 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 GlobalSign nv-sa W BR certificates should be 397 days in validity or less
125 C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web SR 3.0 CA SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
98 C=US, O=Amazon, OU=Server CA 1B, CN=Amazon Amazon Trust Services W BR certificates should be 397 days in validity or less
92 C=US, ST=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 GoDaddy W EV certificates should be 397 days in validity or less
50 C=BR, O=Rede Nacional de Ensino e Pesquisa - RNP, CN=RNP ICPEdu OV SSL CA 2019 GlobalSign nv-sa W BR certificates should be 397 days in validity or less
30 C=JP, O="SECOM Trust Systems CO.,LTD.", CN=CrossTrust DV CA5 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
29 C=CN, O=China Financial Certification Authority, CN=CFCA OV OCA China Financial Certification Authority (CFCA) W Extension should be critical for KeyUsage
25 C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA DigiCert W BR certificates should be 397 days in validity or less
23 C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA Deutsche Telekom Security GmbH W BR certificates should be 397 days in validity or less
20 C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web EV 2.0 CA SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
20 C=US, ST=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2 GoDaddy W EV certificates should be 397 days in validity or less
20 C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA Deutsche Telekom Security GmbH W Microsoft extension 1.3.6.1.4.1.311.20.2 treated as opaque extension
20 C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA Deutsche Telekom Security GmbH W TLS Server auth certificates should not contain Signing KDC Response usage
20 C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA Deutsche Telekom Security GmbH W TLS Server auth certificates should not contain Microsoft Smartcard Login usage
14 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA DigiCert W Unknown Extension: 1.3.6.1.4.1.44363.44
12 C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018 GlobalSign nv-sa W BR certificates should be 397 days in validity or less
11 CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US DigiCert W Unknown Extension: 1.2.840.113635.100.6.27.15.2
11 CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US DigiCert W Unknown Extension: 1.2.840.113635.100.6.27.11.2
11 CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US DigiCert W Unknown Extension: 1.2.840.113635.100.6.27.7.2
11 C=JP, O="SECOM Trust Systems CO.,LTD.", CN=EINS/PKI Public Certification Authority V4 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
10 C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3 GlobalSign nv-sa W BR certificates should be 397 days in validity or less
10 C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 DigiCert W Extension should be critical for KeyUsage
9 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G3 GlobalSign nv-sa W BR certificates should be 397 days in validity or less
9 C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL CA 3 DigiCert E BR certificates must be 825 days in validity or less
8 C=IT, ST=Bergamo, L=Ponte San Pietro, O=Actalis S.p.A., CN=Actalis Domain Validation Server CA G3 Actalis W BR certificates should be 397 days in validity or less
8 C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 DigiCert W Extension should be critical for KeyUsage
8 C=BR, O=VALID CERTIFICADORA DIGITAL, CN=Valid Certificadora Digital AlphaSSL CA 2018 GlobalSign nv-sa W BR certificates should be 397 days in validity or less
7 C=JP, O="SECOM Trust Systems CO.,LTD.", CN=CrossTrust OV CA5 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
6 C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 01 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
6 C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 01 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
5 C=US, O=DigiCert Inc, CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1 DigiCert W BR certificates should be 397 days in validity or less
5 C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 06 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
5 C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 06 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
5 C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 02 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
5 C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 02 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
5 C=US, O=DigiCert Inc, CN=GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 DigiCert W BR certificates should be 397 days in validity or less
5 C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA DigiCert E BR certificates must be 825 days in validity or less
4 C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2 QuoVadis W TLS Server auth certificates should not contain IPSec End System usage
4 C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2 QuoVadis W TLS Server auth certificates should not contain IPSec Tunnel usage
4 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA DigiCert W BR certificates should be 397 days in validity or less
4 CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US DigiCert W Unknown Extension: 1.2.840.113635.100.6.48.1
4 C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2 QuoVadis W TLS Server auth certificates should not contain IPSec User usage
3 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA DigiCert W EV certificates should be 397 days in validity or less
3 C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R3 EV QWAC CA 2020 GlobalSign nv-sa W EV certificates should be 397 days in validity or less
3 C=DE, ST=Bayern, L=Muenchen, O=Fraunhofer, OU=Fraunhofer Corporate PKI, CN=Fraunhofer Service CA - G02 Deutsche Telekom Security GmbH W TLS Server auth certificates should not contain Microsoft Smartcard Login usage
3 C=CN, O=China Financial Certification Authority, CN=CFCA EV OCA China Financial Certification Authority (CFCA) W Extension should be critical for KeyUsage
3 C=US, ST=Texas, L=Houston, O=SSL Corporation, CN=SSL.com RSA SSL subCA SSL.com W BR certificates should be 397 days in validity or less
3 C=DE, ST=Bayern, L=Muenchen, O=Fraunhofer, OU=Fraunhofer Corporate PKI, CN=Fraunhofer Service CA - G02 Deutsche Telekom Security GmbH W TLS Server auth certificates should not contain Signing KDC Response usage
3 C=DE, ST=Bayern, L=Muenchen, O=Fraunhofer, OU=Fraunhofer Corporate PKI, CN=Fraunhofer Service CA - G02 Deutsche Telekom Security GmbH W Microsoft extension 1.3.6.1.4.1.311.20.2 treated as opaque extension
3 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018 DigiCert W BR certificates should be 397 days in validity or less
2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte RSA CA 2018 DigiCert W BR certificates should be 397 days in validity or less
2 C=BR, O=VALID CERTIFICADORA DIGITAL, CN=Valid Certificadora Digital SSL EV CA 2018 GlobalSign nv-sa W EV certificates should be 397 days in validity or less
2 C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1 DigiCert W Extension should be critical for KeyUsage
2 C=BR, O=VALID CERTIFICADORA DIGITAL, CN=Valid Certificadora Digital SSL DV CA 2018 GlobalSign nv-sa W BR certificates should be 397 days in validity or less
2 C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 05 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
2 C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 05 DigiCert / Microsoft Corporation W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
1 C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL CA G3 QuoVadis W TLS Server auth certificates should not contain IPSec End System usage
1 C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL CA G3 QuoVadis W TLS Server auth certificates should not contain IPSec User usage
1 C=DE, ST=Sachsen, L=Dresden, O=Technische Universitaet Dresden, CN=TU Dresden CA Deutsche Telekom Security GmbH W Microsoft extension 1.3.6.1.4.1.311.20.2 treated as opaque extension
1 C=DE, ST=Sachsen, L=Dresden, O=Technische Universitaet Dresden, CN=TU Dresden CA Deutsche Telekom Security GmbH W TLS Server auth certificates should not contain Signing KDC Response usage
1 C=DE, ST=Sachsen, L=Dresden, O=Technische Universitaet Dresden, CN=TU Dresden CA Deutsche Telekom Security GmbH W TLS Server auth certificates should not contain Microsoft Smartcard Login usage
1 C=DE, ST=Bayern, L=Muenchen, O=Max-Planck-Gesellschaft, CN=MPG CA - G02 Deutsche Telekom Security GmbH W BR certificates should be 397 days in validity or less
1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust EV RSA CA 2018 DigiCert W EV certificates should be 397 days in validity or less
1 C=TW, O=行政院, CN=政府伺服器數位憑證管理中心 - G1 Chunghwa Telecom W Name has multiple localityName attributes
1 C=CN, O="TrustAsia Technologies, Inc.", CN=TrustAsia OV TLS Pro CA G3 DigiCert W BR certificates should be 397 days in validity or less
1 C=ES, O=FNMT-RCM, OU=AC Componentes Informáticos Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) E Constraint failure in X520CommonName: ASN.1 constraint check failed: UTF8String: constraint failed (X520CommonName.c:174)
1 C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - SHA256 - G2 GlobalSign nv-sa W BR certificates should be 397 days in validity or less
1 C=BR, O=SOLUTI - SOLUCOES EM NEGOCIOS INTELIGENTES S/A, CN=Soluti CA - OV GlobalSign nv-sa W BR certificates should be 397 days in validity or less
1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA DigiCert W Unknown Extension: 2.23.140.1.31
1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA DigiCert W Extension should be critical for KeyUsage
1 C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 DigiCert W Unknown Extension: 1.3.6.1.4.1.11129.2.1.22
1 C=DE, ST=Bayern, L=Muenchen, O=Fraunhofer, OU=Fraunhofer Corporate PKI, CN=Fraunhofer Service CA - G02 Deutsche Telekom Security GmbH W BR certificates should be 397 days in validity or less
1 C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL CA G3 QuoVadis W TLS Server auth certificates should not contain IPSec Tunnel usage