CABlint recent error summary since 2018-10-14

Some of these may be false positives. You should review closely before taking action.

# of affected certificates | CA | CCADB Owner | Severity | Description
1872 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5 DigiCert W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
1872 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5 DigiCert W Extension should be critical for KeyUsage
1872 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5 DigiCert W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
1871 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 DigiCert W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
1871 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 DigiCert W Extension should be critical for KeyUsage
1871 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 DigiCert W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
1796 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4 DigiCert W Extension should be critical for KeyUsage
1796 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4 DigiCert W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
1796 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4 DigiCert W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
1785 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1 DigiCert W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
1785 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1 DigiCert W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
1785 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1 DigiCert W Extension should be critical for KeyUsage
1026 C=PL, O=nazwa.pl sp. z o.o., OU=http://nazwa.pl, CN=nazwaSSL Asseco Data Systems S.A. (previously Unizeto Certum) W Certificate Policies should not contain notice references
1026 C=PL, O=nazwa.pl sp. z o.o., OU=http://nazwa.pl, CN=nazwaSSL Asseco Data Systems S.A. (previously Unizeto Certum) W Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension
710 C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Domain Validation Authority - G2 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
301 C=JP, O="Nijimo, Inc.", CN=FujiSSL Public Certification Authority - G2 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
270 C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2 QuoVadis W TLS Server auth certificates should not contain IPSec User usage
270 C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2 QuoVadis W TLS Server auth certificates should not contain IPSec Tunnel usage
270 C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2 QuoVadis W TLS Server auth certificates should not contain IPSec End System usage
224 C=JP, O=KDDI Web Communications Inc., CN=KDDI Web Communications Certification Authority 2 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
200 C=PL, O=home.pl S.A., CN=Certyfikat SSL Asseco Data Systems S.A. (previously Unizeto Certum) W Name has deprecated attribute emailAddress
196 C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2 Asseco Data Systems S.A. (previously Unizeto Certum) W Name has deprecated attribute emailAddress
173 C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web SR 3.0 CA SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
123 C=FR, O=DHIMYOTIS, OU=0002 48146308100036, 2.5.4.97=NTRFR-48146308100036, CN=Certigna Services CA Dhimyotis / Certigna W Name has unknown attribute 2.5.4.97
75 C=PL, O=nazwa.pl sp. z o.o., OU=http://nazwa.pl, CN=nazwaSSL Asseco Data Systems S.A. (previously Unizeto Certum) W commonNames in BR certificate contains U-labels
63 C=JP, O=National Institute of Informatics, CN=NII Open Domain CA - G5 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
48 C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2 Asseco Data Systems S.A. (previously Unizeto Certum) W Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension
48 C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2 Asseco Data Systems S.A. (previously Unizeto Certum) W Certificate Policies should not contain notice references
47 C=PL, O=home.pl S.A., CN=Certyfikat SSL Asseco Data Systems S.A. (previously Unizeto Certum) W Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension
47 C=PL, O=home.pl S.A., CN=Certyfikat SSL Asseco Data Systems S.A. (previously Unizeto Certum) W Certificate Policies should not contain notice references
36 C=ES, O=CONSORCI ADMINISTRACIO OBERTA DE CATALUNYA, OU=Serveis Públics de Certificació, CN=EC-SectorPublic Consorci Administració Oberta de Catalunya (Consorci AOC, CATCert) W Name has unknown attribute 2.5.4.97
30 C=JP, O=CrossTrust, CN=CrossTrust DV CA4 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
29 C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Organization Validation CA SHA2 Asseco Data Systems S.A. (previously Unizeto Certum) W Name has deprecated attribute emailAddress
24 C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA T-Systems International GmbH (Deutsche Telekom) W TLS Server auth certificates should not contain 1.3.6.1.5.2.3.5 usage
24 C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA T-Systems International GmbH (Deutsche Telekom) W Microsoft extension 1.3.6.1.4.1.311.20.2 treated as opaque extension
24 C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA T-Systems International GmbH (Deutsche Telekom) W TLS Server auth certificates should not contain Microsoft Smartcardlogin usage
23 C=FR, O=Certinomis, 2.5.4.97=NTRFR-433998903, CN=Certinomis - Web CA Certinomis / Docapost W Name has unknown attribute 2.5.4.97
23 C=US, ST=Texas, O=ATT Services Inc, OU=ATT Wi-Fi Services, CN=ATT Wi-Fi Services Managed Device Certificate Authority G3 E Unallowed key usage for RSA public key (Key Agreement)
19 C=PL, O=Dreamcommerce S.A., OU=Dreamcommerce S.A., CN=Shoper® SSL Asseco Data Systems S.A. (previously Unizeto Certum) W Certificate Policies should not contain notice references
19 C=PL, O=Dreamcommerce S.A., OU=Dreamcommerce S.A., CN=Shoper® SSL Asseco Data Systems S.A. (previously Unizeto Certum) W Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension
16 C=JP, O=INTEC INC., CN=EINS/PKI Public Certification Authority V3 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
10 C=JP, O=CrossTrust, CN=CrossTrust OV CA4 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
10 C=CN, O=China Financial Certification Authority, CN=CFCA OV OCA China Financial Certification Authority (CFCA) W Extension should be critical for KeyUsage
7 C=PL, O=Unizeto Technologies S.A., OU=SpaceSSL Certification Authority, CN=SpaceSSL CA Asseco Data Systems S.A. (previously Unizeto Certum) W Name has deprecated attribute emailAddress
7 C=ES, O=FNMT-RCM, OU=CERES, serialNumber=Q2826004J, CN=AC Administración Pública Government of Spain, Fábrica Nacional de Moneda y Timbre (FNMT) W Name has unknown attribute 2.5.4.97
7 C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Easy CA Certinomis / Docapost W Name has unknown attribute 2.5.4.97
6 C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Organization Validation Authority - G2 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
5 C=FR, O=DHIMYOTIS, OU=0002 48146308100036, 2.5.4.97=NTRFR-48146308100036, CN=Certigna Wild CA Dhimyotis / Certigna W Name has unknown attribute 2.5.4.97
5 C=FR, O=KEYNECTIS, CN=CLASS 2 KEYNECTIS CA DocuSign (OpenTrust/Keynectis) W BR certificates should include an HTTP URL of the issuing CA's certificate
5 C=JP, O="Nijimo, Inc.", CN=FujiSSL Public Certification Authority - G1 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
5 C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Organization Validation CA SHA2 Asseco Data Systems S.A. (previously Unizeto Certum) W Certificate Policies should not contain notice references
5 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA DigiCert W Unknown Extension: 2.23.140.1.31
5 C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Organization Validation CA SHA2 Asseco Data Systems S.A. (previously Unizeto Certum) W Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension
5 C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - AA et Agents Certinomis / Docapost W Name has unknown attribute 2.5.4.97
4 C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Extended Validation CA SHA2 Asseco Data Systems S.A. (previously Unizeto Certum) W Certificate Policies should not contain notice references
4 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA DigiCert W Extension should be critical for KeyUsage
4 C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web EV 2.0 CA SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
4 C=US, O="Entrust, Inc.", OU=See www.entrust.net/legal-terms, OU="(c) 2012 Entrust, Inc. - for authorized use only", CN=Entrust Certification Authority - L1K Entrust W Extension should be critical for KeyUsage
3 C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Class I CA SHA2 Asseco Data Systems S.A. (previously Unizeto Certum) W Name has deprecated attribute emailAddress
2 C=CN, O=China Financial Certification Authority, CN=CFCA EV OCA China Financial Certification Authority (CFCA) W Extension should be critical for KeyUsage
2 C=US, ST=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 GoDaddy W Underscore should not appear in DNS names
2 C=FR, O=Certinomis, OU=0002 433998903, CN=Certinomis - Easy CA Certinomis / Docapost W Duplicate SAN entry
2 CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US DigiCert W Unknown Extension: 1.2.840.113635.100.6.48.1
2 C=JP, L=Academe, O=National Institute of Informatics, CN=NII Open Domain CA - G4 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
1 C=JP, O=KDDI Web Communications Inc., CN=KDDI Web Communications Certification Authority SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
1 C=JP, O=KDDI Web Communications Inc., CN=KDDI Web Communications Certification Authority SECOM Trust Systems CO., LTD. W Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension
1 C=CH, O=WISeKey, OU=Copyright (c) 2016 WISeKey SA, OU=International, CN=WISeKey CertifyID Advanced Services CA 4 WISeKey W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
1 C=DE, OU=VR IDENT, O=FIDUCIA & GAD IT AG, CN=VR IDENT SSL CA 2016 QuoVadis W BR certificates should include an HTTP URL of the issuing CA's certificate
1 C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Organization Validation Authority - G1 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
1 C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Domain Validation Authority - G1 SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
1 C=TR, L=Ankara, O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., OU=E-Tuğra Sertifikasyon Merkezi, CN=E-Tugra Extended Validated CA e-tugra F ASN.1 Error in X520countryName: BER decoding failed at octet 0: Parse error
1 C=TR, L=Ankara, O=E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş., OU=E-Tuğra Sertifikasyon Merkezi, CN=E-Tugra Extended Validated CA e-tugra W Cowardly refusing to run CAB check due to previous errors
1 C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 CA 3 Buypass E BR certificates must be 825 days in validity or less
1 C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 CA 3 Buypass W TLS Server certificates must include serverAuth key purpose in extended key usage
1 C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 CA 3 Buypass E BR certificates must have subject alternative names extension
1 C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 CA 3 Buypass E commonNames in BR certificates must be from SAN entries
1 C=NO, O=Buypass AS-983163327, CN=Buypass Class 3 CA 3 Buypass E BR certificates with organizationName must include either localityName or stateOrProvinceName
1 C=RU, O=Yandex LLC, OU=Yandex Certification Authority, CN=Yandex CA Asseco Data Systems S.A. (previously Unizeto Certum) W Certificate Policies should not contain notice references
1 C=RU, O=Yandex LLC, OU=Yandex Certification Authority, CN=Yandex CA Asseco Data Systems S.A. (previously Unizeto Certum) W Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension
1 C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1 DigiCert W Duplicate SAN entry
1 C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Deutsche Post, CN=DPDHL TLS SHA2 CA I3 GlobalSign E Control character found in String in CPSuri
1 C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Deutsche Post, CN=DPDHL TLS SHA2 CA I3 GlobalSign E Control character found in String in CertificatePolicies
1 C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Deutsche Post, CN=DPDHL TLS SHA2 CA I3 GlobalSign W Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension
1 C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Deutsche Post, CN=DPDHL TLS SHA2 CA I3 GlobalSign W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
1 C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Deutsche Post, CN=DPDHL TLS SHA2 CA I3 GlobalSign W Extension should be critical for KeyUsage
1 C=ES, OU=AC CAMERFIRMA, O=AC Camerfirma S.A., serialNumber=A82743287, L=Madrid (see current address at https://www.camerfirma.com/address), CN=Camerfirma Corporate Server II - 2015 AC Camerfirma, S.A. W Unicode organizationName is using deprecated BMPString
1 C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA T-Systems International GmbH (Deutsche Telekom) W Name has multiple commonName attributes
1 C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3 QuoVadis W Underscore should not appear in DNS names
1 C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Class I CA SHA2 Asseco Data Systems S.A. (previously Unizeto Certum) W Certificate Policies should not contain notice references
1 C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Class I CA SHA2 Asseco Data Systems S.A. (previously Unizeto Certum) W Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension
1 C=PL, O=Unizeto Technologies S.A., OU=SpaceSSL Certification Authority, CN=SpaceSSL CA Asseco Data Systems S.A. (previously Unizeto Certum) W Certificate Policies should not contain notice references
1 C=CN, O=WoSign CA Limited, CN=WoSign OV SSL CA Asseco Data Systems S.A. (previously Unizeto Certum) W Certificate Policies should not contain notice references
1 DC=COM, DC=ABB, O=ABB, CN=ABB Issuing CA 8 DigiCert W Extension should be critical for KeyUsage
1 DC=COM, DC=ABB, O=ABB, CN=ABB Issuing CA 8 DigiCert W Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension
1 DC=COM, DC=ABB, O=ABB, CN=ABB Issuing CA 8 DigiCert E Control character found in String in CertificatePolicies
1 DC=COM, DC=ABB, O=ABB, CN=ABB Issuing CA 8 DigiCert E Control character found in String in CPSuri
1 C=DE, ST=Bayern, L=Muenchen, O=Max-Planck-Gesellschaft, CN=MPG CA - G02 T-Systems International GmbH (Deutsche Telekom) W Name has multiple commonName attributes
1 C=CN, O=WoSign CA Limited, CN=WoSign DV SSL CA Asseco Data Systems S.A. (previously Unizeto Certum) W Certificate Policies should not contain notice references
1 C=PL, O=Unizeto Technologies S.A., OU=SpaceSSL Certification Authority, CN=SpaceSSL CA Asseco Data Systems S.A. (previously Unizeto Certum) W Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension
1 C=FR, O=Certinomis, 2.5.4.97=NTRFR-433998903, CN=Certinomis - Web CA Certinomis / Docapost W Duplicate SAN entry
1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Encryption Everywhere DV TLS CA - G1 DigiCert W Underscore should not appear in DNS names
1 C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA DigiCert W Unknown Extension: 1.3.6.1.4.1.11129.2.1.22
1 C=US, O="thawte, Inc.", CN=thawte SHA256 SSL CA DigiCert W commonName is using deprecated TeletexString
1 C=US, O="thawte, Inc.", CN=thawte SHA256 SSL CA DigiCert W organizationName is using deprecated TeletexString
1 C=US, O="thawte, Inc.", CN=thawte SHA256 SSL CA DigiCert W localityName is using deprecated TeletexString
1 C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web SR 3.0 CA SECOM Trust Systems CO., LTD. W BR certificates should include an HTTP URL of the issuing CA's certificate
1 C=TW, O=TAIWAN-CA, OU=Root CA, CN=TWCA Root Certification Authority Taiwan-CA Inc. (TWCA) E SHA-1 not allowed for signing certificates
1 C=ES, O=Firmaprofesional S.A., OU=Security Services, serialNumber=A62634068, CN=AC Firmaprofesional - INFRAESTRUCTURA Autoridad de Certificacion Firmaprofesional W Name has unknown attribute 2.5.4.97
1 C=DE, O=ESO - European Organisation for Astronomical Research, OU=TEC, CN=ESO PKI - G02, emailAddress=trustmaster@eso.org T-Systems International GmbH (Deutsche Telekom) W Extension should be critical for KeyUsage
1 C=DE, O=Max-Planck-Gesellschaft, CN=MPG CA, emailAddress=mpg-ca@mpg.de T-Systems International GmbH (Deutsche Telekom) W Extension should be critical for KeyUsage
1 C=ES, O=IZENPE S.A., OU=BZ Ziurtagiri publikoa - Certificado publico EV, CN=CA de Certificados SSL EV Izenpe S.A. W Name has unknown attribute 2.5.4.97
1 C=ES, O=IZENPE S.A., OU=BZ Ziurtagiri publikoa - Certificado publico EV, CN=CA de Certificados SSL EV Izenpe S.A. W BR certificates should include an HTTP URL of the issuing CA's certificate