Introduction

Red Kestrel can carry out SSL certificate audits for your business. We can inventory both your public facing and private SSL certificates and identify those that are invalid, insecure, or not in compliance with your security policy. Using our specialist auditing tools, we can audit small to large deployments with millions of certificates. The results are provided in a detailed report that gives you invaluable management and risk related information such as:

  • Certificates using the weak MD5 algorithm
  • Certificates using Debian weak keys
  • Expired certificates
  • Expiring certificates
  • Untrusted certificates

We use our SSL certificate audit tools to carry out SSL surveys of the most popular websites. For example, we recently created a report for the Alexa top 50,000 websites.

Example Certificate Audit Report

The reports are in HTML and CSV format. The CSV report provides in depth information about each certificate, and the HTML report categorises and summarises the findings. In February 2013, we audited the Alexa top 5000 websites on the Internet. The report results are summarised below.

  • 1742 Websites had Certificates
  • 14 MD5 Certificates
  • 0 Debian Weak Key Certificates
  • 81 Expired Certificates
  • 163 Certificates Expiring Within 90 Days
  • 284 Untrusted Certificates

We used the hostnames as they appear in the Alexa list and did not generate additional hostnames by prefixing 'www' or other values. The Hostname, Issuer, and Common Name fields of the report have been anonymized.

Report Format

The report comes in both HTML and CSV format.

CSV Formatted Report

The CSV report identifies all the certificates discovered and includes the following fields.

  • Host - The host that the certificate was retrieved from.

  • Port - The port number used to connect to the host in order to retrieve the certificate.

  • Issuer - The organisation field of the certificate issuer. The Issuer identifies the CA that issued the certificate.

  • Common Name - The common name field of the certificate subject.

  • Organisation - The organisation field of the certificate subject.

  • Key Size - The size of the certificate's key. Note that NIST recommends that RSA keys should have a minimum key size of 2048 bits.

  • Signature Algorithm - This identifies the algorithm used to sign the certificate..

  • SANS - The subject alternative names field of the certificate. Subject alternative names lets you protect multiple host names with a single SSL certificate.

  • SANS - The subject alternative names field of the certificate. Subject alternative names lets you protect multiple host names with a single SSL certificate.

  • Match - True if the certificate lists the hostname and false otherwise.

  • Trusted - Identifies if the certificate is trusted or not. It uses PKIX path building and validation to determine if the certificate can be trusted. If the certificate is not trusted the INFO field provides information on the reason why.

  • Debian Weak Key - Identifies blacklisted SSL cert keys caused by a bug in the random number generator of the openssl package on Debian based systems.

  • SSL Version - The SSL version used during this connection.

  • Start Date - This is the date the certificate becomes valid.

  • End Date - This is the expiry date of the certificate.

  • Serial Number - This is an integer value assigned to the certificate by the issuing CA. The serial number should be unique for each certificate generated by a particular issuer.

  • Info - This field indicates if the certificate was verified to a trusted root or not and if not a description of the error..

HTML Formatted Report

The HTML report lists all the certificates discovered and groups them into the following categories:

  • Certificate using the weak MD5 algorithm
  • Certificates using Debian weak keys
  • Expired certificates
  • Certificates expiring within 90 days
  • Untrusted certificates
  • All certificates found

SSL Survey of 50,000 Websites

In January 2013 we used our in-house tools to audit the top 50,000 websites from the Alexa 1m list. Here is a brief summary of what we found:

  • 19937 Certificates Found
  • 341 MD5 Certificates
  • 17 Debian Weak Key Certificates
  • 2123 Expired Certificates
  • 1900 Certificates Expiring Within 90 Days
  • 5795 Untrusted Certificates

We used the hostnames as they appear in the Alexa list and did not generate additional hostnames by prefixing 'www' or other values.