0
Back to scan results
Check 2 of 24

SSL/TLS Certificate Validity

We complete a TLS handshake on port 443, capture the certificate the server presents, and inspect six things: dates, issuer chain, hostname binding, key length, key algorithm, and signature hash.

What this check probes

  • Validity period — NotBefore and NotAfter. We flag certs that are expired, not yet valid, or expiring within 14 days.
  • Hostname match — the scanned domain must appear in the Common Name or a Subject Alternative Name (SAN). Modern browsers ignore CN entirely; SAN is the only field that matters.
  • Chain trust — the leaf certificate must chain to a public root in the Mozilla/Microsoft trust store. Self-signed certificates fail. Missing intermediates also fail.
  • Public key size — RSA < 2048 bits or ECDSA < 256 bits is rejected.
  • Signature algorithm — anything signed with MD5 or SHA-1 fails. SHA-256 or stronger is required.
  • Issuer — recorded but not failed (e.g., Let's Encrypt, DigiCert, Sectigo).

Why this matters for PCI DSS

PCI DSS 4.0 Requirement 4.2.1 requires "trusted keys and certificates" on any system that transmits cardholder data over open networks. An expired, mismatched, or self-signed certificate fails this requirement outright.

Beyond the spec: a broken certificate triggers browser warnings that train customers to ignore security indicators, increasing the practical risk of a successful man-in-the-middle attack. A weak key (RSA-1024, MD5 signature) is potentially forgeable today.

How to fix it

Free, automated, recommended — use Let's Encrypt via certbot. It handles issue, install, and 90-day renewal automatically:

sudo certbot --nginx -d example.com -d www.example.com
# or for Apache:
sudo certbot --apache -d example.com -d www.example.com

Renewal runs from a systemd timer or cron — verify with sudo certbot renew --dry-run.

Windows / IIS — install win-acme, run wacs.exe, pick your IIS site from the menu. It auto-installs the cert and creates a scheduled task for renewal.

Hostname mismatch — reissue the cert with every hostname your site answers on, listed as SANs. If you serve example.com and www.example.com, both must be in the certificate.

Verify your fix:

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
    | openssl x509 -noout -dates -subject -issuer

For a deep audit, run a full scan at SSL Labs — aim for an A or A+ grade.

Fixed it? Re-run the scan to confirm.

Run scan again