Name in API: tlscert_self_signed
Severity: Low
Factor: Network Security
Question
What is the Certificate Is Self-Signed (tlscert_self_signed) issue type, and why does SecurityScorecard consider this an issue?
Answer
This issue type refers to assets that present SSL/TLS certificates which are not signed by a public CA (Certificate Authority); instead, the certificate is signed either by the organization's internal CA or by the local machine itself.
We consider this an issue because web clients (such as browsers) ship with a list of trusted CAs in their certificate store. When the browser receives an SSL/TLS certificate that does not chain to one of those CAs, it cannot verify it and displays a warning like the one below:
This is a risk because attackers can exploit this blind trust to launch MitM (man-in-the-middle) attacks and serve end users a malicious endpoint.
The general rule is that a publicly exposed endpoint must have a certificate signed by a public CA.
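The two checks described above, as an added example (not code from SecurityScorecard or this article): a Go program that builds constructed in-memory certificates and reports, for each, whether it is self-signed and whether it chains to a CA in a given trust store, which is the check a browser makes against its bundled public CAs. The hostnames and the internal CA are invented for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a constructed in-memory test certificate for host (not taken from any real host); parent == nil means it signs itself.
func newCert(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Classify reports whether cert is self-signed (issuer equals subject and the signature
// verifies under its own key) and whether it chains to a CA in roots, the browser's check.
func Classify(cert *x509.Certificate, roots *x509.CertPool) (selfSigned, trusted bool) {
	selfSigned = bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return selfSigned, err == nil
}
func main() {
	ca, caKey := newCert("internal-ca.example.com", true, nil, nil)
	self, _ := newCert("app.example.com", false, nil, nil)  // what the finding flags
	leaf, _ := newCert("app.example.com", false, ca, caKey) // issued by the internal CA
	public := x509.NewCertPool() // a browser's store: public CAs only, the internal CA is absent
	fmt.Println(Classify(self, public)) // true false
	fmt.Println(Classify(leaf, public)) // false false: not self-signed, but still untrusted
}
```

Adding the internal CA to the pool makes the internally issued certificate verify, which is exactly what a browser cannot do for a public endpoint.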
How to mitigate
Use well-known CAs to get your SSL/TLS certificates signed. Some of the CAs we accept (in no particular order) are:
- DigiCert
- GlobalSign
- GTS
- Amazon Root CA
- Comodo / Sectigo
- Let’s Encrypt
- GoDaddy
- Entrust
- GeoTrust
- SwissSign
- Starfield
- Certum
- QuoVadis
Remediation
SecurityScorecard allows the removal of findings if any of the following is true:
- The endpoint configuration has been changed and the self-signed certificate is no longer offered.
  => Select the finding and then click on the "Fixed" button ("technical_remediation").
- The endpoint has been closed and therefore no longer offers a self-signed SSL/TLS certificate.
  => Select the finding and then click on the "Fixed" button ("technical_remediation").
- After verification (using the methods above, for example), the endpoint defined in the finding does not offer a self-signed SSL/TLS certificate, contrary to what SecurityScorecard is stating.
  => Select the finding and then click on "Other resolutions" --> "I cannot reproduce this issue and I think it's incorrect" ("false_positive").
- The endpoint with the self-signed SSL/TLS certificate in question is not accessible through a browser and is meant to be reached only by specific clients (VoIP, for example).
  => Select the finding and then click on "Other resolutions" --> "I have a compensating control" ("Compensating Control").