Name in API: tlscert_expired
Severity: Low
Factor: Network Security
Summary
This issue type indicates that the TLS certificate used for secure communication has expired. While connections may still be established, browsers and clients will display security warnings, as the Certificate Authority (CA) no longer vouches for the certificate's validity. This can lead to trust issues, potential security risks, and service disruptions.
How Does It Work?
- The client sends a message to the server indicating which TLS versions and cipher suites it supports.
- The server responds with a message containing the chosen TLS version, the cipher suite, and its digital certificate.
- The client then verifies the server certificate to ensure that it was issued by a trusted CA and is within its validity period.
- A TLS certificate is issued with a limited validity period (2 years); once that period ends the CA no longer vouches for it, so verification fails when the client tries to connect to the server.
Why Is It a Risk?
An expired TLS certificate is a security risk because it weakens encryption trust, making users vulnerable to man-in-the-middle (MITM) attacks. Browsers flag expired certificates, causing users to ignore warnings or abandon the site. Attackers can exploit expired certificates to intercept data or impersonate websites. Additionally, APIs and services may reject connections, leading to disruptions. Regular renewal ensures secure, uninterrupted communication and maintains trust with users and clients.
Self Evaluation
You may validate the presence/absence of an expired certificate on the endpoint by using the following 3rd-party tools. All of them can be used to cross-check contradictory results. However, when comparing results, ensure that each tool scanned the same endpoint (host name and port) as the SecurityScorecard finding.
sslscan
sslscan https://expired.badssl.com
OpenSSL
openssl s_client -connect expired.badssl.com:443 -servername expired.badssl.com </dev/null 2>/dev/null | openssl x509 -noout -dates
notBefore=Apr 9 00:00:00 2015 GMT
notAfter=Apr 12 23:59:59 2015 GMT
Website Error
How to mitigate
Expired TLS certificates primarily cause security warnings, not connection blocks, damaging user trust. Prioritize prevention through automated renewals (e.g., Let's Encrypt), vigilant monitoring, and accurate certificate inventories.
- Renew the certificate
  - Obtain a new TLS certificate from a trusted Certificate Authority (CA).
  - If using Let's Encrypt, run an ACME client (e.g., Certbot) to renew.
- Manually trust the certificate (temporary workaround)
  - In browsers, users can bypass the warning, but this is not recommended for security reasons.
  - For internal systems, add the certificate to the trusted store (only if it's a controlled environment).
- Restart services
  - After installing the new certificate, restart web servers (Nginx, Apache) or application services.
- Preventative measures
  - Use scripts or ACME clients for auto-renewal.
  - Set up alerts via tools like Nagios, Zabbix, or SSL monitoring services.
  - Use a CMS that helps track and renew certs across multiple services.
Remediation
- Endpoint configuration has been changed, and the tlscert_expired issue has been addressed on the endpoint.
  => Select the finding and then click on the "Fixed" button, "technical_remediation".
- The endpoint has been closed and is therefore unreachable (or serving a 400/404).
  => Select the finding and then click on the "Fixed" button, "technical_remediation".
- After verification (using the methods above, for example), the endpoint defined in the finding does have an updated certificate, contrary to what SecurityScorecard is stating.
  => Select the finding and then click on "Other resolutions" --> "I cannot reproduce this issue, and I think it's incorrect," "false_positive."