Understanding Certificate Reports
Certificate reports provide detailed technical information about the X.509 certificates used by your monitored services. These reports help you understand certificate configurations, validate certificate chains, and diagnose connection issues.
Report Structure
Each certificate report displays high-level connection details including the check time, hostname, and connection string. The results summary shows the total count of errors and warnings, certificate expiration status, and overall validation status.
The certificate chain analysis breaks down each certificate from server certificate through intermediates to the root CA. For each certificate, the report shows:
- Common Name and Subject distinguished name
- Issuer information
- Validity period (Not Before and Not After dates)
- Key algorithm (e.g., RSA 2048-bit, ECDSA P-256)
- Signature algorithm
- Subject Alternative Names (SANs) for multi-domain certificates
Understanding the Certificate Chain
The server certificate is the certificate presented directly by your service and should match the hostname you're connecting to. Intermediate certificates sit between the server certificate and root CA, providing an additional layer of security. The root certificate is the trust anchor, and the report indicates whether it's in standard browser and OS trust stores.
The report performs validation checks across the certificate chain:
- Verifying the chain is complete and properly linked
- Checking for expired or expiring certificates
- Validating hostname matches against CN and SANs
- Detecting weak or deprecated cryptographic algorithms
- Checking certificate revocation status
Status Reference
Each validation check in the report is displayed as a color-coded status badge indicating the severity:
- Green (Success) — the check passed successfully.
- Blue (Informational / Recommendation) — an informational notice or a recommendation for improvement.
- Yellow (Warning) — a non-critical issue that may require attention.
- Red (Error) — a critical issue that requires immediate attention.
Expiration
| Status | Severity | Description |
|---|---|---|
| Not Expired | Success | The certificate is within its validity period. |
| Expires Soon | Warning | The certificate is approaching one of your configured expiration alert thresholds. |
| Expired | Error | The certificate has passed its Not After date and is no longer valid. |
| Invalid Expiration Dates | Error | The certificate's Not Before or Not After dates are malformed or invalid. |
Registration Period
| Status | Severity | Description |
|---|---|---|
| Good Reg Period | Success | The certificate's registration period is within normal bounds. |
| Long Reg Period | Informational | The certificate has an unusually long registration period. We recommend registration periods no longer than 90 days. |
Revocation
| Status | Severity | Description |
|---|---|---|
| Not Revoked | Success | The certificate has not been revoked by the issuing CA. |
| Revoked | Error | The certificate has been revoked by the issuing CA and should not be trusted. |
Name Verification
| Status | Severity | Description |
|---|---|---|
| Name Matches | Success | The certificate's Common Name or Subject Alternative Names match the monitored hostname. |
| Name Does Not Match | Error | The certificate does not contain the monitored hostname in its CN or SANs. |
Chain Verification
| Status | Severity | Description |
|---|---|---|
| Trusted | Success | The certificate chain was successfully verified against a known CA or your configured Private CA. |
| Not Trusted | Error | The certificate chain could not be verified. The issuing CA may be unknown, or the chain may be incomplete. |
Signing Algorithm
| Status | Severity | Description |
|---|---|---|
| Recommended Sig Algorithm | Success | The certificate uses a currently recommended signing algorithm (e.g., SHA-256, SHA-384). |
| Good Sig Algorithm | Success | The certificate uses a secure signing algorithm. |
| Unknown Sig Algorithm | Warning | The signing algorithm could not be determined. |
| Weak Sig Algorithm | Error | The certificate uses a weak signing algorithm (e.g., SHA-1) that may not be trusted by all clients. |
| Insecure Sig Algorithm | Error | The certificate uses an insecure signing algorithm (e.g., MD5) that should be replaced immediately. |
Key Algorithm
| Status | Severity | Description |
|---|---|---|
| Recommended Key Algorithm | Success | The certificate uses a recommended key algorithm and key size (e.g., RSA 2048+, ECDSA P-256+). |
| Weak Key Algorithm | Error | The certificate uses a weak key algorithm or insufficient key size. |
| Legacy Key Algorithm | Error | The certificate uses a legacy key algorithm that is no longer considered secure. |
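The Expiration, Name Verification and Key Algorithm rules from the tables above, applied to a parsed certificate in Go; this is an added example, not the monitoring product's own code. Classify, SelfSigned, the constructed offline certificate and the warning threshold passed as warnDays are assumptions, name matching uses the SAN list only (Go's VerifyHostname does not consult the CN), and the chain, revocation and CAA checks that need network access are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"time"
)

// Classify applies the report's Expiration, Name Verification and Key Algorithm rules to a parsed
// certificate, returning check name -> status label; warnDays is the configured "Expires Soon" threshold.
func Classify(c *x509.Certificate, host string, now time.Time, warnDays int) map[string]string {
	r := map[string]string{"Expiration": "Not Expired"}
	if now.After(c.NotAfter) {
		r["Expiration"] = "Expired"
	} else if now.AddDate(0, 0, warnDays).After(c.NotAfter) {
		r["Expiration"] = "Expires Soon"
	}
	r["Name Verification"] = "Name Does Not Match"
	if c.VerifyHostname(host) == nil { // matches host against the SAN list, wildcards included
		r["Name Verification"] = "Name Matches"
	}
	size := map[bool]string{true: "Recommended Key Algorithm", false: "Weak Key Algorithm"}
	r["Key Algorithm"] = "Legacy Key Algorithm" // DSA and any other key type
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		r["Key Algorithm"] = size[k.N.BitLen() >= 2048] // RSA 2048+
	case *ecdsa.PublicKey:
		r["Key Algorithm"] = size[k.Curve.Params().BitSize >= 256] // ECDSA P-256+
	}
	return r
}

// SelfSigned builds a constructed self-signed certificate (host as SAN, fresh ECDSA key over curve) valid from notBefore for days.
func SelfSigned(host string, notBefore time.Time, days int, curve elliptic.Curve) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, days)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A P-224 key is used below only to exercise the weak-key path; a certificate from a real service would be parsed with x509.ParseCertificate from the bytes the TLS handshake returns.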
CAA Records
| Status | Severity | Description |
|---|---|---|
| CAA Record Match | Success | A DNS CAA record exists and authorizes the certificate's issuing CA. |
| CAA Specific | Success | A DNS CAA record exists at the host level. |
| CAA Found | Success | DNS CAA records were found for the domain. |
| CAA Not Specific | Informational | DNS CAA records exist, but not at the host level. While this is valid according to the RFC, we recommend CAA records at the same level as the host. |
| CAA Not Found | Warning | No DNS CAA records were found for the domain. Adding CAA records is recommended to prevent unauthorized certificate issuance. |
| CAA Critical Tag | Warning | A CAA record with the critical flag set contains an unrecognized tag. Per RFC 8659, no CA may issue certificates for this domain until the record is resolved. |
| CAA Record Failure | Error | DNS CAA records exist but do not authorize the certificate's issuing CA. |
Certificate Consistency
| Status | Severity | Description |
|---|---|---|
| All Certs Match | Success | All resolved IP addresses returned identical certificates. |
| Ignored Certs Match | Informational | Certificate matching was skipped (e.g., single IP address). |
| Certs Did Not Match | Error | Different IP addresses returned different certificates, indicating an inconsistent deployment. |
Network Connectivity
| Status | Severity | Description |
|---|---|---|
| Network Failure | Error | A network error occurred while connecting to the service. |
| Network Timeout | Error | The connection to the service timed out. |
| STARTTLS Failure | Error | The STARTTLS negotiation failed. The service may not support STARTTLS on this port. |
| SSL Failure | Error | The SSL/TLS handshake failed. The service may not support the expected protocol or cipher suites. |
| DNS Failure | Error | The hostname could not be resolved. Check that the DNS records for this hostname are correct. |
| Private IP Blocked | Error | The hostname resolved to a private or internal IP address. Certificate checks from the public internet are blocked for private IPs to prevent server-side request forgery (SSRF) attacks. |
To monitor services on private networks or internal IP ranges, deploy a monitoring agent in your environment. Monitoring agents enable certificate checks for private IPs by routing connections through your own infrastructure rather than the public internet.
General
| Status | Severity | Description |
|---|---|---|
| EV Certificate | Informational | The certificate is an Extended Validation (EV) certificate. |
| SNI Override | Informational | Server Name Indication (SNI) was overridden for this check. |
| Certificate is invalid | Error | The certificate could not be retrieved or parsed. This typically indicates a network failure or an invalid certificate on the remote server. |
Common Troubleshooting Scenarios
Expired Certificates: Check the Server Certificate's Not After date and confirm that it is in the past. Contact your certificate provider to renew the certificate, then update the service with the renewed certificate.
Incomplete Chain Warnings: Review the Intermediate Certificates section for missing links between the server certificate and the root. Download and install the missing intermediate certificates in the correct order.
Hostname Mismatch Errors: Compare the certificate's Common Name and SANs against the Host field in your connection string. Either update the connection hostname or obtain a certificate for the correct hostname.
Weak Algorithm Warnings: Identify which certificates use deprecated algorithms in the Signature Algorithm or Key Algorithm fields. Replace certificates that use MD5, SHA-1, or RSA keys smaller than 2048 bits.
Self-Signed or Private CA Issues: Check if the root certificate is trusted. For internal services this may be expected. Ensure your monitoring profile is configured for private CAs if applicable, or consider using a publicly trusted CA for public-facing services.