RedScore.ai

Certificate Transparency & PKI Health

100 points total

Analyzes your domain's certificate ecosystem via CT logs — issuer diversity, wildcard certificate prevalence, certificate lifespans, and CAA compliance.

Checks

Check                  Key                       Weight
Certificate Lifespan   ct_certificate_lifespan   42 pts
CAA Compliance         ct_caa_compliance         38 pts
Wildcard Prevalence    ct_wildcard_prevalence    20 pts
Issuer Diversity       ct_issuer_diversity       info (weight 0)

Pass / Warn / Fail Logic

Certificate Lifespan

Pass if all certs <= 90 days; warn on mixed lifespans; fail on certs > 398 days.

CAA Compliance

Pass if all certs from authorized CAs; warn on historical mismatches; fail on recent violations.

Wildcard Prevalence

Pass if minimal wildcards; warn on moderate usage; fail on excessive reliance.

Issuer Diversity

Informational only (weight 0). Generates advisory findings.
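The lifespan and CAA rules above, implemented over constructed CT-log style entries as an added example (not RedScore's own code). It assumes each entry's issuer has already been mapped to the CA's CAA identifier, that the date the CAA record was published is known, and that an unauthorized certificate issued before that date counts as a historical mismatch while one issued after it counts as a recent violation.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds stated on this page.
RECOMMENDED_MAX_DAYS = 90
HARD_MAX_DAYS = 398

@dataclass(frozen=True)
class CertEntry:
    """One certificate as seen in a CT log. issuer_caa_id is the CA's CAA
    identifier (assumed to be resolved from the issuer name upstream)."""
    name: str
    issuer_caa_id: str
    not_before: date
    not_after: date

    def lifespan_days(self) -> int:
        return (self.not_after - self.not_before).days

def lifespan_check(certs):
    """Pass if all certs <= 90 days; fail if any > 398 days; otherwise warn (mixed)."""
    spans = [c.lifespan_days() for c in certs]
    if any(s > HARD_MAX_DAYS for s in spans):
        return "fail"
    if all(s <= RECOMMENDED_MAX_DAYS for s in spans):
        return "pass"
    return "warn"

def caa_check(certs, authorized, caa_published):
    """Pass if every cert is from an authorized CA; unauthorized certs issued before
    the CAA record existed warn (historical), later ones fail (recent)."""
    violations = [c for c in certs if c.issuer_caa_id not in authorized]
    recent = [c for c in violations if c.not_before >= caa_published]
    if recent:
        return "fail", recent
    if violations:
        return "warn", violations
    return "pass", []

# Constructed sample data (not real certificates or real CAA records).
CAA_PUBLISHED = date(2024, 6, 1)          # day the CAA record went live
AUTHORIZED = {"letsencrypt.org"}          # CA named in the domain's CAA issue tag
SAMPLE = [
    CertEntry("www.example.com", "letsencrypt.org", date(2025, 1, 10), date(2025, 4, 10)),  # 90 days
    CertEntry("api.example.com", "letsencrypt.org", date(2025, 2, 1), date(2026, 3, 5)),    # 397 days
    CertEntry("legacy.example.com", "digicert.com", date(2024, 3, 1), date(2025, 3, 1)),    # 365 days, pre-CAA
]
TOO_LONG = CertEntry("old.example.com", "letsencrypt.org", date(2024, 1, 1), date(2025, 3, 1))      # 425 days
RECENT_ROGUE = CertEntry("rogue.example.com", "digicert.com", date(2025, 3, 1), date(2025, 5, 30))  # issued after CAA
```

Appending TOO_LONG to SAMPLE flips the lifespan check to fail, and appending RECENT_ROGUE flips the CAA check from a historical warn to a recent-violation fail.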

Findings & How to Fix Them

These are the specific findings RedScore may report for this category, along with remediation guidance.

critical: Excessive Issuer Diversity (excessive_issuer_diversity)

Establish a centralized certificate policy and consolidate issuance to 1-2 trusted CAs with automated renewal.

critical: Excessive Wildcard Usage (excessive_wildcard_usage)

Implement per-service certificate issuance using automated certificate management. Reserve wildcards only where per-host certs are infeasible.

critical: Excessive Certificate Lifespan (excessive_cert_lifespan)

Replace long-lived certificates with short-lived automated certificates. No certificate should exceed 398 days, and 90 days is the recommended maximum.

critical: Recent CAA Violation (recent_caa_violation)

Immediately investigate certificates from unauthorized CAs. Contact the issuing CA to understand issuance despite CAA restrictions. Consider revoking unauthorized certificates.

critical: Widespread CAA Noncompliance (widespread_caa_noncompliance)

Investigate widespread issuance from CAs not authorized by your CAA records; remediate policy or revoke certificates as appropriate.

medium: High Issuer Diversity (high_issuer_diversity)

Consolidate certificate issuance to 1-2 preferred CAs across teams and services to reduce operational risk.

medium: High Wildcard Usage (high_wildcard_usage)

Reduce reliance on wildcard certificates; prefer per-host or per-service certificates with automation.

medium: Long Certificate Lifespans (long_cert_lifespans)

Migrate long-lived certificates to automated short-lived issuance to reduce expiry and compromise exposure risk.

medium: CAA Not Configured (caa_not_configured)

Publish CAA records to restrict which Certificate Authorities can issue certificates for your domain. See your DNS & Domain Security findings for details.

medium: Historical CAA Mismatch (historical_caa_mismatch)

Review certificates from unauthorized CAs. If your CAA records were added after these certificates were issued, no action is needed — they will age out naturally.

low: Moderate Issuer Diversity (moderate_issuer_diversity)

Consolidate certificate issuance to 1-2 preferred CAs. This simplifies renewal management, reduces the risk of expired certificates, and makes it easier to enforce consistent certificate policies.

low: Moderate Wildcard Usage (moderate_wildcard_usage)

Where feasible, transition from wildcard certificates to per-service certificates. Use automated issuance (ACME/Let's Encrypt) to manage the increased certificate count without added operational burden.

low: Mixed Certificate Lifespans (mixed_cert_lifespans)

Migrate remaining manually-renewed certificates to an automated issuance pipeline (ACME protocol with Let's Encrypt or your CA's ACME endpoint).