RedScore.ai

Certificate Transparency & PKI Health

90 points total

Combines live HTTPS probes (expiry windows, chain trust, public key strength) with Certificate Transparency over the last 12 months — lifespan mix, wildcard prevalence, CAA alignment, and issuer diversity (informational). Live TLS reads sample the apex and www hostnames first, then a small set of additional resolved hosts when needed. If fewer than half of this category’s designed scorable weight (90 points excluding the informational issuer check) produces scored evidence in a run — for example heavy CT deferral or missing live TLS reads — the category does not contribute a 0–100 subscore to the overall RedScore until coverage is representative; per-check notes and findings may still appear.

Checks

Check | Identifier | Weight
Live Certificate Expiry | ct_cert_expiry_status | 25 pts
TLS Chain Trust | ct_chain_validity | 15 pts
Public Key Strength | ct_key_strength | 10 pts
Issuer Diversity | ct_issuer_diversity | info
Wildcard Prevalence | ct_wildcard_prevalence | 10 pts
Certificate Lifespan (CT) | ct_certificate_lifespan | 15 pts
CAA vs CT Issuance | ct_caa_compliance | 15 pts

Pass / Warn / Fail Logic

For many checks, earned points follow the verdict: full weight on pass, partial credit on some checks for warn, and none on fail. Where it matters, we spell out the points below.

Live Certificate Expiry

Worst host drives the score: a certificate that is already expired (past notAfter) fails; one expiring within 14 days is heavily penalized; one expiring within 30 days is partially penalized; otherwise full credit.

TLS Chain Trust

Worst host drives the score: untrusted, incomplete, or failed TLS handshakes fail; partial credit for non-terminal validation issues (for example, chain ordering).

Public Key Strength

RSA 2048+, Ed25519/Ed448, or common NIST P-256/P-384/P-521-class curves pass; RSA at or below 1024 fails; intermediate RSA sizes or unrecognized curves receive generous partial credit (modern browsers often still accept the observed parameters).

Issuer Diversity

Informational only (weight 0). Generates advisory findings.

Wildcard Prevalence

Pass when wildcards are under 40% of certificates; light deduction 40–45%, moderate 45–75%, and a higher floor above 75% (CDN/SaaS wildcard-heavy programs remain common). Confidence scales down when fewer than five certificates appear in the window.

Certificate Lifespan (CT)

Score is the mean per-certificate weight: 1.0 for ≤90 days, 0.85 for 91–398 days, 0.0 for >398 days. Fails when any certificate exceeds 398 days; an informational signal only when every certificate has a standard commercial lifetime.
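As an added example (not RedScore's own code), the lifespan weighting above applied to constructed CT entries. The verdict-to-points mapping, the "deferred" result for an empty window, and the sample dates are this example's assumptions.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean

SHORT_MAX_DAYS = 90       # <= 90 days earns per-cert weight 1.0
STANDARD_MAX_DAYS = 398   # 91-398 days earns 0.85; anything longer earns 0.0
CHECK_WEIGHT_PTS = 15     # ct_certificate_lifespan weight from the checks table

def lifespan_days(not_before, not_after):
    """Validity period in whole days, from a CT entry's notBefore/notAfter."""
    return (not_after - not_before).days

def per_cert_weight(days):
    if days <= SHORT_MAX_DAYS:
        return 1.0
    if days <= STANDARD_MAX_DAYS:
        return 0.85
    return 0.0

def score_lifespans(certs):
    """certs: (not_before, not_after) pairs from the 12-month CT window.
    Returns (verdict, points, mean_weight). Verdict mapping assumed by this example:
    'fail' with 0 points if any cert exceeds 398 days; 'info' when every cert sits in
    the 91-398 day band (the commercial_cert_lifespans finding); otherwise 'pass'.
    Points are the check weight scaled by the mean per-cert weight."""
    days = [lifespan_days(nb, na) for nb, na in certs]
    if not days:
        return "deferred", None, None     # no CT evidence: check does not contribute
    m = mean(per_cert_weight(d) for d in days)
    if max(days) > STANDARD_MAX_DAYS:
        return "fail", 0.0, m
    verdict = "info" if min(days) > SHORT_MAX_DAYS else "pass"
    return verdict, CHECK_WEIGHT_PTS * m, m

def cert(start_iso, days):
    """Constructed (notBefore, notAfter) pair for the samples below."""
    nb = datetime.fromisoformat(start_iso).replace(tzinfo=timezone.utc)
    return nb, nb + timedelta(days=days)

# Constructed CT samples, not real log entries.
ALL_SHORT = [cert("2024-01-01", 90), cert("2024-04-01", 90), cert("2024-07-01", 90)]
MIXED = [cert("2024-01-01", 90), cert("2024-01-01", 200)]
COMMERCIAL = [cert("2024-01-01", 365), cert("2024-02-01", 398)]
TOO_LONG = [cert("2024-01-01", 90), cert("2023-06-01", 400)]
```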

CAA vs CT Issuance

Pass when issuance aligns with CAA; strong partial credit when CAA is not published (cannot prove violations); softer deduction on historical mismatches; fail on recent violations or widespread noncompliance.
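As an added illustration, not RedScore's implementation: RFC 8659 issue/issuewild matching applied to constructed CT entries and bucketed into the verdicts above. The 90-day "recent" window, the >50% "widespread" share, the CA identifiers in the sample, and the assumption that the caller has already resolved the relevant CAA RRset are all this example's choices.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class CtCert:
    issuer_caa_id: str    # the CA's CAA issuer-domain-name, e.g. "letsencrypt.org"
    wildcard: bool        # True when the leaf covers a *.example name
    not_before: date      # issuance date as recorded in the CT entry

def caa_allows(caa_records, issuer_caa_id, wildcard):
    """RFC 8659 match for one cert. caa_records is the relevant RRset as (tag, value)
    pairs; climbing to a parent zone is assumed already done by the caller."""
    issue = [v for t, v in caa_records if t == "issue"]
    issuewild = [v for t, v in caa_records if t == "issuewild"]
    applicable = (issuewild or issue) if wildcard else issue  # issuewild wins for *.names
    if not applicable:                 # no governing property: issuance unrestricted
        return True
    allowed = {v.split(";")[0].strip().lower() for v in applicable}
    allowed.discard("")                # 'issue ";"' authorizes nobody
    return issuer_caa_id.lower() in allowed

def score_caa(caa_records, certs, today, recent_days=90, widespread_share=0.5):
    """Returns (verdict, findings). The 90-day 'recent' window and the >50%
    'widespread' share are this example's assumptions, not RedScore's numbers."""
    if not caa_records:
        return "warn", ["caa_not_configured"]   # cannot prove violations
    ages = [(today - c.not_before).days for c in certs
            if not caa_allows(caa_records, c.issuer_caa_id, c.wildcard)]
    recent = sum(a <= recent_days for a in ages)
    historical = len(ages) - recent
    findings = ["recent_caa_violation"] if recent else []
    widespread = bool(certs) and len(ages) / len(certs) > widespread_share
    if widespread:
        findings.append("widespread_caa_noncompliance")
    if historical:
        findings.append("historical_caa_mismatch")
    verdict = "fail" if (recent or widespread) else ("warn" if historical else "pass")
    return verdict, findings

# Constructed sample: Let's Encrypt authorized, wildcards denied, plus a report address.
CAA_RECORDS = [("issue", "letsencrypt.org"), ("issuewild", ";"),
               ("iodef", "mailto:security@example.com")]
TODAY = date(2024, 6, 1)                      # constructed evaluation date
SAMPLE_CERTS = [
    CtCert("letsencrypt.org", False, date(2024, 3, 1)),    # authorized
    CtCert("letsencrypt.org", True, date(2024, 3, 1)),     # wildcard denied, 92 days old
    CtCert("other-ca.example", False, date(2024, 5, 15)),  # unauthorized CA, 17 days old
    CtCert("letsencrypt.org", False, date(2024, 4, 10)),   # authorized
]
```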

Findings & How to Fix Them

These are the specific findings RedScore may report for this category, along with remediation guidance.

[critical] Live Certificate Expired (ct_cert_expired)

Renew or replace expired certificates immediately and confirm the new certificate is served on every affected host.

[critical] Untrusted or Incomplete Chain (ct_chain_untrusted_or_incomplete)

Install the full intermediate chain at the edge, ensure the leaf matches the hostname, and verify the path chains to a publicly trusted root.

[critical] Excessive Issuer Diversity (excessive_issuer_diversity)

Establish a centralized certificate policy and consolidate issuance to 1-2 trusted CAs with automated renewal.

[critical] Excessive Wildcard Usage (excessive_wildcard_usage)

Implement per-service certificate issuance using automated certificate management. Reserve wildcards only where per-host certs are infeasible.

[critical] Excessive Certificate Lifespan (excessive_cert_lifespan)

Replace long-lived certificates with short-lived automated certificates. No certificate should exceed 398 days, and 90 days is the recommended maximum.

[critical] Recent CAA Violation (recent_caa_violation)

Immediately investigate certificates from unauthorized CAs. Contact the issuing CA to understand issuance despite CAA restrictions. Consider revoking unauthorized certificates.

[critical] Widespread CAA Noncompliance (widespread_caa_noncompliance)

Investigate widespread issuance from CAs not authorized by your CAA records; remediate policy or revoke certificates as appropriate.

[high] Certificate Expiring Within 14 Days (ct_cert_expiring_14d)

Complete renewal within days; validate automated renewal and post-deploy chain serving.

[high] Weak Certificate Key (ct_key_strength_weak)

Re-issue certificates using at least RSA 2048 or ECDSA P-256/P-384; retire weak keys at renewal.

[medium] Certificate Expiring Within 30 Days (ct_cert_expiring_30d)

Schedule renewal soon; confirm monitoring alerts fire before shorter windows.

[medium] Chain Ordering or Validation Issue (ct_chain_ordering_or_validation_issue)

Review certificate order on the wire, intermediate completeness, and hostname/SAN coverage; re-test with a TLS verifier after changes.

[medium] Key Strength Indeterminate (ct_key_strength_indeterminate)

Confirm key type, size, and curve in your CA or ACME pipeline; prefer well-supported RSA 2048+ or P-256/P-384 curves.

[medium] High Issuer Diversity (high_issuer_diversity)

Consolidate certificate issuance to 1-2 preferred CAs across teams and services to reduce operational risk.

[medium] High Wildcard Usage (high_wildcard_usage)

Reduce reliance on wildcard certificates; prefer per-host or per-service certificates with automation.

[medium] Long Certificate Lifespans (long_cert_lifespans)

Migrate long-lived certificates to automated short-lived issuance to reduce expiry and compromise exposure risk.

[medium] CAA Not Configured (caa_not_configured)

Publish CAA records to restrict which Certificate Authorities can issue certificates for your domain. See your DNS & Domain Security findings for details.

[medium] Historical CAA Mismatch (historical_caa_mismatch)

Review certificates from unauthorized CAs. If your CAA records were added after these certificates were issued, no action is needed — they will age out naturally.

[low] Standard Commercial Lifetimes (commercial_cert_lifespans)

91–398 day certificates are common operationally; consider shorter automated issuance where feasible to reduce exposure windows.

[low] Moderate Issuer Diversity (moderate_issuer_diversity)

Consolidate certificate issuance to 1-2 preferred CAs. This simplifies renewal management, reduces the risk of expired certificates, and makes it easier to enforce consistent certificate policies.

[low] Moderate Wildcard Usage (moderate_wildcard_usage)

Where feasible, transition from wildcard certificates to per-service certificates. Use automated issuance (ACME/Let's Encrypt) to manage the increased certificate count without added operational burden.

[low] Mixed Certificate Lifespans (mixed_cert_lifespans)

Migrate remaining manually-renewed certificates to an automated issuance pipeline (ACME protocol with Let's Encrypt or your CA's ACME endpoint).