We identified one or more issues with your X509 server certificate, which are detailed further below.
This finding usually means that the certificate was issued with insecure attributes. Common examples include:
Please replace your X509 certificate as soon as possible. Use a certificate from a Certification Authority trusted by modern browsers, which should guarantee it fulfills all security requirements. If you are unsure about choosing a Certificate Authority, we recommend Let’s Encrypt. Let’s Encrypt provides modern X509 certificates at no cost.
If you are using an internal Certificate Authority, or are using self-signed certificates, please ensure that the following requirements are met:
- Use RSA certificates with a key size of at least 2048 bits, or EC certificates with a key size of at least 256 bits;
- Ensure that a strong hash function is used in the certificate digital signature, such as SHA-256;
- Ensure that the keyUsage attribute has the required flags: Digital Signature and Key Agreement.
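
The three requirements above can be checked against the text dump of a certificate before it is deployed. The following is an added example, not part of the original finding text: the function name `check_cert_text` and the sample dump are constructed for illustration, it relies on the layout printed by `openssl x509 -noout -text`, and treating MD2, MD4, MD5 and SHA-1 as the weak hashes is an assumption, since the text above only names SHA-256 as strong.

```shell
#!/bin/sh
# Added example, not part of the original finding text.
# Reads the output of `openssl x509 -noout -text` on stdin and prints one
# FAIL line per unmet requirement from the list above, or OK if all pass.
fail() { echo "FAIL $1"; ok=0; }

check_cert_text() {
    text=$(cat); ok=1
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    # The key usage flags are printed on the line after the extension name.
    ku=$(printf '%s\n' "$text" | sed -n '/X509v3 Key Usage:/{n;p;}')

    case "$alg" in
        rsaEncryption)  min=2048 ;;   # RSA: at least 2048 bits
        id-ecPublicKey) min=256 ;;    # EC: at least 256 bits
        *)              min="" ;;
    esac
    if [ -z "$min" ] || [ -z "$bits" ]; then
        fail "key: no RSA or EC public key found"
    elif [ "$bits" -lt "$min" ]; then
        fail "key: $alg is $bits bits, need at least $min"
    fi

    # Hashes treated as weak here (assumption): MD2, MD4, MD5, SHA-1.
    case "$sig" in
        "") fail "signature: algorithm not found" ;;
        *[Mm][Dd][245]*|*[Ss][Hh][Aa]1*) fail "signature: weak hash in $sig" ;;
    esac

    for flag in "Digital Signature" "Key Agreement"; do
        case "$ku" in
            *"$flag"*) ;;
            *) fail "keyUsage: missing $flag" ;;
        esac
    done
    if [ "$ok" -eq 1 ]; then echo OK; fi
}

# Constructed sample: abbreviated text dump of a weak certificate.
SAMPLE_WEAK='        Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'
printf '%s\n' "$SAMPLE_WEAK" | check_cert_text
```

For a real certificate, pipe `openssl x509 -in cert.pem -noout -text` into `check_cert_text`, where `cert.pem` is a placeholder file name.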