Invalid SSL Certificate
Description
The server is presenting a TLS/SSL certificate that is either expired or not yet valid based on its defined validity period. This occurs when the current date falls outside the certificate's notBefore and notAfter timestamps.
When browsers or client applications encounter an invalid certificate, they typically display security warnings that users must bypass manually, or they may refuse the connection entirely. This issue may affect the server's leaf certificate or any intermediate certificate in the chain.
Review the certificate serial number in the finding details to identify which specific certificate in the chain is causing this validation failure.
Remediation
Replace the invalid certificate with a valid one that has appropriate validity dates. Follow these steps to remediate:
1. Identify the affected certificate by locating the serial number mentioned in the finding details within your certificate chain.
2. If the certificate has expired, obtain a new certificate from your Certificate Authority (CA) or generate a new self-signed certificate if appropriate for your environment.
3. If the certificate is not yet valid, either wait until the notBefore date or request a certificate with an immediate start date from your CA.
4. Install the new certificate on your server, ensuring the complete certificate chain (including intermediate certificates) is properly configured.
5. Verify the installation using SSL testing tools such as OpenSSL:
openssl s_client -connect yourdomain.com:443 -showcerts6. Set up automated monitoring and renewal processes to prevent future expirations. Consider using automated certificate management tools like Certbot for Let's Encrypt certificates, or implement calendar reminders at least 30 days before expiration for manually managed certificates.