The certificate risk rating is a scale that assesses and sets a grade for certificates according to the following criteria:
- Encryption algorithm
- Encryption key size
- Signature algorithm
- Certificate authority
- Certificate expiration date
- Number of devices using the certificate
- Certificate responsible
- Certificate status
For each criterion, the certificate can gain or lose points. The final result is the sum of the points the certificate has received. This classification allows rapid risk assessment in environments where certificates are in use.
Security rating
Score |
Rating |
More than 80 |
A |
Between 65 and 79 |
B |
Between 50 and 64 |
C |
Between 35 and 49 |
D |
Between 25 and 34 |
E |
Between 0 and 24 |
F |
Less than 0 |
NT (Not Trusted) |
The classification does not restrict the use of certificates. You can define whether or not to use a low-rated certificate on your systems.
Warning
We do not recommend using low-rated certificates in productive environments.
Rating criteria
The sum of the criteria below generates a total that falls within one of the ranges, resulting in the final security rating of the certificate.
Encryption algorithm
Type |
Score |
DSA |
-100 |
Others |
0 |
Encryption key size
RSA
Size |
Score |
4096 bits |
+30 |
2048 bits |
+20 |
1024 bits |
+10 |
< 1024 bits |
-100 |
EC/ECDSA
Size |
Score |
384 bits |
+40 |
256 bits |
+25 |
160 bits |
+5 |
< 160 bits |
0 |
Signature algorithm
Type |
Score |
SHA512 |
+30 |
SHA384 |
+20 |
SHA256 |
+10 |
Others |
0 |
Certificate authority
Type |
Score |
Has CA |
+10 |
Self-signed |
0 |
Certificate expiration date
Value |
Score |
Valid |
+10 |
Expired |
-100 |
Number of devices using the certificate
Value |
Score |
Between 0 and 1 devices |
+10 |
Between 2 and 5 devices |
+5 |
More than 5 devices |
0 |
Certificate responsible
Value |
Score |
Has responsible |
+10 |
Does not have responsible |
0 |
Certificate status
Value |
Score |
Revoked* |
-100 |
Others |
0 |
Warning
The certificate is considered revoked when its intermediate or root certificate is revoked.