Risk classification
The certificate risk rating is a scale that assesses and sets a grade for certificates according to the following criteria:
- Encryption algorithm
- Encryption key size
- Signature algorithm
- Certificate authority
- Certificate expiration date
- Number of devices using the certificate
- Certificate responsible
- Certificate status
For each criterion, the certificate for winning or losing a grade and the final result is the sum that the certificate received, reaching the final classification of the certificate.
Certificates are classified according to the security classification table.
Security classification
| Score | Rating |
|---|---|
| More than 80 | A |
| Between 65 and 79 | B |
| Between 50 and 64 | C |
| Between 35 and 49 | D |
| Between 25 and 34 | E |
| Between 0 and 24 | F |
| Less than 0 | NT (Not Trusted) |
What is it for
This rating allows quick assessment of risks in environments where certificates are in use, translating certificate security concepts into a rating that is easy for anyone to understand.
The classification does not restrict the use of certificates. You can use a certificate with a low grade in your systems.
We do not recommend using certificates with low grades in production environments.
How it works
The risk rating of certificates works from a distribution of points based on the security criteria of a certificate. The sum of these points generates a total that fits into one of the tracks, thus giving a final grade.
The evaluated criteria and final scale are listed below:
Classification criteria
Encryption algorithm
| Type | Score |
|---|---|
| DSA | -100 |
| Others | 0 |
Encryption key size
RSA
| Size | Score |
|---|---|
| 4096 bits | +30 |
| 2048 bits | +20 |
| 1024 bits | +10 |
| < 1024 bits | -100 |
EC/ECDSA
| Size | Score |
|---|---|
| 384 bits | +40 |
| 256 bits | +25 |
| 160 bits | +5 |
| < 160 bits | 0 |
Signature algorithm
| Type | Score |
|---|---|
| SHA512 | +30 |
| SHA384 | +20 |
| SHA256 | +10 |
| Others | 0 |
Certificate authority
| Type | Score |
|---|---|
| Has CA | +10 |
| Self-signed | 0 |
Certificate expiration date
| Value | Score |
|---|---|
| Valid | +10 |
| Expired | -100 |
Number of devices using the certificate
| Value | Score |
|---|---|
| Between 0 and 1 devices | +10 |
| Between 2 and 5 devices | +5 |
| More than 5 devices | 0 |
Certificate responsible
| Value | Score |
|---|---|
| Has responsible | +10 |
| Does not have responsible | 0 |
Certificate status
| Value | Score |
|---|---|
| Revoked* | -100 |
| Others | 0 |
*The certificate is also considered revoked when its intermediate or root certificate is revoked.