The certificate risk rating is a scale that assesses and sets a grade for certificates according to the following criteria:
- Encryption algorithm
- Encryption key size
- Signature algorithm
- Certificate authority
- Certificate expiration date
- Number of devices using the certificate
- Certificate responsible (the person assigned as owner of the certificate)
- Certificate status
For each criterion, the certificate gains or loses points. The final score is the sum of the points received across all criteria, and that sum determines the certificate's final classification.
Certificates are classified according to the security classification table below. The page lists the top band as "more than 80"; it is read here as 80 or more so that a score of exactly 80 is not left unassigned.

| Score | Grade |
| --- | --- |
| 80 or more | A |
| Between 65 and 79 | B |
| Between 50 and 64 | C |
| Between 35 and 49 | D |
| Between 25 and 34 | E |
| Between 0 and 24 | F |
| Less than 0 | NT (Not Trusted) |
What is it for
This rating allows a quick assessment of risk in environments where certificates are in use, by translating certificate security properties into a grade that anyone can understand.
The classification does not restrict the use of certificates: a certificate with a low grade can still be used in your systems.
We do not recommend using certificates with low grades in production environments.
How it works
The risk rating works by distributing points according to the security criteria of a certificate. The sum of these points gives a total that falls into one of the score bands, which determines the final grade.
The evaluated criteria and their point values are listed below:
Encryption key size

| Key size | Points |
| --- | --- |
| < 1024 bits | -100 |
| < 160 bits | 0 |
Certificate expiration date
Number of devices using the certificate

| Devices | Points |
| --- | --- |
| Between 0 and 1 devices | +10 |
| Between 2 and 5 devices | +5 |
| More than 5 devices | 0 |

Certificate responsible

| Responsible | Points |
| --- | --- |
| Does not have a responsible | 0 |
* A certificate is also treated as revoked when any intermediate or root certificate in its chain is revoked.
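The scoring pipeline described under "How it works" (points per criterion, summed, then mapped to a band, with totals below 0 becoming NT) can be implemented as follows. This is an added example written for this page, not the product's own code. Only the point values the page shows are used (key size below 1024 bits, device count, missing responsible); points for larger keys, for an assigned responsible, and for the criteria whose tables are absent here are placeholders marked as assumptions, and the `CertRecord` inventory records are constructed for the example. The chain check implements the footnote above: a certificate counts as revoked when it, or any issuer above it, is revoked.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Classification bands from the page's table. The top band is read as >= 80
# (assumption: the page says "more than 80") so that 80 is not left unassigned.
# Totals below 0 map to NT (Not Trusted).
BANDS: List[Tuple[int, str]] = [(80, "A"), (65, "B"), (50, "C"), (35, "D"), (25, "E"), (0, "F")]


def grade_for(total: int) -> str:
    """Map a summed score to its letter grade; anything below 0 is NT."""
    if total < 0:
        return "NT"
    for lower, grade in BANDS:
        if total >= lower:
            return grade
    return "NT"


@dataclass
class CertRecord:
    """Constructed inventory record; only fields scored below are included."""
    subject: str
    key_bits: int
    device_count: int
    responsible: str = ""          # empty string means no responsible assigned
    revoked: bool = False          # the leaf certificate itself is revoked
    chain_revoked: bool = False    # an intermediate or root in its chain is revoked


def effectively_revoked(cert: CertRecord) -> bool:
    """Per the page's footnote: revoked if the leaf or any issuer above it is revoked."""
    return cert.revoked or cert.chain_revoked


def key_size_points(cert: CertRecord) -> int:
    # Page row: "< 1024 bits: -100". Points for larger keys are not shown on the
    # page; 0 is a neutral placeholder here (assumption).
    return -100 if cert.key_bits < 1024 else 0


def device_count_points(cert: CertRecord) -> int:
    # Page rows: 0-1 devices +10, 2-5 devices +5, more than 5 devices 0.
    if cert.device_count <= 1:
        return 10
    if cert.device_count <= 5:
        return 5
    return 0


ASSUMED_RESPONSIBLE_POINTS = 10  # placeholder, not a value from the page


def responsible_points(cert: CertRecord) -> int:
    # Page row: "Does not have responsible: 0". The points for having one are not
    # shown, so ASSUMED_RESPONSIBLE_POINTS is an assumption.
    return ASSUMED_RESPONSIBLE_POINTS if cert.responsible else 0


# One scoring rule is (criterion name, function returning that criterion's points).
Rule = Tuple[str, Callable[[CertRecord], int]]
RULES: List[Rule] = [
    ("key_size", key_size_points),
    ("device_count", device_count_points),
    ("responsible", responsible_points),
]


def score(cert: CertRecord, rules: List[Rule] = RULES) -> Dict[str, object]:
    """Sum every criterion's points, map the total to a grade, and keep the breakdown."""
    breakdown = {name: fn(cert) for name, fn in rules}
    total = sum(breakdown.values())
    return {
        "subject": cert.subject,
        "breakdown": breakdown,
        "total": total,
        "grade": grade_for(total),
        "revoked": effectively_revoked(cert),
    }


if __name__ == "__main__":
    # Constructed inventory records, not data from the page.
    samples = [
        CertRecord("CN=legacy-vpn", key_bits=512, device_count=1, responsible="ops"),
        CertRecord("CN=api-gw", key_bits=2048, device_count=12, chain_revoked=True),
        CertRecord("CN=intranet", key_bits=3072, device_count=1, responsible="ops"),
    ]
    for s in samples:
        r = score(s)
        print(f"{r['subject']:<14} total={r['total']:>5} grade={r['grade']:<2} "
              f"revoked={r['revoked']} breakdown={r['breakdown']}")
```

The breakdown is the useful output: a single weak key (-100) pushes a certificate into NT no matter how well it scores elsewhere, which is why the page treats key size as a disqualifying criterion rather than one more contribution. Because the remaining criteria are missing from this extract, totals here never reach the upper bands; adding the product's real rules is a matter of appending to `RULES`.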