# Certificates

The Certificates section is designed to help you monitor certificates, TLS protocol versions, and cipher suites across your external assets.

## Use Cases

* **Identify certificates that expire soon or have already expired.** These should be updated as soon as possible. Sites using expired certificates may be susceptible to man-in-the-middle attacks by attackers who may be able to intercept traffic from users of the site.
* **Identify deprecated TLS protocol versions and bad ciphers containing known vulnerabilities.** These may affect the security of your website, ranging from Denial of Service attacks to decryption/compromise of traffic.
* **Identify connected hosts.** By extracting fields from the certificate, such as the Common Name and Subject Alternative Name, you can discover other related hostnames.

## Detection

The website scan attempts to establish a TLS connection to open ports and extract the x.509 certificate along with negotiated protocols and ciphers.

## Risk

Risk is assigned to each certificate based on several factors including expiration date/expiration status of certificates, deprecated TLS versions, and known weak or bad cipher suites.

* **High** (<mark style="color:red;">●</mark> Red): Non-valid or expired certificate, or certificate uses high-risk ciphers.
* **Medium** (<mark style="color:yellow;">●</mark> Yellow): Certificate supports weak ciphers.
* **Low** (<mark style="color:green;">●</mark> Green): No significant risks are associated with the certificate.

Certificates rated **High** or **Medium** risk will create [issues](/docs/platform/issues.md).

{% hint style="info" %}
We recommend fixing any **High-risk** issues immediately, and **Medium** risk issues should warrant a look to see if they are an acceptable risk.
{% endhint %}

### Extensions

Certificate extensions are individually rated as well and can be viewed on the [summary page](https://app.halosecurity.com/user/security/website/cert/summary) and within the certificate detail view.

* **Valid**
  * <mark style="color:green;">●</mark> Green: The certificate is valid.
  * <mark style="color:red;">●</mark> Red: The certificate is not valid.
* **Not Expired**
  * <mark style="color:green;">●</mark> Green: The certificate is not currently expired.
  * <mark style="color:red;">●</mark> Red: The certificate has expired.
* **Host Match**
  * <mark style="color:green;">●</mark> Green: The hostname on the certificate appears on its certificate's Common Name or Alternate Names.
  * <mark style="color:red;">●</mark> Red: The hostname of the target does not appear on its certificate's Common Name or Alternate Names.
* **Ciphers**: The rating of the highest risk cipher used by the certificate. Ciphers are individually rated for:
  * <mark style="color:green;">●</mark> Green: Low-risk cipher with no known vulnerabilities.
  * <mark style="color:yellow;">●</mark> Yellow: Medium-risk cipher with weaker encryption standards.
  * <mark style="color:red;">●</mark> Red: High-risk cipher associated with known vulnerabilities.

## Reports

You can easily navigate through the Certificates section to audit the certificates across your attack surface.

* [Overview](https://app.halosecurity.com/user/security/website/cert/): Displays an overview of risk, geographical data, certificate validity, versions, and issuing authorities.
* [Summary](https://app.halosecurity.com/user/security/website/cert/summary): Lists all targets and summarizes the risk status of each certificate.
* [List](https://app.halosecurity.com/user/security/website/cert/list)*:* Lists all targets with details on the certificate's issuer, country, and hostname
* [Calendar](https://app.halosecurity.com/user/security/website/cert/calendar)*:* Displays a calendar view of when certificates expire.
* [Ciphers](https://app.halosecurity.com/user/security/website/cert/ciphers): Lists all ciphers and TLS protocol versions and the corresponding targets.
* [Hosts](https://app.halosecurity.com/user/security/website/cert/hosts): Lists the hostnames that were found in the certificates' Common Name and Subject Alt Names.
* [Changes](https://app.halosecurity.com/user/security/website/cert/changes): Displays the changes found between different scans.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.halosecurity.com/docs/platform/websites/certificates.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.