# Certificates
The Certificates section is designed to help you monitor certificates, TLS protocol versions, and cipher suites across your external assets.
## Use Cases
* **Identify certificates that expire soon or have already expired.** These should be updated as soon as possible. Sites using expired certificates may be susceptible to man-in-the-middle attacks by attackers who may be able to intercept traffic from users of the site.
* **Identify deprecated TLS protocol versions and bad ciphers containing known vulnerabilities.** These may affect the security of your website, ranging from Denial of Service attacks to decryption/compromise of traffic.
* **Identify connected hosts.** By extracting fields from the certificate, such as the Common Name and Subject Alternative Name, you can discover other related hostnames.
## Detection
The website scan attempts to establish a TLS connection to open ports and extract the x.509 certificate along with negotiated protocols and ciphers.
## Risk
Risk is assigned to each certificate based on several factors including expiration date/expiration status of certificates, deprecated TLS versions, and known weak or bad cipher suites.
* **High** (● Red): Non-valid or expired certificate, or certificate uses high-risk ciphers.
* **Medium** (● Yellow): Certificate supports weak ciphers.
* **Low** (● Green): No significant risks are associated with the certificate.
Certificates rated **High** or **Medium** risk will create [issues](https://docs.halosecurity.com/docs/platform/issues).
{% hint style="info" %}
We recommend fixing any **High-risk** issues immediately, and **Medium** risk issues should warrant a look to see if they are an acceptable risk.
{% endhint %}
### Extensions
Certificate extensions are individually rated as well and can be viewed on the [summary page](https://app.halosecurity.com/user/security/website/cert/summary) and within the certificate detail view.
* **Valid**
* ● Green: The certificate is valid.
* ● Red: The certificate is not valid.
* **Not Expired**
* ● Green: The certificate is not currently expired.
* ● Red: The certificate has expired.
* **Host Match**
* ● Green: The hostname on the certificate appears on its certificate's Common Name or Alternate Names.
* ● Red: The hostname of the target does not appear on its certificate's Common Name or Alternate Names.
* **Ciphers**: The rating of the highest risk cipher used by the certificate. Ciphers are individually rated for:
* ● Green: Low-risk cipher with no known vulnerabilities.
* ● Yellow: Medium-risk cipher with weaker encryption standards.
* ● Red: High-risk cipher associated with known vulnerabilities.
## Reports
You can easily navigate through the Certificates section to audit the certificates across your attack surface.
* [Overview](https://app.halosecurity.com/user/security/website/cert/): Displays an overview of risk, geographical data, certificate validity, versions, and issuing authorities.
* [Summary](https://app.halosecurity.com/user/security/website/cert/summary): Lists all targets and summarizes the risk status of each certificate.
* [List](https://app.halosecurity.com/user/security/website/cert/list)*:* Lists all targets with details on the certificate's issuer, country, and hostname
* [Calendar](https://app.halosecurity.com/user/security/website/cert/calendar)*:* Displays a calendar view of when certificates expire.
* [Ciphers](https://app.halosecurity.com/user/security/website/cert/ciphers): Lists all ciphers and TLS protocol versions and the corresponding targets.
* [Hosts](https://app.halosecurity.com/user/security/website/cert/hosts): Lists the hostnames that were found in the certificates' Common Name and Subject Alt Names.
* [Changes](https://app.halosecurity.com/user/security/website/cert/changes): Displays the changes found between different scans.