A Sense of Security Blog

Find Deprecated SSL Certificates in Your Network

Network security admins and website owners:

In case you missed it (and it's been kind of easy to miss), there's an industry-wide move afoot to deprecate less secure SSL certificates.

There are two main issues:

  • An SSL certificate's public key (RSA specifically) should be > 1024 bits long. (Older servers and websites need to be moved off of 1024-bit RSA SSL certificates to 2048-bit certificates.)
  • This SSL certificate should not use SHA-1 (or MD5) hash algorithm for its signature.

These changes are laid out in NIST Special Publication 800-131A, “Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths” (http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf) which provides guidance for transitions to the use of stronger cryptographic keys and more robust algorithms.

Long story short, there are a bunch of certificates out there that need to be updated to safeguard the future of SSL encryption to protect security and privacy.


First step in your remediation efforts:  Locate the certificates

Fortunately, Lumeta IPsonar can help you discover all of the certificates on your network regardless of who issues them.

You can use the API to query for certificates that aren't compliant.  A sample API call to look for certificates with SHA-1 based signatures might look like this (replacing “<your_report_server>” with your report server's IP address or DNS name):


You can also create custom views to render this information in IPsonar.  As an example, a pair of client views is available at: Certificate Remediation Views.


If you need assistance, please contact Lumeta Customer Support and we would be happy to walk you through the process of finding deprecated SSL certificates so you can execute a migration plan to the higher cryptographic standards of 2048-bit SSL certificates and SHA-2 (or equivalent) hash algorithms.