SSL360® FAQ

This FAQ answers some of the most common questions regarding SSL360®.

What is SSL360®

SSL360® is a SAAS platform for discovery and managing digital certificates from any CA (Certificate Authority). SSL360® finds all your certificates, including the ones you didn’t think you were part of.

Can anyone apply for an SSL360® account?

Sadly, no, you must work for a company and have an associated e-mail address.

Try before you buy!

If you want to explore the magic of SSL360® before you buy, you can sign up for a free 14-day trial account – no strings attached, and no credit card needed!

How soon do I get access to SSL360® after applying for a trial account?

It typically takes 1-2 hours before you receive your login credentials; however, it may take longer outside regular working hours or at weekends.

How come I don’t get access instantly?

We’re an IT security company and won’t give anyone access to insights that can be exploited for malicious purposes; hence, we perform several background checks.

Logging in for the first time!

Click SSL360® on the left-hand menu to reveal a dashboard with all your certificates.

Can SSL360® track internal and public-facing certificates?

As of now, the solution is only able to track and analyze certificates that are public facing.

The SSL360® dashboard!

In your dashboard, you can explore which domains are protected by SSL, when your certificates expire, your suppliers of certificates (CAs), and the validation level (DV low, DV, OV and EV). And, if enabled, the security configuration level of each certificate.

What is DV low?

Certificates we mark as DV Low come from CAs that don’t perform malware or phishing checks before issuing a certificate. In many cases, these CAs are to blame for the persistence of phishing sites.

Filtering options!

From your dashboard, you can inspect and filter among your certificates. For example, you can view which of your certificates;

That will expire within the next 7 or 30 days.

That are issued from a specific CA, e.g., “DigiCert.”

That has a poor grade and needs attention.

How come some of my domains are not included in my domain watchlist?

If our tracking of your domains does not match what your company has registered, the explanation may be as follows:

• The registrar behind your domain doesn’t provide the information needed.
• The owner of the domain is a different legal entity than the one you represent

How to add a new domain for tracking?

Click “View Domains” inside your dashboard to add a new domain to your watchlist. On the page, click the “Add Domain” button to add a single domain or a list of domains from a CSV file.

How to view all certificates issued to a specific domain?

From your domain list view, click on the domain you want to explore.

Why do I see certificates in my account that have nothing to do with my company?

This is a very common scenario with many of our customers. However, it is also one of the most powerful features of SSL360®. SSL360® can detect if one or several domains are included in a certificate that doesn’t belong to your company, also known as “shared certificates.”

Shared Certificates can cause a severe threat to your online presence, especially if they secure some of your business-critical applications – in such cases, you and no one else should control the certificate!

How to delete a domain for tracking and analysis?

If, for some reason, you no longer want us to track certificates on a specific domain, you can use the three dots on the far right of your screen and select remove domain.

Note: By deleting the domain, you also delete all associated certificates.

How are grades calculated?

We refer to the SSL Labs rating guide to explain how we calculate grades.

However, there are a few differences in how we assign grades, as we use CertView, an enterprise version of SSLLabs.

We will not penalize the grade under the following conditions:

• Certificate hostnames don’t match the site hostname (SSL Labs drops the grade to T)
• Certificate has been revoked (SSL Labs drops the grade to F)

SSL Labs runs browser simulation checks and may not penalize the server for using weaker ciphers if the browser simulations determine that the weaker ciphers are not negotiated when establishing the SSL connections. You may therefore see different grades in CertView for the following:

• Use of legacy 64-bit block ciphers (CertView drops the grade to C)
• Use of ciphers that theoretically support forward secrecy (CertView does not reward the server for using these ciphers)
• Use of CBC ciphers with TLS 1.2 or below (CertView drops the grade to F due to the GoldenDoodle vulnerability)

CertView does not test forward secrecy and will not penalize a server if it doesn’t support forward secrecy. SSL Labs caps grades to B and penalizes sites if the server does not support forward secrecy. This assessment is primarily based on the 60+ browser handshake simulations performed during the SSL Labs assessment.

SSL Labs, however, does not penalize sites that use suites that are not capable of providing forward secrecy as long as they are not negotiated during browser handshake simulations forward secrecy depends on a lot of information that cannot be detected remotely, such as the server caching policy of session tickets or the reuse of DH/ECDH keys. While CertView detects ciphers that theoretically support forward secrecy, having such ciphers configured does not guarantee forward secrecy.

Why are some of my certificates graded N/A?

There can be several reasons why we cannot give a grade on a certificate, and the most common reasons are:

• The certificate has been renewed or re-issued and is no longer active on the server we are scanning.
• There is a firewall restriction on the server where the certificate is installed, making it impossible for us to perform a scan.
• The server responded with plain-text HTTP on an HTTPS port.
• There are no secure protocols supported on the server we are scanning.
• The certificate is installed on a not publicly available server.
• The scans we perform are designed to fail when abnormal results are observed. In most cases, this occurs when there are multiple TLS servers behind the same IP address. As a result, we give the grade N/A when we cannot provide accurate results.

How often does SSL360® analyze domains and certificates?

We inspect and analyze every 14 days, but if your company needs it more frequently, we’re happy to work with you.

Do I get a report when an analysis of my domains and certificates has been completed?

Yes, we will e-mail you a detailed report every time we analyze your domains and certificates, so you’ll know what has changed and what to act on.

What is “Grade Δ Since Last Scan”?

When you click on view certificates under Grade Δ Since Last Scan, you will find a list of certificates that have moved either up or down in grade. Icons illustrate the change under the Grade Δ column.

I have a certificate with an unsatisfactory grade; what to do?

Inspect your certificate by clicking on the FQDN name it is issued to. From the certificate information page, look at which SSL and/or TLS protocols your server has activated. If your server still supports SSL protocols, you should immediately disable them. For TLS protocols, you should also disable versions 1.0 and 1.1.

Also, look at our article; What you need to know about TLS 1.3 if you consider activating the latest TLS version.

After optimizing your TLS settings, you should review discovered vulnerabilities, starting with the most severe. To resolve a severity, click on the link to the right, and a detailed explanation will appear, including a description of the threat, impact, and solution.

Can I customize the frequency and the CAs I want to receive expiration warnings about?

You can, of course, by clicking on the settings menu on the left side of the portal and then clicking edit under Account users. From the User Settings Page, click edit top right, and select the frequency you want to receive reminders and, further down, from which CAs.

Note: By default, you will not receive any reminders, so make sure you select YES in the section;

Notification E-mail (after each scan) to start receiving reminders.

How to get insights about sub-domains protected by wildcard certificates?

If enabled in your subscription, SSL360® will help you discover and map sub-domains protected by Wildcard certificates – handy information when the certificate is up for renewal.

Click the certificate’s domain to view the sub-domain enumeration of a specific Wildcard certificate. You’ll see the sub-domains protected by this unique certificate, including HTTPS codes, SSL grades and IPs on the page.

I want to renew a certificate that is about to expire; what should I do?

From your certificate list view, click on the three dots on the far right of your screen and select renew. This will take you to our order page, where you can easily renew your certificate. In case you need assistance choosing the right certificate or help with generating the CSR file, feel free to contact our suppport team; we are, of course, available via phone, chat or e-mail.

Does SSL360® support 2FA?

Yes, it does, and to enable it, don’t hesitate to contact our support team via phone, e-mail, or chat.

TRUSTZONE Support

TRUSTZONE is committed to providing you with the most comprehensive support. Through online documentation, telephone help, and direct e-mail, TRUSTZONE ensures that your questions will be answered in the fastest time possible. For more information, visit our Support Service Level Agreement page.