SSL Certificate Analysis for docs.live.net - Security Grade & TLS Configuration

Open Cached · just now

89/100 SECURITY SCORE

Certificate Information

Subject

C=US, ST=WA, L=Redmond, O=Microsoft Corporation, CN=storage.live.com

Issuer

C=US, O=Microsoft Corporation, CN=Microsoft Azure RSA TLS Issuing CA 08

Valid From

October 02, 2025

Valid Until

March 31, 2026 141 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA384-RSA

SHA-256 Fingerprint

0D:4D:2A:D8:2C:DC:7E:A3:BB:10:CA:30:4A:71:A0:3C:37:2A:0D:9B:37:B4:1D:49:C7:AA:FB:A0:B3:51:ED:79

Alternative Names

137 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Basic

object-src; base-uri; script-src; +2 more

X-Frame-Options

Excellent

deny

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Improve CSP by adding more specific directives and removing 'unsafe-inline'
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

137 domains

api-df.live.net api.live.net apis.live.net config.live.net df-config.live.net docs-df.live.net docs.live.net l-df.live.net l.live.net policies.live.net s2s-policies.live.net s2s-settings.live.net s2s-skyapi-df.live.net s2s-skyapi.live.net settings.live.net skyapi-df.live.net skyapi.live.net *.apis.live.net *.config.live.net *.df-config.live.net *.docs-df.live.net *.docs.live.net *.policies.live.net *.s2s-policies.live.net *.s2s-settings.live.net *.settings.live.net *.slps.live.net df.policies.live.net df.s2s-policies.live.net df.s2s-settings.live.net df.settings.live.net *.df.policies.live.net *.df.s2s-policies.live.net *.df.s2s-settings.live.net *.df.settings.live.net d.bl3301.docs.live.net d.bl3302.docs.live.net

Other domains in certificate

*.1drv.com *.adminsvc.i001.1drv.com *.adminsvc.p001.1drv.com *.am.files.1drv.com *.api.p001.1drv.com *.bl.files.1drv.com *.bn.files.1drv.com *.by.files.1drv.com *.camp.i001.1drv.com *.ch.files.1drv.com *.config.i001.1drv.com *.cy.files.1drv.com *.db.files.1drv.com *.deploymgr.p001.1drv.com *.dm.files.1drv.com *.files-df.1drv.com *.files.1drv.com *.gls.i001.1drv.com *.job.p001.1drv.com *.keymaster.i001.1drv.com *.keymaster.p001.1drv.com *.lps.i001.1drv.com *.ph.files.1drv.com *.s2s-files-df.1drv.com *.s2s-files.1drv.com *.sn.files.1drv.com *.wstcrs.i001.1drv.com *.wstlm.1drv.com

1drv.ms

ssw.live-int.com

api-df.live.com api.live.com *.cobalt.df.storage.live.com *.cobalt.storage.live.com dev.live.com device.ra.live.com df.s2s-storage.live.com *.df.s2s-storage.live.com df.storage.live.com *.df.storage.live.com oauth.live.com *.ra.live.com s2s-storage.live.com *.s2s-storage.live.com skyapi.newdrive.live.com skyapi.onedrive.live.com skyapi.skydrive.live.com ssw.live.com storage.live.com *.storage.live.com *.users.df.storage.live.com *.users.storage.live.com

*.cobalt.df.storage.msn.com *.cobalt.storage.msn.com *.df.storage.msn.com storage.msn.com *.storage.msn.com *.users.df.storage.msn.com *.users.storage.msn.com

*.api.onedrive.com df.api.onedrive.com *.df.api.onedrive.com df.people.onedrive.com df.s2s-api.onedrive.com *.df.s2s-api.onedrive.com *.onedrive.com s2s-api.onedrive.com *.s2s-api.onedrive.com

sdrv.ms