SSL Certificate Analysis for globalsign.com - Security Grade & TLS Configuration

Certificate Information

Subject

UNKNOWN={:asn1_OPENTYPE, <<12, 20, 80, 114, 105, 118, 97, 116, 101, 32, 79, 114, 103, 97, 110, 105, 122, 97, 116, 105, 111, 110>>}, UNKNOWN=578611, UNKNOWN={:asn1_OPENTYPE, <<19, 2, 85, 83>>}, UNKNOWN={:asn1_OPENTYPE, <<19, 13, 78, 101, 119, 32, 72, 97, 109, 112, 115, 104, 105, 114, 101>>}, C=US, ST=New Hampshire, L=Portsmouth, UNKNOWN={:asn1_OPENTYPE, <<19, 32, 50, 32, 73, 110, 116, 101, 114, 110, 97, 116, 105, 111, 110, 97, 108, 32, 68, 114, 105, 118, 101, 44, 32, 83, 117, 105, 116, 101, 32, 49, 53, 48>>}, O=GMO GlobalSign, Inc., CN=www.globalsign.com

Issuer

C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R3 EV TLS CA 2025

Valid From

October 17, 2025

Valid Until

November 18, 2026 380 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

54:2F:75:5C:B4:3D:C5:CC:8E:7A:7E:71:8C:98:E1:59:19:46:F7:B4:56:8C:AD:B5:A2:9E:E8:21:7B:9C:97:5E

Alternative Names

38 domains

Security Configuration

TLS Protocols

TLS 1.2

Forward Secrecy

Limited (Check cipher configuration)

Warnings

• TLS 1.3 is not supported (recommended)

HTTP Security Headers

Status

Strict-Transport-Security

Missing

Not configured

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Add Strict-Transport-Security header with max-age of at least 1 year
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Configured (Restricts certificate issuance)

Current Issuer

Authorized (Matches CAA policy)

Authorized CAs

globalsign.com letsencrypt.org

Incident Reporting

mailto:[email protected]

Recommendations

• Consider using critical flag (flags=128) for stricter CAA enforcement
• Consider adding 'issuewild' records to control wildcard certificate issuance

Subject Alternative Names

38 domains

globalsign.com certified-timestamp.globalsign.com client.globalsign.com college.globalsign.com crl.globalsign.com docs.globalsign.com e-sign.globalsign.com edi.globalsign.com epkipro.globalsign.com hcs.globalsign.com jp.globalsign.com ocngs.globalsign.com operation.globalsign.com profile.globalsign.com regist.globalsign.com rfc3161-timestamp.globalsign.com rfc3161timestamp.globalsign.com seal.globalsign.com secure.globalsign.com shop.globalsign.com ssif1.globalsign.com sslcheck.globalsign.com status.globalsign.com stg-certified-timestamp.globalsign.com support.globalsign.com system.globalsign.com www.globalsign.com api.docs.globalsign.com ctl1.epkipro.globalsign.com ctl1.hcs.globalsign.com ctl1.system.globalsign.com ctl2.hcs.globalsign.com ctl2.system.globalsign.com seal-stg.atlas.globalsign.com seal.atlas.globalsign.com

Other domains in certificate

crl.globalsign.net globalsign.net secure.globalsign.net