SSL Certificate Analysis for pfmam.com - Security Grade & TLS Configuration

Certificate Information

Subject

C=US, ST=Minnesota, L=Minneapolis, O=U.S. Bank National Association, CN=www.pfmam.com

Issuer

C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1

Valid From

December 04, 2025

Valid Until

January 04, 2027 347 days

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

61:A3:07:9E:15:1A:52:A6:D3:5E:5C:47:E0:A4:7A:17:62:26:70:45:50:37:0C:18:25:21:F2:20:CD:42:08:B6

Alternative Names

79 domains

Security Configuration

TLS Protocols

TLS 1.2

Forward Secrecy

Limited (Check cipher configuration)

Warnings

• TLS 1.3 is not supported (recommended)

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Missing

Not configured

X-Content-Type-Options

Missing

Not configured

Referrer-Policy

Missing

Not configured

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Add Content-Security-Policy header to prevent XSS attacks
• Add X-Frame-Options: DENY or SAMEORIGIN to prevent clickjacking
• Add X-Content-Type-Options: nosniff
• Add Referrer-Policy header (recommended: strict-origin-when-cross-origin)
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Configured (Restricts certificate issuance)

Current Issuer

Authorized (Matches CAA policy)

Authorized CAs

entrust.net digicert.com

Incident Reporting

mailto:[email protected]

Recommendations

• Consider using critical flag (flags=128) for stricter CAA enforcement
• Consider adding 'issuewild' records to control wildcard certificate issuance

Subject Alternative Names

79 domains

pfmam.com am-api-dr.pfmam.com am-api.pfmam.com am-auth-dr.pfmam.com am-auth.pfmam.com connect-dr.pfmam.com connect.pfmam.com dr-secureauth.pfmam.com mmst-dr.pfmam.com mmst.pfmam.com secureauth.pfmam.com www-dr.pfmam.com www.pfmam.com

Other domains in certificate

bondresourcepartners.com www-dr.bondresourcepartners.com www.bondresourcepartners.com

camponline.com www-dr.camponline.com www.camponline.com

csipinvest.com www-dr.csipinvest.com www.csipinvest.com

epicfundny.com www.epicfundny.com

fl-palm.com www-dr.fl-palm.com www.fl-palm.com

govmic.org www-dr.govmic.org www.govmic.org

iiit.us www-dr.iiit.us www.iiit.us

investncip.com www-dr.investncip.com www.investncip.com

ipdlaf.org www-dr.ipdlaf.org www.ipdlaf.org

magicfund.org www-dr.magicfund.org www.magicfund.org

milaf.org www-dr.milaf.org www.milaf.org

mosip.org www-dr.mosip.org www.mosip.org

msdlaf.org www-dr.msdlaf.org www.msdlaf.org

nhpdip.com www-dr.nhpdip.com www.nhpdip.com

njarm.com www-dr.njarm.com www.njarm.com

nlafpool.org www-dr.nlafpool.org www.nlafpool.org

paisboainvest.com www.paisboainvest.com

pfmassetmanagement.com www-dr.pfmassetmanagement.com www.pfmassetmanagement.com

plgit.com www-dr.plgit.com www.plgit.com

texas-range.com www-dr.texas-range.com www.texas-range.com

dr-seclend.usbank.com seclend.usbank.com

vasnap.com www-dr.vasnap.com www.vasnap.com

wgif.org www-dr.wgif.org www.wgif.org