SSL Certificate Analysis for uio.no - Security Grade & TLS Configuration

Open Cached · just now

89/100 SECURITY SCORE

Certificate Information

Subject

C=NO, ST=Oslo, O=Universitetet i Oslo, CN=uio.no

Issuer

C=GR, O=Hellenic Academic and Research Institutions CA, CN=GEANT TLS ECC 1

Valid From

September 08, 2025

Valid Until

September 08, 2026 291 days

Public Key

ECDSA 256 bit (P-256) Adequate

Signature Algorithm

ECDSA-SHA384

SHA-256 Fingerprint

63:2F:33:D7:FF:AD:20:89:E1:12:70:0A:6A:AD:FC:39:E3:14:B1:C0:1E:D8:61:14:A5:47:B5:09:BC:C2:B5:15

Alternative Names

3 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Weak

frame-ancestors; upgrade-insecure-requests; object-src

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Present

fullscreen=(self "https://*.uio.no" "https://*.youtube.com" "https://uio.cloud.panopto.eu"), picture-in-picture=(self "https://*.uio.no" "https://uio.cloud.panopto.eu"), interest-cohort=(), browsing-topics=(), join-ad-interest-group=(), run-ad-auction=(), conversion-measurement=(), accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), encrypted-media=(), gamepad=(), geolocation=(), gyroscope=(), layout-animations=(self), legacy-image-formats=(), magnetometer=(), microphone=(), midi=(), oversized-images=(self), payment=(), publickey-credentials-create=(self), publickey-credentials-get=(), speaker-selection=(), sync-xhr=(), unoptimized-images=(self), unsized-media=(self), usb=(), screen-wake-lock=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), hid=(), serial=(), cross-origin-isolated=(), execution-while-not-rendered=(self), execution-while-out-of-viewport=(self), keyboard-map=(), navigation-override=(), identity-credentials-get=(), idle-detection=(), local-fonts=(), otp-credentials=(), window-management=(), storage-access=()

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Significantly strengthen CSP directives

CAA Records (Certificate Authority Authorization)

CAA Records

Configured (Restricts certificate issuance)

Current Issuer

Not Authorized (Potential misconfiguration)

Authorized CAs

harica.gr

Wildcard CAs

harica.gr

Incident Reporting

mailto:[email protected]

CAA Issues

• CRITICAL: Current certificate issuer 'C=GR, O=Hellenic Academic and Research Institutions CA, CN=GEANT TLS ECC 1' is NOT authorized by CAA records. Authorized CAs: harica.gr

Recommendations

• Consider using critical flag (flags=128) for stricter CAA enforcement

Subject Alternative Names

3 domains

uio.no www-int.uio.no www.uio.no