Valid Certificates vs. Invalid Certificates in Universities' Servers

Certificates fall into two broad categories, trusted (valid) and untrusted (invalid). A certificate is trusted when it chains to a certificate authority (CA) that the client already trusts; it is untrusted when it does not, whether because it is self-signed, expired, or issued by a CA the client does not know. During the TLS handshake the server sends its certificate (normally together with any intermediate certificates) to the client, which performs this validation. We compare the number of valid and invalid certificates.


Proportion of Self-Signed Certificates in Invalid Certificates

A self-signed certificate is signed with its own private key rather than by a CA, so a client cannot chain it to any trust anchor and marks it as invalid unless that exact certificate has been explicitly installed in the client's trust store. (Root CA certificates are self-signed too, but they are trusted because they ship in the trust store, not because of their signature.) In our data we find that many servers present self-signed certificates.


Depth of the chain of trust

Certificate authorities (CAs) are the entities in the Public Key Infrastructure (PKI) that sign, issue and store digital certificates. To impose a hierarchy on the PKI there are two types of CA: root CAs and intermediate CAs. For a certificate to be considered valid and trusted, it must chain to a CA that is included in the trust store of the connecting device (each device ships a list of trusted root CAs in its OS or browser). If the certificate was not issued directly by a trusted CA, the connecting device (e.g. a web browser) checks whether it can trust the CA that issued the certificate by looking at that CA's own issuer, and repeats this step until either a trusted CA is found or no further issuer can be found, in which case a security error is shown on the device. The intermediates needed for this walk are normally sent by the server alongside its own certificate; if one is missing, the chain is incomplete and many clients reject it (some fetch the missing intermediate themselves, but a server should not rely on that). The depth of the chain is the number of certificates from the end-entity certificate up to the certificate at the top of the chain. A depth of one means the certificate is self-issued, either a root CA certificate used directly or a self-signed certificate from an entity we do not trust; a depth of two means the end-entity certificate was issued directly by a root; a depth of three or more means one or more intermediates sit in between. The list of certificates from the root certificate down to the end-entity certificate is the certificate chain.


Proportion of Expired Certificates in Invalid Certificates

Each certificate has a validity period bounded by two fields, "not before" and "not after": the certificate is not valid before the date in the "not before" field nor after the date in the "not after" field. A client compares the current time against both fields for every certificate in the chain, so an expired intermediate also invalidates an otherwise current end-entity certificate. We present the number of invalid certificates whose cause is expiration.


The Online Certificate Status Protocol (OCSP) Support Percentage (%)

Certificates can be revoked before they expire, for example after a private key compromise, so relying parties need a way to check revocation status, and there are several mechanisms for doing so. The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate; a certificate advertises its OCSP responder in its Authority Information Access extension. We measure the adoption of OCSP across the web servers in our data.
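The following Python is an added example, not code from the original page or its measurement pipeline. It models the classification used in the sections above (self-signed, chain depth, expiration, OCSP support) over constructed certificate records: the field names, sample names such as "Example Root CA" and "printer-3f.uni.example", and the OCSP URL are all made up for illustration. It assumes signature verification was already done when the certificates were parsed (with a library such as pyca/cryptography or OpenSSL), so chains here are built by issuer/subject name matching only.

```python
"""Classify scanned certificates the way the measurements on this page do.

Added example, not the page's own code. Certificates are reduced to the
fields the analysis needs; a real scanner fills them from parsed X.509.
Assumption: signatures were checked during parsing, so chains are built
here by issuer/subject name matching alone.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    ocsp_url: Optional[str] = None  # OCSP responder from AuthorityInfoAccess, if any

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

    @property
    def validity_days(self) -> int:
        return (self.not_after - self.not_before).days


def build_chain(leaf: Cert, presented: list[Cert], roots: dict[str, Cert]) -> list[Cert]:
    """Walk issuer -> subject upwards from the leaf.

    `presented` are the extra certificates the server sent, `roots` maps
    subject -> trusted root. Stops at a self-signed certificate (a trusted
    root is appended first, so a complete chain ends in a root) or when the
    issuer cannot be found at all (missing intermediate).
    """
    by_subject = {c.subject: c for c in presented}
    chain, seen = [leaf], {leaf.subject}
    while not chain[-1].self_signed:
        issuer = chain[-1].issuer
        nxt = roots.get(issuer) or by_subject.get(issuer)
        if nxt is None or nxt.subject in seen:  # incomplete chain or loop
            break
        chain.append(nxt)
        seen.add(nxt.subject)
    return chain


def classify(leaf: Cert, presented: list[Cert], roots: dict[str, Cert],
             now: datetime) -> tuple[frozenset[str], int]:
    """Return (reasons, depth); an empty reasons set means the certificate is valid.

    depth counts certificates from the leaf to the top of the chain inclusive,
    so depth 1 is a self-signed leaf (or a root used directly as a server cert).
    """
    chain = build_chain(leaf, presented, roots)
    reasons = set()
    for c in chain:  # every certificate in the chain must be within its period
        if now > c.not_after:
            reasons.add("expired")
        elif now < c.not_before:
            reasons.add("not_yet_valid")
    if chain[-1].subject not in roots:  # chain does not end in a trust anchor
        reasons.add("self_signed" if leaf.self_signed else "untrusted_issuer")
    return frozenset(reasons), len(chain)


def summarize(observations: list[tuple[Cert, list[Cert]]], roots: dict[str, Cert],
              now: datetime) -> dict:
    """Aggregate per-server (leaf, presented) pairs into the figures reported above."""
    results = [classify(leaf, sent, roots, now) for leaf, sent in observations]
    invalid = [(leaf, r) for (leaf, _), (r, _) in zip(observations, results) if r]
    valid = [leaf for (leaf, _), (r, _) in zip(observations, results) if not r]

    def share(reason: str) -> float:  # percentage of invalid certs with this reason
        return round(100 * sum(reason in r for _, r in invalid) / len(invalid), 1) if invalid else 0.0

    def mean_days(certs: list[Cert]) -> float:
        return round(sum(c.validity_days for c in certs) / len(certs), 1) if certs else 0.0

    depth_hist: dict[int, int] = {}
    for _, depth in results:
        depth_hist[depth] = depth_hist.get(depth, 0) + 1
    return {
        "total": len(observations), "valid": len(valid), "invalid": len(invalid),
        "self_signed_pct_of_invalid": share("self_signed"),
        "expired_pct_of_invalid": share("expired"),
        "ocsp_support_pct": round(100 * sum(l.ocsp_url is not None for l, _ in observations)
                                  / len(observations), 1),
        "depth_histogram": depth_hist,
        "mean_validity_days_valid": mean_days(valid),
        "mean_validity_days_invalid": mean_days([leaf for leaf, _ in invalid]),
    }


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data (not real scan results): one trusted root, one
# intermediate, one unknown campus CA, and four observed servers.
NOW = _utc(2024, 6, 1)
ROOT = Cert("Example Root CA", "Example Root CA", _utc(2015, 1, 1), _utc(2040, 1, 1))
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA", _utc(2020, 1, 1), _utc(2030, 1, 1))
CAMPUS_CA = Cert("Campus Internal CA", "Campus Internal CA", _utc(2018, 1, 1), _utc(2038, 1, 1))
TRUST_STORE = {ROOT.subject: ROOT}
OBSERVATIONS = [
    (Cert("www.uni.example", "Example Intermediate CA", _utc(2024, 3, 1), _utc(2024, 9, 1),
          "http://ocsp.example"), [INTERMEDIATE]),                         # valid, depth 3
    (Cert("mail.uni.example", "Example Root CA", _utc(2023, 1, 1), _utc(2024, 1, 1),
          "http://ocsp.example"), []),                                     # expired, depth 2
    (Cert("printer-3f.uni.example", "printer-3f.uni.example", _utc(2010, 1, 1), _utc(2030, 1, 1)),
     []),                                                                  # self-signed, depth 1
    (Cert("intranet.uni.example", "Campus Internal CA", _utc(2023, 1, 1), _utc(2026, 1, 1)),
     [CAMPUS_CA]),                                                         # unknown CA, depth 2
]

if __name__ == "__main__":
    for leaf, sent in OBSERVATIONS:
        print(leaf.subject, classify(leaf, sent, TRUST_STORE, NOW))
    print(summarize(OBSERVATIONS, TRUST_STORE, NOW))
```

Reasons are returned as a set rather than a single label because the page's two proportions (self-signed among invalid, expired among invalid) can overlap: a self-signed printer certificate that has also expired is counted in both. The summary also reports mean validity period for valid versus invalid certificates, which is the comparison made under "Interesting findings".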


Interesting findings

We found that many of the invalid certificates are served by devices such as printers.

We found that the average validity period of invalid certificates was much longer than that of valid certificates.