ShowSSL Best Practices: Secure Your Website’s Certificates

1. Regularly scan all domains and subdomains

  • Schedule ShowSSL scans at least weekly; increase to daily for production or high-risk services.
  • Include apex domains, subdomains, staging, and third-party-hosted endpoints (APIs, CDNs).

2. Monitor certificate expiry and renewals

  • Configure alerts for a minimum of 30, 14, and 7 days before expiry.
  • Verify automated renewal processes (e.g., ACME/Let’s Encrypt) by testing renewals in staging.

3. Enforce strong certificate configuration

  • Use ShowSSL to detect weak key sizes (avoid <2048-bit RSA) and deprecated algorithms (e.g., SHA-1).
  • Prefer ECDSA (e.g., P-256) where supported for performance and security.

4. Validate certificate chains and trust

  • Check for incomplete chains, mismatched intermediates, or use of deprecated roots.
  • Ensure OCSP stapling is enabled and that revocation status (OCSP/CRL) is monitored.

5. Check for hostname and SAN coverage

  • Confirm certificates include all required DNS names and wildcard coverage if used.
  • Avoid overbroad wildcard certificates when possible; prefer specific SAN lists.
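The expiry thresholds from item 2 and the SAN-coverage rule from item 5 can be checked against whatever a scan returns; the script below is an added example, not ShowSSL's own code, and works on the certificate dictionary shape that Python's standard `ssl` module produces (the sample certificate, hostnames and reference date are constructed for illustration).

```python
"""Expiry-threshold and SAN-coverage checks (added example, not ShowSSL code)."""
import socket
import ssl
from datetime import datetime, timezone

ALERT_DAYS = (30, 14, 7)  # alert thresholds from item 2 above


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: a wildcard is only valid as the whole leftmost label
    and covers exactly one label, so *.example.com matches www.example.com but
    neither example.com nor a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    labels = host.split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]


def evaluate_cert(cert: dict, required_names: list, now: datetime) -> dict:
    """cert has the shape returned by ssl.SSLSocket.getpeercert()."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    uncovered = [n for n in required_names if not any(hostname_matches(s, n) for s in sans)]
    return {
        "days_left": days_left,
        "expired": days_left < 0,
        "alerts": [d for d in ALERT_DAYS if days_left <= d],  # thresholds crossed
        "uncovered_names": uncovered,
        "wildcards": [s for s in sans if s.startswith("*.")],  # item 5: review these
    }


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Live check: default context validates the chain and hostname (raises on
    failure); returns the leaf certificate dict and the negotiated TLS version."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


# Constructed sample data: a leaf expiring in 19 days with one wildcard SAN.
SAMPLE_CERT = {
    "notAfter": "Jan 20 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
REQUIRED_NAMES = ["example.com", "www.example.com", "api.staging.example.com"]
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(evaluate_cert(SAMPLE_CERT, REQUIRED_NAMES, REFERENCE_NOW))
```

Replace `SAMPLE_CERT` with the first element of `fetch_cert("your-host")` to run it against a live endpoint; the third required name is reported as uncovered because the wildcard does not span two labels.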

6. Enforce TLS protocol and cipher best practices

  • Use ShowSSL to identify supported TLS versions; disable TLS 1.0 and 1.1.
  • Prefer TLS 1.3, with TLS 1.2 as the minimum; ensure cipher suites follow current recommendations (AEAD ciphers, forward secrecy).

7. Detect mixed-content and HSTS issues

  • Verify HTTPS is enforced site-wide and HSTS is configured with an appropriate max-age and includeSubDomains/preload where suitable.
  • Use ShowSSL scan results to locate resources served over HTTP.

8. Automate remediation and CI/CD checks

  • Integrate ShowSSL checks into CI pipelines to block deployments with misconfigured certificates.
  • Automate ticket creation for certificate failures and expiries.

9. Audit private keys and access controls

  • Ensure private keys are stored securely (HSMs or managed key services) and rotated after suspected exposure.
  • Limit access to certificate management to necessary personnel and log all changes.

10. Keep an inventory and documentation

  • Maintain an up-to-date inventory of certificates, owners, expiry dates, and renewal procedures.
  • Document emergency procedures for certificate replacement and rollback.

11. Test client compatibility

  • Use ShowSSL to identify client compatibility issues (older clients/browsers) and plan for graceful degradation or targeted support.

12. Stay informed and update baselines

  • Regularly update security baselines as standards evolve (e.g., CA/B Forum, IETF TLS recommendations).
  • Re-scan after CA changes, new intermediate deployments, or key rotations.

Implement these ShowSSL-driven practices to maintain robust certificate hygiene, reduce downtime from expired or misconfigured certificates, and improve overall TLS security posture.