
What to Do If You Find an Unauthorized Certificate: A Complete Response Guide

Discovered an unauthorized SSL/TLS certificate issued for your domain? Learn the critical steps to verify, report, revoke, and prevent future unauthorized certificate issuance with CAA records and monitoring.

By Inventive HQ Team

Discovering an unauthorized SSL/TLS certificate issued for your domain can be alarming. It may indicate a security breach, compromised accounts, a rogue employee, or even a mis-issuance by a Certificate Authority. Regardless of the cause, rapid and systematic response is critical to protect your organization and prevent potential attacks.

This comprehensive guide walks you through exactly what to do when you find an unauthorized certificate, from initial verification through long-term preventive measures.

Step 1: Verify the Certificate is Truly Unauthorized

Before sounding the alarm, confirm that the certificate is actually unauthorized. False alarms are common, and verification prevents wasting time on legitimate certificates.

Internal Verification Checklist

Check with Your IT Team: Query your IT, DevOps, and infrastructure teams. Common scenarios that may appear unauthorized but aren't:

  • Automated certificate management: ACME clients such as Certbot (formerly distributed as letsencrypt-auto) may renew certificates automatically without manual approval each time
  • Development/staging environments: Developers may have provisioned certificates for testing without notifying central IT
  • Department-level services: Marketing, sales, or other departments may have spun up services with their own certificates
  • Legacy services: Old certificates from previous administrators that were never documented
  • Acquired assets: Services from company acquisitions or mergers that weren't fully integrated into central management

Review Certificate Management Systems: Check your certificate management platform or inventory system. The certificate may have been legitimately requested but not properly documented.

Examine Certificate Details: Look at the certificate information:

  • Subject Alternative Names (SANs): Does it cover subdomains you recognize?
  • Organization information: Does it list your organization correctly?
  • Validity period: Is it consistent with your certificate policies?
  • Certificate Authority: Is it a CA your organization uses?

Timeline Correlation: When was the certificate issued? Correlate this with:

  • Infrastructure changes
  • Service deployments
  • Staff changes
  • Security incidents

Documentation

If you determine the certificate is legitimate but was poorly documented, use this as an opportunity to improve processes:

  • Add it to your certificate inventory
  • Document who requested it and why
  • Update your certificate management procedures
  • Ensure proper change management for future certificates

If after thorough investigation the certificate is confirmed as unauthorized, proceed with the incident response steps below.

Step 2: Assess the Immediate Threat

Before taking action, understand the potential threat level:

Critical Questions

Is the certificate actively in use?

  • Check DNS records—does the domain/subdomain resolve to an IP address?
  • Visit the URL—is there an active website or service?
  • Use network tools to test if the certificate is being served

What domains are affected?

  • Review all Subject Alternative Names on the certificate
  • Identify whether it's a single domain, multiple subdomains, or a wildcard certificate

What type of certificate is it?

  • Domain Validated (DV): Only proves domain control
  • Organization Validated (OV): Includes organization verification
  • Extended Validation (EV): Highest validation level

When does it expire?

  • Immediate threat: Certificate valid for months or a year
  • Time-limited threat: Certificate expiring within days/weeks

Where is the service hosted?

  • Resolve the IP address and identify hosting provider
  • Determine geographic location
  • Check if it's on your infrastructure or external
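The first and last questions above (is the reported certificate actually being served, by which host, and for how much longer) can be answered in one pass. The following is an added example, not code from the article: it probes the name over TLS with Python's standard library and compares the served leaf with the serial from the report. The 60-day cut-off between an immediate and a time-limited validity threat, the `peer_ip` field and the sample certificate are assumptions.

```python
import socket
import ssl
import time

def normalize_serial(serial):
    """CT logs often give lower-case hex with colons; getpeercert() gives upper-case hex."""
    s = serial.replace(":", "").replace(" ", "").lower().lstrip("0")
    return s or "0"

def parse_cert_time(value):
    return ssl.cert_time_to_seconds(value)   # epoch seconds for a getpeercert() date

def days_remaining(not_after, now_ts=None):
    now_ts = time.time() if now_ts is None else now_ts
    return int((parse_cert_time(not_after) - now_ts) // 86400)

def assess_served_cert(cert, reported_serial, now_ts=None):
    """Compare the certificate a host actually serves (getpeercert() dict)
    with the serial from the CT report and summarise the exposure."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    remaining = days_remaining(cert["notAfter"], now_ts)
    return {
        "serial_matches": normalize_serial(cert["serialNumber"])
                          == normalize_serial(reported_serial),
        "issuer": issuer.get("organizationName", issuer.get("commonName", "?")),
        "names": sans,
        "wildcard": any(n.startswith("*.") for n in sans),
        "days_remaining": remaining,
        # Article's rule of thumb: months of validity left is an immediate
        # threat, days or weeks a time-limited one (60 days is an assumed cut-off).
        "validity_threat": "immediate" if remaining > 60 else "time-limited",
    }

def probe_host(host, port=443, timeout=5.0):
    """Resolve the name, connect with SNI and return the validated leaf as a
    getpeercert() dict plus the answering IP; raises ssl.SSLError if untrusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            cert["peer_ip"] = tls.getpeername()[0]
            return cert

# Constructed sample in getpeercert()'s shape, used when no host is given.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Example CA Ltd"),), (("commonName", "Example CA"),)),
    "serialNumber": "04A1B2C3",
    "notAfter": "Mar 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "login.example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    import sys
    # usage: python probe.py login.example.com 04:a1:b2:c3   (no args: sample)
    if len(sys.argv) == 3:
        print(assess_served_cert(probe_host(sys.argv[1]), sys.argv[2]))
    else:
        print(assess_served_cert(SAMPLE_CERT, "04:a1:b2:c3"))
```

A verification failure from probe_host (the served chain does not reach the system trust store) is itself a finding to record, since a mis-issued certificate from a publicly trusted CA will normally validate cleanly.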

Threat Scenarios

High-Risk Scenarios (Immediate escalation required):

  • Certificate used for active phishing site impersonating your organization
  • Certificate on infrastructure you don't control
  • Wildcard certificate covering all your subdomains
  • Extended Validation certificate falsely claiming to represent your organization
  • Evidence of active user traffic to unauthorized service

Medium-Risk Scenarios (Urgent but not immediate):

  • Certificate issued but no active service detected
  • Certificate for specific subdomain on unknown infrastructure
  • Recently issued certificate (may indicate attack in preparation)

Lower-Risk Scenarios (Standard response):

  • Expired or near-expiring certificate
  • Certificate issued in error by CA
  • Certificate on your own infrastructure but improperly authorized

Step 3: Contain the Immediate Threat

For high-risk scenarios, take immediate containment actions:

If on Your Infrastructure

Disable the service immediately:

  • Take down the web server
  • Disable the certificate in your load balancer
  • Block network access to the service
  • Preserve evidence for investigation

Revoke network access:

  • Update firewall rules
  • Disable routing
  • Ensure no traffic reaches the unauthorized service

If on External Infrastructure

You cannot directly shut down external services, but you can:

Control DNS:

  • If you control the DNS records pointing to the unauthorized service, immediately remove them
  • This prevents users from reaching the service via your domain

Document everything:

  • Screenshot the site
  • Save HTML source
  • Document certificate details
  • Record IP addresses and hosting information
  • Capture WHOIS data

This evidence will be needed for reporting and legal action.

Step 4: Contact the Certificate Authority

Reporting to the Certificate Authority is a critical step in responding to unauthorized certificates.

How to Identify the CA

The certificate itself shows which CA issued it. Common CAs include:

  • Let's Encrypt
  • DigiCert
  • Sectigo (formerly Comodo)
  • GlobalSign
  • GoDaddy
  • Entrust

Reporting Procedure

Gather Required Information:

  • Certificate serial number
  • Domain name(s) affected
  • Date of issuance
  • Evidence that you own the domain (WHOIS, DNS records)
  • Explanation of why the certificate is unauthorized

Find the CA's Abuse Contact: Most CAs have dedicated abuse or mis-issuance reporting addresses; check the CA's website for the current reporting contact.

Submit the Report: Send a detailed report including:

  • Your contact information
  • Proof of domain ownership
  • Certificate details (serial number, issuance date)
  • Explanation of why the certificate is unauthorized
  • Request for immediate revocation

Template Email:

Subject: Unauthorized Certificate Mis-Issuance Report - [Domain Name]

Dear [CA] Security Team,

I am writing to report an unauthorized certificate issued for a domain owned by our organization.

Domain: [domain name]
Certificate Serial Number: [serial number]
Issuance Date: [date]
Organization: [your organization name]

We own the domain [domain name] as evidenced by [WHOIS records/DNS control/other proof]. We did not authorize the issuance of this certificate, and it may represent a security incident or account compromise.

We request immediate revocation of this certificate.

[Attach evidence: screenshots, certificate details, domain ownership proof]

Contact: [your contact information]

Thank you for your prompt attention to this matter.

Expected Response Time

CAs take mis-issuance reports seriously:

  • Initial response: Within 24-48 hours
  • Investigation: 1-5 business days
  • Revocation (if confirmed): Immediately upon verification

Follow Up: If you don't receive a response within 48 hours, escalate through additional channels:

  • CA's security team direct phone line
  • CA/Browser Forum reporting
  • Email to CA executives
  • Social media (for visibility)

Step 5: Implement CAA Records

DNS Certification Authority Authorization (CAA) records are your most powerful preventive tool against future unauthorized certificate issuance.

What Are CAA Records?

CAA records are DNS records that specify which Certificate Authorities are authorized to issue certificates for your domain. Starting in 2017, CAs are required to check CAA records before issuing certificates.

How CAA Records Work

Before issuing a certificate, the CA must:

  1. Query your domain's CAA records
  2. Check if they are listed as authorized
  3. Refuse to issue if not authorized (or if another CA is exclusively authorized)

If neither the name nor any of its parent domains has CAA records, any CA can issue certificates. If CAA records exist, only the CAs listed in the closest set can issue certificates.

Implementing CAA Records

Step 1: Identify Authorized CAs

Determine which CAs your organization legitimately uses:

  • Review current certificates
  • Check procurement/vendor relationships
  • Consult with IT teams

Step 2: Create CAA Records

CAA records have this format:

example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issuewild "letsencrypt.org"

Record components:

  • 0: Flags (usually 0)
  • issue: Allows issuance for the domain
  • issuewild: Allows wildcard certificate issuance
  • "ca-domain.com": The authorized CA

Prohibit all issuance:

example.com. CAA 0 issue ";"

Step 3: Add to DNS

Add CAA records through your DNS provider's management interface. Most major providers (Cloudflare, AWS Route 53, GoDaddy, etc.) support CAA records.

Step 4: Verify

Test your CAA records:

dig CAA example.com

Or use online CAA testing tools.

CAA Record Best Practices

Include notification email:

example.com. CAA 0 iodef "mailto:security@example.com"

This allows CAs to contact you if someone attempts unauthorized issuance.

Use subdomain-specific CAA:

dev.example.com. CAA 0 issue "letsencrypt.org"
prod.example.com. CAA 0 issue "digicert.com"

Regularly review and update: As you change CAs or vendors, update CAA records accordingly.

Test before enforcement: Temporarily set permissive CAA records while testing to ensure they don't block legitimate issuance.

2025 Update: CAA for S/MIME Certificates

As of March 2025, CAs must also check CAA records for S/MIME (email) certificates. If you issue S/MIME certificates, ensure your CAA records account for this:

example.com. CAA 0 issue "digicert.com"
example.com. CAA 0 issuemail "digicert.com"
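As an added example that is not part of the article, the following Python function implements the CA-side check described under How CAA Records Work, extended to the best-practice and S/MIME cases above: climbing to the closest CAA set, issue versus issuewild, the ";" deny, parameters after the CA name, the critical flag, and issuemail. The behaviour follows RFC 8659 and RFC 9495; the sample zone is constructed.

```python
def relevant_rrset(zone, fqdn):
    """RFC 8659: walk from the FQDN towards the root and return the first
    non-empty CAA RRset; zone maps lower-case name -> [(flags, tag, value)]."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrs = zone.get(".".join(labels[i:]))
        if rrs:
            return rrs
    return None

def authorized_by(records, tag, ca):
    """None if no record carries `tag` (no restriction), else whether one
    of them names `ca`; a bare ';' value authorises nobody."""
    found = False
    for _flags, t, value in records:
        if t.lower() != tag:
            continue
        found = True
        issuer = value.split(";", 1)[0].strip().lower()  # drop parameters
        if issuer and issuer == ca.lower():
            return True
    return False if found else None

KNOWN_TAGS = {"issue", "issuewild", "iodef", "issuemail"}

def caa_permits(zone, name, ca, smime=False):
    """True if `ca` may issue for `name`; pass '*.example.com' for a wildcard
    request and smime=True for an S/MIME (email) certificate."""
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]                  # lookup chain starts at the parent
    rrs = relevant_rrset(zone, name)
    if rrs is None:
        return True                      # no CAA anywhere in the chain
    # A critical (flag 128) record with an unknown tag forbids issuance.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in rrs):
        return False
    if smime:                            # RFC 9495: only issuemail applies
        verdict = authorized_by(rrs, "issuemail", ca)
        return True if verdict is None else verdict
    if wildcard:
        verdict = authorized_by(rrs, "issuewild", ca)
        if verdict is not None:          # issuewild present: it alone governs
            return verdict
    verdict = authorized_by(rrs, "issue", ca)
    return True if verdict is None else verdict   # iodef-only set: unrestricted

# Constructed sample zone (not from the article).
ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org; validationmethods=dns-01"),
                    (0, "issue", "digicert.com"), (0, "issuewild", "digicert.com"),
                    (0, "iodef", "mailto:security@example.com"),
                    (0, "issuemail", "digicert.com")],
    "dev.example.com": [(0, "issue", "letsencrypt.org")],
    "locked.example.com": [(0, "issue", ";")],
    "notify-only.example.com": [(0, "iodef", "mailto:security@example.com")],
}
```

Two results worth noticing: notify-only.example.com carries only an iodef record and therefore restricts nothing, and dev.example.com's own CAA set hides the parent's issuemail record, so S/MIME issuance is unrestricted there. Every name with its own CAA set needs its own complete policy.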

Step 6: Investigate Potential Security Breach

An unauthorized certificate may indicate a broader security compromise. Conduct a thorough investigation:

Potential Attack Vectors

Compromised Accounts:

  • Was an administrator's account compromised?
  • Check access logs for your DNS provider
  • Review account activity at the issuing CA
  • Audit all administrative accounts

Compromised Infrastructure:

  • Could an attacker have gained control of your DNS?
  • Review DNS change logs
  • Check for unauthorized DNS records
  • Examine DNS provider security settings

Social Engineering:

  • Could an attacker have socially engineered the CA into issuance?
  • Review any communications from the CA
  • Check for fraudulent identity documents

Insider Threat:

  • Could a rogue or departing employee have requested the certificate?
  • Review HR records and access logs
  • Check for recently departed employees
  • Audit certificate requests around employee termination dates

Investigation Steps

Review logs:

  • DNS modification logs
  • CA account activity logs
  • Email communications with CAs
  • Administrative access logs

Check for related indicators:

  • Other unauthorized certificates
  • DNS changes
  • Unusual network traffic
  • Account login anomalies

Expand the investigation:

  • Are other domains affected?
  • Were other types of credentials compromised?
  • Is there evidence of broader infrastructure compromise?

Document findings:

  • Create an incident timeline
  • Document all evidence
  • Track all unauthorized changes
  • Maintain chain of custody for forensic evidence

Step 7: Consider Certificate Pinning

For critical services, consider implementing certificate pinning:

What is Certificate Pinning?

Certificate pinning involves hardcoding or configuring your applications to only trust specific certificates or CAs for your domain. Even if an attacker obtains a valid certificate from a different CA, pinned applications will reject it.

Pinning Options

Pin specific certificates:

  • Application only trusts explicit certificate(s)
  • Must be updated when certificates are renewed
  • Highest security but highest maintenance

Pin Certificate Authorities:

  • Application only trusts certificates from specific CA(s)
  • Less maintenance than certificate pinning
  • Still provides strong protection

Pin public keys:

  • Application trusts specific public keys
  • Allows certificate renewal without update if key stays the same
  • Good balance of security and maintainability

Implementation

Mobile Applications: Most common use case—embed pinning in app code

Web Applications: Use HTTP Public Key Pinning (HPKP) header, though browser support is being deprecated. Modern alternatives include Certificate Transparency enforcement.

API Clients: Configure API clients to validate certificates against pinned values

Risks and Considerations

Broken pinning can break your app: If you pin incorrectly or lose control of your pinned certificates, legitimate users cannot access your service.

Requires maintenance: Pinned certificates must be updated before expiration.

Backup pins: Always include backup pins in case primary certificates are compromised or lost.

Use cautiously: Only for critical services where the added complexity is justified.

Step 8: Establish Ongoing Monitoring

Prevent future incidents with continuous monitoring:

Certificate Transparency Monitoring

Set up automated monitoring of Certificate Transparency logs:

Real-time alerts: Configure alerts when new certificates are issued for your domains

Regular scans: Daily or weekly scans for all certificates containing your domain names

Typosquatting monitoring: Alert on similar domains that might be phishing attempts

Tools and Services

Free Tools:

  • crt.sh email alerts
  • CertStream for real-time monitoring
  • Facebook's CT Monitor

Commercial Services:

  • Certificate management platforms with CT monitoring
  • Brand protection services
  • Security information and event management (SIEM) integration

Alert Configuration

Immediate alerts for:

  • Any certificate for your exact domains
  • Certificates from unauthorized CAs (post-CAA implementation)
  • Wildcard certificates for your domains

Daily digest for:

  • Certificates mentioning your brand name
  • Potential typosquatting domains
  • Certificates from unusual CAs

Weekly reports for:

  • All certificate activity summary
  • Certificate expiration warnings
  • Compliance reporting
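One way to turn the three tiers above into code, as an added example that is not the article's own: each crt.sh record is first checked against the certificate inventory from Step 1 and then classified as immediate, daily or weekly. The crt.sh JSON endpoint is real; the sanctioned-CA list, the domains, the brand string and the sample records are assumptions.

```python
import json
import urllib.request

ALLOWED_ISSUERS = ("Let's Encrypt", "DigiCert")   # assumed: CAs you actually use
OUR_DOMAINS = {"example.com"}                      # assumed: your registered domains
BRAND = "example"                                  # assumed: brand string to watch

def fetch_crtsh(query):
    """Pull crt.sh's JSON output; a query of '%.example.com' returns every
    logged certificate naming the domain or one of its subdomains."""
    url = "https://crt.sh/?q=" + query.replace("%", "%25") + "&output=json"
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)

def is_ours(name, our_domains):
    n = name[2:] if name.startswith("*.") else name
    return any(n == d or n.endswith("." + d) for d in our_domains)

def classify(entry, inventory=frozenset(), allowed=ALLOWED_ISSUERS,
             our_domains=OUR_DOMAINS, brand=BRAND):
    """Map one crt.sh record onto the article's alert tiers; `inventory` holds
    the serials (lower-case hex, no colons or leading zeros) you already know."""
    names = [n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()]
    serial = entry.get("serial_number", "").replace(":", "").lower().lstrip("0")
    issuer = entry.get("issuer_name", "")
    reasons = []
    if serial in inventory:
        tier = "known"                      # documented in the inventory already
    elif any(is_ours(n, our_domains) for n in names):
        tier = "immediate"
        reasons.append("covers our domain")
        if not any(a.lower() in issuer.lower() for a in allowed):
            reasons.append("unauthorized CA")
        if any(n.startswith("*.") and is_ours(n, our_domains) for n in names):
            reasons.append("wildcard")
    elif any(brand in n for n in names):
        tier = "daily"                      # lookalike or brand use elsewhere
        reasons.append("brand lookalike")
    else:
        tier = "weekly"                     # summary only
    return {"tier": tier, "id": entry.get("id"), "names": names,
            "issuer": issuer, "serial": serial, "reasons": reasons}

def triage(entries, inventory=frozenset()):
    """Group records by tier so each list can go to its own alert channel."""
    out = {"immediate": [], "daily": [], "weekly": [], "known": []}
    for entry in entries:
        verdict = classify(entry, inventory)
        out[verdict["tier"]].append(verdict)
    return out

# Constructed records in crt.sh's JSON shape (not real log entries).
SAMPLE = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "www.example.com\nexample.com", "serial_number": "03aa"},
    {"id": 2, "issuer_name": "O=Unknown CA Ltd, CN=Unknown CA", "name_value": "login.example.com", "serial_number": "0bad"},
    {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS CA", "name_value": "*.example.com", "serial_number": "0c0f"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "example-login.com", "serial_number": "0d0d"},
    {"id": 5, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "unrelated.org", "serial_number": "0e0e"},
]
```

Run `triage(fetch_crtsh("%.example.com"), inventory)` on a schedule and route the `immediate` list to paging, `daily` to a digest and `weekly` to the summary report.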

Step 9: Update Security Policies and Procedures

Learn from the incident and strengthen your security posture:

Certificate Management Policy

Develop or update a comprehensive certificate management policy:

Centralized management: All certificates must be managed through a central system

Authorization requirements: Define who can request certificates and approval processes

Naming conventions: Standardize subdomain naming and certificate coverage

Lifecycle management: Procedures for provisioning, renewal, and revocation

Access Control

DNS provider security:

  • Enable multi-factor authentication
  • Restrict who can modify DNS records
  • Implement change approval workflows
  • Enable audit logging

CA account security:

  • Secure all CA accounts with strong passwords and MFA
  • Limit number of users with CA access
  • Regularly audit CA account activity
  • Use role-based access control

Incident Response Plan

Detection procedures: How will you detect unauthorized certificates?

Response procedures: What are the steps when unauthorized certificates are found?

Escalation path: Who needs to be notified and when?

Recovery procedures: How will you recover from certificate-related incidents?

Training and Awareness

Train IT staff on:

  • Certificate management best practices
  • Importance of CAA records
  • Proper authorization procedures
  • Incident response protocols

Train general staff on:

  • How to verify legitimate certificates in browsers
  • How to report suspicious certificates
  • Phishing awareness (related to certificate fraud)

Step 10: Legal and Compliance Considerations

Depending on the circumstances, legal action may be appropriate:

When to Involve Legal Counsel

Active phishing or fraud: If the unauthorized certificate is used for criminal activity

Brand impersonation: If someone is falsely claiming to represent your organization

Financial impact: If the unauthorized certificate led to financial losses

Regulatory requirements: If you're in a regulated industry with breach notification requirements

Legal Options

Trademark infringement: If your brand name is used without authorization

Domain disputes: UDRP or legal action for domain takedowns

CA liability: In cases of gross negligence by the CA

Criminal charges: For attackers using certificates for fraud

Regulatory Reporting

Determine if the incident requires reporting:

Data breach laws: Some jurisdictions require breach notification if unauthorized certificates led to data access

Industry regulations: HIPAA, PCI-DSS, SOX, and other frameworks may have reporting requirements

Customer notification: Consider whether customers should be notified, even if not legally required

Prevention is the Best Defense

While this guide focuses on response, the best strategy is prevention:

Before unauthorized certificates appear:

  1. Implement CAA records
  2. Set up CT log monitoring
  3. Centralize certificate management
  4. Enforce strong access controls
  5. Regularly audit certificate inventory
  6. Train staff on proper procedures

Regular review:

  • Quarterly certificate audits
  • Annual security policy reviews
  • Ongoing monitoring and alerting
  • Continuous improvement based on lessons learned

Conclusion

Discovering an unauthorized certificate is serious, but with systematic response and proper preventive measures, you can protect your organization and prevent future incidents. The key steps are:

  1. Verify it's truly unauthorized
  2. Assess the immediate threat
  3. Contain if necessary
  4. Report to the Certificate Authority
  5. Implement CAA records
  6. Investigate potential security breach
  7. Consider certificate pinning for critical services
  8. Monitor continuously
  9. Update policies and procedures
  10. Engage legal counsel if appropriate

By following this comprehensive response guide and implementing strong preventive measures, you transform a potentially damaging security incident into an opportunity to strengthen your overall security posture.

Stay ahead of unauthorized certificates by monitoring your domains regularly. Use our free Certificate Transparency Lookup tool to discover all certificates issued for your domains and ensure proper authorization.
