TLS / HTTPS · Check
Certificate uses a weak RSA key — re-issue with 2048-bit or modern EC
A certificate signed with a 1024-bit RSA key (or weaker) is feasible to break with modern compute and is rejected by most public CAs. Re-issue with at least 2048-bit RSA — or, ideally, an EC curve like P-256 — through your CA or ACME client.
Real-world risk
Short RSA keys are more feasible to break with modern compute; an attacker who breaks the key could forge sessions or decrypt previously recorded traffic.
Fix steps (in order)
- Re-issue the certificate with at least 2048-bit RSA or a modern EC curve (P-256 or stronger) from your CA or ACME client.
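A local pre-check for the thresholds in the fix step, as an added example that is not Scorifya's code: it reads the key type and size out of a DER SubjectPublicKeyInfo using only the Python standard library. The function names, the constructed sample keys, and the choice to rate every RSA key under 2048 bits and every unlisted curve as weak are assumptions of this example.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")   # rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")        # id-ecPublicKey
P256 = bytes.fromhex("2a8648ce3d030107")        # prime256v1
CURVE_BITS = {P256: 256, bytes.fromhex("2b81040022"): 384, bytes.fromhex("2b81040023"): 521}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def key_strength(spki):
    """Return (algorithm, bits, weak) for a DER-encoded SubjectPublicKeyInfo."""
    _, body, _ = read_tlv(spki)              # outer SEQUENCE
    _, alg, pos = read_tlv(body)             # AlgorithmIdentifier
    _, oid, apos = read_tlv(alg)             # algorithm OID
    _, bitstr, _ = read_tlv(body, pos)       # subjectPublicKey BIT STRING
    if oid == RSA_OID:
        _, rsakey, _ = read_tlv(bitstr[1:])  # skip the unused-bits octet
        _, modulus, _ = read_tlv(rsakey)     # first INTEGER is the modulus
        bits = int.from_bytes(modulus, "big").bit_length()
        return "RSA", bits, bits < 2048      # assumption: anything under 2048 is weak
    if oid == EC_OID:
        _, curve, _ = read_tlv(alg, apos)    # namedCurve OID
        bits = CURVE_BITS.get(curve, 0)      # assumption: unlisted curves rate as weak
        return "EC", bits, bits < 256
    raise ValueError("unsupported key algorithm")

def tlv(tag, value):  # minimal DER encoder, used only to build the constructed samples
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def rsa_spki(modulus):  # constructed sample: a number of the right size, not a real key
    integer = lambda v: tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + tlv(0x30, integer(modulus) + integer(65537))))

def ec_spki(curve_oid):  # constructed sample: all-zero placeholder point, not a real key
    alg = tlv(0x30, tlv(0x06, EC_OID) + tlv(0x06, curve_oid))
    return tlv(0x30, alg + tlv(0x03, b"\x00\x04" + bytes(64)))

if __name__ == "__main__":
    print([key_strength(s) for s in (rsa_spki((1 << 1023) | 1), ec_spki(P256))])
```

To rate a real certificate, extract its public key as DER (for example `openssl x509 -noout -pubkey` piped into `openssl pkey -pubin -outform DER`) and pass the bytes to `key_strength`.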
Topic explainer
TLS versions explained: 1.0, 1.1, 1.2, 1.3 and what to disable
What's actually different between TLS 1.0, 1.1, 1.2, and 1.3 — cipher suites, forward secrecy, performance — and which versions to disable for compliance and security.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploying. The same finding ID (tls_cert_weak_key) clears once the externally observable signal is in place.