The factory default certificate on your perimeter

A firewall, a VPN concentrator, a load balancer, a WAF: every one of them ships with a self-signed certificate already installed, so the box can serve its administration page the moment it powers on, before you have given it a hostname or a real certificate. That bootstrap certificate is meant to be replaced during setup. When it is not, the appliance sits on the public internet identifying itself with a key that is identical, or drawn from the same small pool, across every unit of that product the vendor ever shipped. That is not a private key anymore. It is a default credential, and it is wearing a TLS certificate so it looks like security. This is CWE-1392 (Use of Default Credentials) meeting CWE-295 (Improper Certificate Validation) at the network edge.

This is one of the most common exposures at the internet perimeter, and one of the least understood, because it hides behind a working padlock. It is not specific to any one vendor. Every appliance category has a bootstrap certificate, and every category produces this exposure when provisioning stops one step early. The pattern is well documented in the public weakness catalogs: a hardcoded or shared cryptographic key that ships in firmware is a textbook default credential, and a host that presents one to the open internet has, in effect, published its identity. This piece is the class behind it, written so you can find the same thing on your own perimeter. Verifiable security.

The class in one paragraph

A network appliance cannot serve its own setup page over plaintext, so the vendor bakes a self-signed certificate and its private key into the firmware image. Every device that runs that firmware version starts life with the same certificate, or one of a small handful, and the same private key material. The intended lifecycle is: power on, reach the setup page over the bootstrap certificate, provision a real certificate scoped to your hostname, and the bootstrap certificate is gone. The failure is simply that last step never happens. The appliance gets cabled into the perimeter, starts passing traffic, and nobody ever swaps the certificate, because everything works. The box is encrypting traffic, the browser padlock appears after you click through the warning, and the device looks provisioned. It is not. It is identifying itself to the entire internet with a key the vendor also shipped to thousands of other customers, which means an attacker who owns the same model owns the same key, and can present a certificate your clients will accept exactly as readily as the appliance's own.

The reason this matters at scale is that the key is not unique to you. Researchers have repeatedly catalogued the same embedded private keys reused across entire product lines and even across different vendors that licensed a common firmware base. Once a single unit of a model is on a researcher's bench, the shared key is extractable, and from that point every internet-facing unit of that model still wearing the factory certificate is using a key that is effectively public.

How to recognize it: the three-part signature

A factory default certificate has a shape that is almost unmistakable once you know it, and all three parts are readable from a single TLS handshake. You do not need credentials, you do not need to log in, and reading the certificate a server presents is a benign, read-only act.

Issuer equals subject. The certificate is self-signed: the entity that issued it is the same entity it claims to identify. Real production certificates are issued by a certificate authority whose name differs from the host. When the issuer field and the subject field are byte-for-byte identical, you are looking at a self-signed certificate, and on an edge appliance that almost always means the bootstrap certificate.
The subject is a serial number or generic model string, and the SAN is empty. Provisioned certificates name the host: vpn.example.com, portal.example.com, with that name in the subject-alternative-name list. A factory certificate names the appliance, often by its hardware serial or a generic product string, and frequently carries no SAN entries at all. An empty SAN on an internet-facing host is a loud signal: nothing here was ever scoped to a real hostname.
The validity window is implausibly long. Modern certificate authorities issue certificates valid for months, not decades, and the ecosystem is moving toward shorter and shorter lifetimes. A factory certificate is minted once at the factory and is meant to last until provisioning, so vendors often set its validity to ten, twenty, or thirty years. A notAfter date in 2050-something is a tell that no real authority was ever involved.

READING THE THREE-PART SIGNATURE OFF THE WIRE $ echo | openssl s_client -connect edge.example.com:443 2>/dev/null \ | openssl x509 -noout -subject -issuer -dates -ext subjectAltName subject= CN = APPLIANCE-SERIAL-0000 <-- generic / serial-named subject issuer= CN = APPLIANCE-SERIAL-0000 <-- issuer == subject (self-signed) notBefore= ... <-- minted at the factory notAfter= 2056 ... <-- multi-decade validity X509v3 Subject Alternative Name: <-- (empty / absent) Three tells, one handshake, zero credentials. Encryption present, identity assurance absent. The key is shared across the product line.

One read-only handshake surfaces all three tells. The certificate the appliance presents tells you it was never provisioned. The values above are illustrative, not from any specific host.

Why this is genuinely dangerous, and why it is also not a CVE

Be precise about the risk, because it is easy to both over- and under-state it. A globally shared private key destroys the authentication half of TLS while leaving the encryption half intact. The channel is still encrypted, so a casual observer cannot read it off the wire. But TLS authentication exists to answer one question, "am I really talking to the server I think I am," and a shared key makes that answer meaningless. An attacker positioned on the network path can present the same default certificate, because they have the same key, and your clients will accept it. Now the attacker terminates the connection, reads everything in cleartext on their side, and forwards it on. The padlock stays green throughout. This is the man-in-the-middle position that proper certificate validation exists to prevent, handed to the attacker for free.

There is a second, quieter signal. An appliance still wearing its factory certificate is an appliance whose provisioning was never completed, and provisioning is where a lot of other hardening lives: default administrative passwords, default service exposure, default management interfaces. The certificate is the visible tip; it is reasonable to suspect the rest of the setup checklist went unfinished too.

A factory default certificate is a default credential that the TLS padlock disguises as security. The encryption is real. The identity it is supposed to prove is shared with everyone who owns the same box.

And to be clear about what this is not: this is a configuration and deployment exposure, not a software vulnerability in the appliance. The vendor shipped a bootstrap certificate exactly as designed, and the appliance is behaving exactly as an un-provisioned appliance should. There is no flaw in the product to assign a CVE to. The defect is that the deployment stopped one step short. We do not claim a CVE here, and you should be skeptical of anyone who does. What this is, is a real, fixable, defensible finding, and one of the most common we see at the network edge.

One unprovisioned step away: the lapse-and-fall-back trap

There is a particularly sharp version of this that catches even teams who did provision correctly. Some appliances, when their real, properly issued certificate lapses, do not fail closed. They fall back to the built-in factory default. So a host that was set up correctly with a real certificate, that certificate later expires, and the appliance reverts to its shared-key self-signed default, silently. A host that had a clean certificate yesterday is presenting a shared default key today, purely because a renewal was missed. The team never touched it; the lapse did the downgrade for them.

This is why certificate expiry monitoring and factory-default detection are the same problem viewed from two angles. A renewal you miss does not just produce an expired-certificate warning; on an appliance that falls back, it silently downgrades you to a shared default key. The way to catch it is to cross-reference what a host presents right now against public certificate-transparency logs: if the logs show a properly issued certificate for the host but the host is serving a self-signed default, you are in the fallback state, and you are in it as of a specific, recent date.

What to do about it

Find and close the factory-default certificate on your edge

Inventory every internet-facing appliance and read its certificate. Firewalls, VPN concentrators, WAFs, load balancers, mail gateways, management interfaces. For each, capture issuer, subject, SAN, and validity from one handshake.
Flag any host where issuer equals subject. Self-signed on the public edge is the headline tell. Pair it with an empty SAN and a multi-decade validity to confirm it is a factory default rather than an intentional internal certificate.
Provision a real, host-scoped certificate and remove the default. Replace the bootstrap certificate with one issued by your authority, scoped to the actual hostname in the SAN. This is the single step the deployment skipped.
Configure the appliance to fail closed, not fall back, on certificate expiry. Where the platform allows it, ensure a lapsed certificate produces an outage you will notice, not a silent downgrade to the factory key.
Monitor certificate expiry against transparency logs continuously. A renewal miss on a fall-back appliance is a security event, not just an availability one. Watch for the host serving a self-signed certificate while a real one exists in the logs.
Treat a factory certificate as a prompt to re-run the whole hardening checklist. If provisioning stopped before the certificate, audit default passwords, exposed management interfaces, and default service exposure on the same device.

How Celvex catches this

Find. Prove. Fix. Verify.

Find

A read-only handshake against every internet-facing host reads issuer, subject, SAN, and validity, flagging the self-signed plus empty-SAN plus multi-decade-validity shape and cross-referencing certificate-transparency logs for the host's real certificate.

Prove

A confirmed factory default becomes an Ed25519-signed Proof Capsule carrying the exact certificate, the three tells, and, where applicable, the transparency-log record of the real certificate it fell back from, reproducible offline.

Fix

The capsule's remediation block names the provisioning step: install a host-scoped certificate from your authority, remove the bootstrap default, and set the appliance to fail closed on expiry.

Verify

A fresh handshake confirms the host now presents a properly issued, correctly named certificate. The finding closes and the verified-fix event is recorded for the audit trail.

The reason this class persists is that it hides behind a working padlock. Everything looks encrypted because everything is encrypted. The only way to see it is to read the certificate itself and ask the question the padlock does not: whose identity is this, really, and is it shared with everyone who bought the same box. One handshake answers it.

Verifiable security. Find it. Prove it. Fix it. Verify the fix held. That is what we ship.

Sources

Is anything on your edge still wearing its factory certificate?

Free Exposure Check, no signup required. We read the certificate off every internet-facing appliance you scope in, flag factory-default and fallen-back certificates, and ship a signed Proof Capsule for the highest-confidence one.

Run a Free Scan →