← Back to Security Blog
Research 9 min read

Self-Signed Certificates — The Hidden Risk in Enterprise VPN Infrastructure

KENSAI research reveals that 41% of enterprise VPN gateways use self-signed or expired certificates. This creates blind spots for MITM attacks and undermines the entire security posture of remote access infrastructure.


The Overlooked Risk

While organizations invest millions in next-generation firewalls and zero-trust architectures, a fundamental security gap persists: 41% of enterprise VPN gateways still use self-signed or expired TLS certificates. KENSAI's scan of 12,000+ VPN endpoints across DACH region enterprises reveals this hidden risk that most security audits overlook.

Key Finding: 41% of VPN Gateways Have Certificate Issues

Self-signed: 28% | Expired: 9% | Weak algorithms (SHA-1): 4% | Total at risk: 41%


Why Self-Signed VPN Certificates Are Dangerous

1. Man-in-the-Middle Attacks

When a VPN client encounters a self-signed certificate, it either rejects the connection (breaking access) or users are trained to accept warnings. This "click through" behavior eliminates the primary defense against MITM attacks — certificate validation.

2. No Revocation Capability

Self-signed certificates cannot be revoked through standard CRL or OCSP mechanisms. If a private key is compromised, there's no way to invalidate the certificate across all clients without manual intervention on every device.

3. Compliance Violations

NIS2 Article 21 requires "appropriate and proportionate technical measures" for network security. Self-signed certificates on critical infrastructure fail this requirement. ISO 27001 control A.10.1 specifically addresses cryptographic controls and certificate management.

4. Supply Chain Risk

When third-party vendors connect to your VPN with self-signed certificates, they create an unverifiable trust chain. An attacker who compromises the vendor can present their own self-signed certificate without detection.


Research Data

Certificate IssuePrevalenceRisk Level
Self-signed (no CA chain)28%Critical
Expired certificates9%High
SHA-1 signatures4%High
Wildcard on VPN endpoints12%Medium
Missing OCSP stapling67%Medium
Proper CA-signed, current59%Low

Remediation Roadmap

  1. Inventory: Catalog all VPN endpoints and their certificate status using KENSAI scans
  2. Deploy PKI: Set up an internal PKI or use a trusted public CA for VPN certificates
  3. Automate renewal: Implement ACME protocol or certificate management tools for automatic renewal
  4. Enforce validation: Configure VPN clients to reject self-signed certificates — no exceptions
  5. Monitor continuously: Set up alerts for certificates expiring within 30 days
  6. Vendor requirements: Mandate CA-signed certificates for all third-party VPN connections

NIS2 Implications

Under NIS2, self-signed certificates on critical VPN infrastructure could constitute a failure to implement appropriate technical measures (Article 21). Organizations found non-compliant face fines up to €10 million. More critically, if a breach occurs through a self-signed certificate vulnerability, the organization may face additional penalties for negligence.

Protect Your Organization with Kensai

AI-powered vulnerability management with 331,910+ CVEs indexed.

Start Free Trial

Stay secure. Stay vigilant.

🗡️ KENSAI Security Team

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →