chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

How about using a trusted and limited intermediate certificate? #378

Closed Jemmy1228 closed 10 months ago

Jemmy1228 commented 5 years ago

As badssl.com needs a lot of leaf SSL certificates (some of these certificates are even special), then how about using an intermediate certificate from a trusted root to sign these leaf certificates? (Like "Google Internet Authority G3" or "Microsoft IT TLS CA 4")

In general, an intermediate certificate can sign leaf certificates for any domain. To prevent this intermediate cert from being abused, you can require the CA to add an X509v3 critical "Name Constraints" extension to the certificate and only allow issuing certificates for badssl.com.

If you have your own intermediate certificate, maybe you will be able to issue SHA1 certificates or certificates with invalid SCT. However, I don't know whether the CAB forum will allow this intermediate certificate to be used in this way.