chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

All certs in the "Known Bad" section are now expired #444

Open fmotrifork opened 4 years ago

fmotrifork commented 4 years ago

The following just expired at 2020-05-15:

These expired last year on 2019-09-06:

I believe that it is very valuable to have at least a couple of bad roots or self-signed certs to test against that do not fail the tests for being expired. Is it possible to renew these?

christhompson commented 4 years ago

I'll look into regenerating these. In the meantime, https://self-signed.badssl.com and https://untrusted-root.badssl.com cover these cases generally. These specific bad roots are primarily for testing specific blocklisting of these certificates/roots in user agents (e.g., Chrome had special handling for Superfish for a while, although that has since been removed).

MickaelBergem commented 4 years ago

For what it's worth, the intermediate certificate COMODO SSL CA will expire in less than 24h; it is used at least on the https://sha1-intermediate.badssl.com/ domain.

christhompson commented 4 years ago

> For what it's worth, the intermediate certificate COMODO SSL CA will expire in less than 24h; it is used at least on the https://sha1-intermediate.badssl.com/ domain.

sha1-intermediate.badssl.com will be moved to the Defunct section with #445 since we can no longer get new certs with SHA-1 signatures (they are banned by the baseline requirements).

(This is separate from the known-bad certs, which use publicly known keys and should be able to be regenerated; it's just lower priority as we already cover the general case.)

djcater commented 4 years ago

The last 2 you listed are covered by #413 and #414.