Expired Certificate - Githubissues

chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.

https://badssl.com

Apache License 2.0

2.78k stars 186 forks source link

Expired Certificate #477

Open shankerwangmiao opened 2 years ago

shankerwangmiao commented 2 years ago

The following certificates have expired recently:

https://revoked.badssl.com
https://untrusted-root.badssl.com
https://self-signed.badssl.com

And https://no-sct.badssl.com will expire in several days.

christhompson commented 2 years ago

Thanks for the report. untrusted-root and self-signed should be replaced now, but no-sct and revoked are waiting on validation with our CA -- hopefully I can get those updated very soon.

ghost commented 2 years ago

Hello, https://1000-sans.badssl.com expired yesterday as well, can you fix it too?

uplime commented 2 years ago

The following have also expired: https://no-subject.badssl.com/ https://no-common-name.badssl.com/

bratkartoffel commented 2 years ago

Hi, any update on this?

christhompson commented 2 years ago

We've regenerated the revoked.badssl.com cert -- once it has been added to CRLSet I'll push the new cert live to the site.
no-sct should now be updated with a new certificate.

1000/10000-sans unfortunately break most CA provisioning panels, so they require custom issuance and we have not been able to get these reissued yet. Do let me know if these are critical to any particular test suites (we do not use these in any of our manual testing flows) and I can see if we can come up with a more sustainable solution for renewing these yearly.

no-subject and no-common-name are known (tracked in Issue #447)

christhompson commented 2 years ago

The new certificate for revoked.badssl.com is now in Chrome's CRLSet and the server certificate has updated to match.

BenWilson-Mozilla commented 2 years ago

@christhompson I can help maintain some of these certificates, if needed, on behalf of Mozilla. My email address is bwilson@mozilla.com. Please reach out to me over email to discuss how I can help.

AenBleidd commented 2 years ago

@christhompson, These domains still have expired certificates:

Are there any plans to update certificates for them?

billchenchina commented 2 years ago

https://reversed-chain.badssl.com/ also expired.

BenWilson-Mozilla commented 2 years ago

As the CA Program Manager at Mozilla, I have connections with Certification Authorities that issue these kinds of certificates. I'm sure I can get valid certificates from these CAs, as long as they do not violate the current CABF Baseline Requirements.

BenWilson-Mozilla commented 2 years ago

I can get these certificates issued for:

https://1000-sans.badssl.com/
https://no-subject.badssl.com/
https://no-common-name.badssl.com/

Who is maintaining the webserver?

christhompson commented 2 years ago

Thanks for the offer @BenWilson-Mozilla -- I've sent you an email to discuss further.

snim2 commented 2 years ago

BTW I think sha384.badssl.com and sha512.badssl.com expired on Friday.

szh commented 2 years ago

BTW I think sha384.badssl.com and sha512.badssl.com expired on Friday.

That's correct. See #501