Expired Certificate

[shankerwangmiao]

The following certificates have expired recently:

• https://revoked.badssl.com
• https://untrusted-root.badssl.com
• https://self-signed.badssl.com

And https://no-sct.badssl.com will expire in several days.

[christhompson]

Thanks for the report. untrusted-root and self-signed should be replaced now, but no-sct and revoked are waiting on validation with our CA -- hopefully I can get those updated very soon.

[ghost]

Hello, https://1000-sans.badssl.com expired yesterday as well, can you fix it too?

[uplime]

The following have also expired:
https://no-subject.badssl.com/
https://no-common-name.badssl.com/

[bratkartoffel]

Hi, any update on this?

[christhompson]

• We've regenerated the revoked.badssl.com cert -- once it has been added to CRLSet I'll push the new cert live to the site.
• no-sct should now be updated with a new certificate.

1000/10000-sans unfortunately break most CA provisioning panels, so they require custom issuance and we have not been able to get these reissued yet. Do let me know if these are critical to any particular test suites (we do not use these in any of our manual testing flows) and I can see if we can come up with a more sustainable solution for renewing these yearly.

no-subject and no-common-name are known (tracked in Issue #447)

[christhompson]

The new certificate for revoked.badssl.com is now in Chrome's CRLSet and the server certificate has updated to match.

[BenWilson-Mozilla]

@christhompson I can help maintain some of these certificates, if needed, on behalf of Mozilla. My email address is [email protected]. Please reach out to me over email to discuss how I can help.

[AenBleidd]

@christhompson,
These domains still have expired certificates:

• https://1000-sans.badssl.com/
• https://no-subject.badssl.com/
• https://no-common-name.badssl.com/

Are there any plans to update certificates for them?

[billchenchina]

https://reversed-chain.badssl.com/ also expired.

[BenWilson-Mozilla]

As the CA Program Manager at Mozilla, I have connections with Certification Authorities that issue these kinds of certificates. I'm sure I can get valid certificates from these CAs, as long as they do not violate the current CABF Baseline Requirements.

[BenWilson-Mozilla]

I can get these certificates issued for:

https://1000-sans.badssl.com/
https://no-subject.badssl.com/
https://no-common-name.badssl.com/

Who is maintaining the webserver?

[christhompson]

Thanks for the offer @BenWilson-Mozilla -- I've sent you an email to discuss further.

[snim2]

BTW I think sha384.badssl.com and sha512.badssl.com expired on Friday.

[szh]

BTW I think sha384.badssl.com and sha512.badssl.com expired on Friday.

That's correct. See #501