One thing they don't cover is name constraints; there's a bunch of ways that they can fail, and some surprising ways they don't - the default is permit all, so if you have a Web CA with name constraints, you should remember to add poison-pill constraints for e-mail addresses as well.
It's of course not super easy for badssl to show such - they'd need an intermediate cert of their own, or close cooperation with a CA, but IRSG should definitely do so.
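The permit-all default described in the comment above, as an added example that is not part of the original thread: a small Python model of RFC 5280 name-constraint evaluation that shows which name types a constrained CA leaves open. It covers only dNSName and rfc822Name (real certificates carry more name types), and the domains and the choice of `invalid` as the poison-pill subtree are constructed assumptions.

```python
# Added example: per-type evaluation of X.509 name constraints (RFC 5280, 4.2.1.10).
# Every name and domain here is a constructed sample value.

def _dns_match(name, constraint):
    # A dNSName constraint matches the name itself and anything formed by
    # adding labels to its left; an empty constraint matches every DNS name.
    name, constraint = name.lower().rstrip("."), constraint.lower()
    return constraint == "" or name == constraint or name.endswith("." + constraint)

def _email_match(addr, constraint):
    # rfc822Name constraint forms: a full mailbox, a host, or ".domain"
    # (any host below that domain). Case handling is simplified here.
    addr, constraint = addr.lower(), constraint.lower()
    if "@" in constraint:
        return addr == constraint
    host = addr.rpartition("@")[2]
    if constraint.startswith("."):
        return host.endswith(constraint)
    return host == constraint

MATCHERS = {"dns": _dns_match, "email": _email_match}

def name_allowed(kind, value, permitted, excluded):
    """permitted/excluded are lists of (kind, constraint) subtrees from the CA cert."""
    match = MATCHERS[kind]
    if any(match(value, c) for k, c in excluded if k == kind):
        return False
    same_type = [c for k, c in permitted if k == kind]
    # No permitted subtree of this type means the type is not restricted at all.
    return not same_type or any(match(value, c) for c in same_type)

def unconstrained_types(permitted, excluded):
    """Name types for which the CA cert carries no subtree of any kind."""
    seen = {k for k, _ in permitted} | {k for k, _ in excluded}
    return sorted(set(MATCHERS) - seen)

# Web CA constrained to one DNS subtree only.
WEB_ONLY = {"permitted": [("dns", "example.com")], "excluded": []}
# Same CA plus a poison pill: a permitted e-mail subtree that no real address
# falls under ("invalid" is a reserved TLD; this choice is an assumption).
WITH_PILL = {"permitted": [("dns", "example.com"), ("email", "invalid")],
             "excluded": []}

if __name__ == "__main__":
    for label, nc in (("web only", WEB_ONLY), ("with pill", WITH_PILL)):
        print(label, "unconstrained:", unconstrained_types(**nc),
              "| user@other.test allowed:",
              name_allowed("email", "user@other.test", **nc))
```

Running `unconstrained_types` against the subtrees of your own intermediate is a quick way to spot a name type that was left at the default.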
Badssl is good to see how clients react to a badly configured certificate, which is a different thing from checking whether your certificate or web site is badly configured.
Also had to find another source for revoked test certificates for the homepage examples and found them here: https://www.ssl.com/sample-valid-revoked-and-expired-ssl-tls.... The badssl ones are expired too, which means they are no longer revoked since revocation only lasts the lifetime of the certificates, which makes sense of course.
Edit: known issue https://github.com/chromium/badssl.com/issues/516
Its founder, Ivan Ristić, has nice books as well.