Andrew Ayer

106 comments by Andrew Ayer

This PR is currently blocked on someone providing an example PKCS#12 file that can be used as a test case.

I can't reproduce that error. Could you provide a test case?

OK. This will require a new API. Regrettably, we added a second function for encoding trust stores only a month ago. To make sure we don't have to keep adding...

> The WebPKI has banned SHA-1 certificates for years now, and crypto/x509 targets a profile compatible with the WebPKI.

Although the WebPKI has banned SHA-1 certificates, it has not banned...

> Would you mind making this work with cert-generator.sh so this can with the same testing root cert as the other subdomains?

I'll look into that. It may be tricky...

I just amended the PR to:

1. Generate an expired OCSP response for the test CA. (It's a little hackish because I had to generate a temporary fake `index.txt` file,...

@lgarron Hmmm... it's not serving up the stapled OCSP response. Do you see anything in the nginx error log about stapling?

By the way, you can check for OCSP stapling by running:

```
openssl s_client -connect expired-ocsp.badssl.com:443 -servername expired-ocsp.badssl.com -status
```

If stapling is working, you'll see the string "OCSP Response...

@jsha My blog post describes a scenario where a server sends a chain whose last certificate is an expired intermediate. If I'm understanding Let's Encrypt's plans correctly, you'll be using...

@paravoid Good point about not being able to rely on MAILTO functionality. That said, I have some concerns about the `/etc/certspotter/hooks.d` approach. First, `-script` is **not** ready for production use....