
Add revoked intermediate subdomain

Open rugk opened this issue 9 years ago • 4 comments

See https://revoked-intermediate.serverhello.com/ for an example.

rugk avatar Jan 02 '16 12:01 rugk

Hmm, revoked certs are tricky, and intermediates doubly so. How did https://revoked-intermediate.serverhello.com/ get a cert revoked intermediate, and what's the story behind the revocation?

Also, revocation on its own usually doesn't trigger a failure (with notable exceptions, e.g. EV in Chrome and must-staple), although I at least want to get revoked.badssl.com (#30) into Chrome's CRLSet at some point.

lgarron avatar Jan 03 '16 02:01 lgarron

Ask @selecadm.

https://twitter.com/selecadm/status/682656650839371777

rugk avatar Jan 03 '16 18:01 rugk

This cert was issued after intermediate revocation but before SHA1 was disallowed.

Now all I can come up with is pinging @robstradling to ask whether it's possible to issue SHA2 from a SHA1 discounted intermediate, or to create and then revoke a new intermediate. The second option would be much better, considering it would be the first intermediate in the chain. My setup makes use of cross-signing.

selecadm avatar Jan 03 '16 19:01 selecadm

+1

gdubicki avatar Mar 21 '16 14:03 gdubicki