Latest Tech News

Stay updated with the latest in technology, AI, cybersecurity, and more

OCSP Service Has Reached End of Life

Today we turned off our Online Certificate Status Protocol (OCSP) service, as announced in December of last year. We stopped including OCSP URLs in our certificates more than 90 days ago, so all Let’s Encrypt certificates that contained OCSP URLs have now expired. Going forward, we will publish revocation information exclusively via Certificate Revocation Lists (CRLs). We ended support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a

The number of mis-issued 1.1.1.1 certificates grows. Here’s the latest.

Wednesday’s discovery of three mis-issued TLS certificates for Cloudflare’s 1.1.1.1 encrypted DNS lookup service generated intense interest and concern among Internet security practitioners. The revelation raised the possibility that an unknown entity had obtained the cryptographic equivalent of a skeleton key that could be used to surreptitiously decrypt millions of users’ DNS queries that were encrypted through DNS over TLS or DNS over HTTPS. From there, the scammers could have read queries or

Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet

People in Internet security circles are sounding the alarm over the issuance of three TLS certificates for 1.1.1.1, a widely used DNS service from content delivery network Cloudflare and the Asia Pacific Network Information Centre (APNIC) Internet registry. The certificates, issued in May, can be used to decrypt domain lookup queries encrypted through DNS over HTTPS, a protocol that provides end-to-end encryption when end-user devices seek the IP address of a particular domain they want to acce

Buypass discontinues issuance of TLS/SSL certificates

Existing TLS/SSL certificates will remain valid and functional until they expire or are revoked. Revocation services, certificate status services (CRL and OCSP), and other necessary support functions will operate as normal for all certificates within their validity period. Notification of the expiry date for existing certificates will be sent as per the standard procedure. More details on how the discontinuation affects certificates ordered in Buypass ID Manager, as well as the discontinuation

Certificates for Onion Services

This document tracks existing procedures or proposals for integrating and validating TLS/HTTPS certificates for Onion Services. While some depend on the Certificate Authority (CA) model, others rely on alternative certification and validation procedures that do not require built-in certificate chains in the client software or reliance on financial transactions. Whenever you browse the internet regularly, the connection between your computer and a service is u

SSL certificate requirements are becoming obnoxious

I am responsible for approving SSL certificates for my company. I’ve developed a process over the past couple of years that works well. My stakeholders understand their roles and responsibilities and put up a minimal amount of fuss as I review and approve each cert. What started out as a quarterly or semi-monthly task has become a monthly-to-weekly task depending on when our certs are expiring. I appreciate the amount of trust put into certificates and understand that they are a critical compon

CRLite: Certificate Revocation Checking in Firefox

Firefox is now the first and the only browser to deploy fast and comprehensive certificate revocation checking that does not reveal your browsing activity to anyone (not even to Mozilla). Tens of millions of TLS server certificates are issued each day to secure communications between browsers and websites. These certificates are the cornerstones of ubiquitous encryption and a key part of our vision for the web. While a certificate can be valid for up to 398 days, it can also be revoked at any p

Nginx introduces native support for ACME protocol

We are very excited to announce the preview release of ACME support in NGINX. The implementation introduces a new module ngx_http_acme_module that provides built-in directives for requesting, installing, and renewing certificates directly from NGINX configuration. The ACME support leverages our NGINX-Rust SDK and is available as a Rust-based dynamic module for both NGINX Open Source users as well as enterprise NGINX One customers using NGINX Plus. NGINX’s native support for ACME brings a variet

How did Facebook intercept competitor's encrypted mobile app traffic? (2014)

A technical investigation into information uncovered in a class action lawsuit that Facebook had intercepted encrypted traffic from users' devices running the Onavo Protect app in order to gain competitive insights. There is a current class action lawsuit against Meta in which court documents note* that the company may have breached the Wiretap Act. The analysis made in this post is based on content court documents and reverse engineering sections of archived Onavo Protect app packages for

Secure boot certificate rollover is real but probably won't hurt you

LWN wrote an article which opens with the assertion "Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September". This is, depending on interpretation, either misleading or just plain wrong, but also there's not a good source of truth here, so. First, how does secure boot signing work? Every system that supports UEFI secure boot ships with a set of trusted certificates in a database called "db". Any binary sig

Running a Certificate Transparency log

Hear me out. If you are an organization with some spare storage and bandwidth, or an engineer looking to justify an overprovisioned homelab, you should consider running a Certificate Transparency log. It’s cheaper, easier, and more important than you might think. Certificate Transparency (CT) is one of the technologies that underpin the security of the whole web. It keeps Certificate Authorities honest, and allows website owners to be notified of unauthorized certificate issuance. It’s a big pa

How Let's Encrypt made the internet safer and HTTPS standard - and free

In 1996, I registered my first website, Vaughan-Nichols & Associates. After setting up the site, one of the first things I did was to secure connections with a Secure Sockets Layer (SSL) certificate. The then-new security network protocol provided an encrypted connection and a digital certificate that authenticates a website's identity. SSL was then, and is now, the minimum security a safe website should provide to its users. The protocol was also a major pain to set up

CertMate – SSL Certificate Management System

🌟 Why CertMate? CertMate solves the complexity of SSL certificate management in modern distributed architectures. Whether you're running a single application or managing certificates across multiple datacenters, CertMate provides: 🔄 Zero-Downtime Automation - Certificates renew automatically 30 days before expiry 🌐 Multi-Cloud Support - Works with 19 DNS providers (Cloudflare, AWS, Azure,

Let’s Encrypt ends certificate expiry emails to cut costs, boost privacy

Let's Encrypt has announced it will no longer notify users about imminent certificate expirations via email due to high costs, privacy concerns, and unnecessary complexities. The decision to end the expiration notification email service was implemented as of June 4, 2025, but Let's Encrypt has now communicated it via a blog post to raise awareness and prevent unexpected disruptions. Let's Encrypt is a nonprofit Certificate Authority (CA) that provides free, automated, and open digital certific

Finding Dead Websites

As some of the work planned for Marginalia Search this year has been progressing a bit faster than anticipated, there was time to implement an unplanned change. This post details the implementation of a system for detecting when servers are online, to avoid serving dead links and improve data quality, and for detecting when websites have significant changes including ownership transfers and parking. Feature Rationale: Availability detection is useful not just for filtering o

ConnectWise rotating code signing certificates over security concerns

ConnectWise is warning customers that it is rotating the digital code signing certificates used to sign ScreenConnect, ConnectWise Automate, and ConnectWise RMM executables over security concerns. Digital certificates are used to sign executables so those downloading the files know they come from a trusted source. This ensures that code has not been tampered with before it reaches the end user. According to ConnectWise, the decision was taken after a third-party security researcher raised conc