Have you ever needed to make sure your website has a broken certificate? While many tools exist to help run an HTTPS server with valid certificates, there aren’t tools to make sure your certificate is revoked or expired. This is not a problem most people have. Tools to help manage certificates are always focused on avoiding those problems, not creating them.
Let’s Encrypt is a Certificate Authority, and so we have unusual problems we need to solve.
One of the requirements for publicly trusted Certificate Authorities is to host websites with test certificates, some of which need to be revoked or expired. This gets messed up more often than you might expect, because it's a bit tricky to get right. Test certificate sites exist so that developers can test their clients against a known-good, a known-expired, and a known-revoked certificate, so it's important that they're done right.
We’d previously used certbot, nginx, and some shell scripts, but the shell scripts were getting a bit too complicated. So we wrote a Go program tailored to the specific needs of a CA’s test certs site.
The websites
We need to host three sites per root certificate:

- A valid certificate, like any other website.
- An expired certificate, past its expiry date.
- A revoked certificate, which must not also be expired.
Valid is easy enough; it’s the normal case of any other website. This is a solved problem.
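To make the three cases concrete, here is an added Go example. It is not code from Let's Encrypt's test-cert program; the host names, the root's name, and the serial numbers are made up for the example. It mints a throwaway root, issues one leaf per site (valid, expired, and revoked but still inside its validity window), publishes the revoked serial on a CRL signed by the root, and serves all three from one listener by picking the certificate from the SNI name. The `status` method then replays what a client that checks expiry first and then the CRL should conclude for each site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type testCA struct {
	root    *x509.Certificate
	rootKey *ecdsa.PrivateKey
	leaves  map[string]tls.Certificate // keyed by SNI host name (host names are assumed for the example)
	crl     *x509.RevocationList       // lists the revoked site's serial number
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a server certificate for host valid over [notBefore, notAfter] and registers it for SNI.
func (ca *testCA) issue(host string, serial int64, notBefore, notAfter time.Time) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.root, &key.PublicKey, ca.rootKey))
	ca.leaves[host] = tls.Certificate{Certificate: [][]byte{der, ca.root.Raw}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// newTestCA builds a throwaway root and the valid, expired and revoked test sites as of now.
func newTestCA(now time.Time) *testCA {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root"}, // assumed name
		NotBefore:             now.Add(-72 * time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	rootDER := must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))
	ca := &testCA{root: must(x509.ParseCertificate(rootDER)), rootKey: rootKey, leaves: map[string]tls.Certificate{}}
	ca.issue("valid.test.example", 2, now.Add(-time.Hour), now.Add(24*time.Hour))
	// Expired: its whole validity window lies in the past. Revoked: still inside its window,
	// because clients stop consulting revocation data once a certificate has expired.
	ca.issue("expired.test.example", 3, now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	ca.issue("revoked.test.example", 4, now.Add(-time.Hour), now.Add(24*time.Hour))
	ca.crl = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(4), RevocationTime: now}},
	}, ca.root, rootKey))))
	return ca
}

// getCertificate is the tls.Config.GetCertificate hook: one listener serves all three sites, picked by SNI.
func (ca *testCA) getCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	c, ok := ca.leaves[hello.ServerName]
	if !ok {
		return nil, fmt.Errorf("no test certificate for %q", hello.ServerName)
	}
	return &c, nil
}

// status is what a client that checks expiry first and then the CRL should conclude about host.
func (ca *testCA) status(host string) string {
	leaf := must(ca.getCertificate(&tls.ClientHelloInfo{ServerName: host})).Leaf
	roots := x509.NewCertPool()
	roots.AddCert(ca.root)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if inv, ok := err.(x509.CertificateInvalidError); ok && inv.Reason == x509.Expired {
		return "expired"
	}
	must(0, err) // any other verification failure means the test setup itself is broken
	for _, rc := range ca.crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "valid"
}

func main() {
	ca := newTestCA(time.Now())
	fmt.Println(ca.status("valid.test.example"), ca.status("expired.test.example"), ca.status("revoked.test.example"))
}
```

To actually serve the sites, hand `&tls.Config{GetCertificate: ca.getCertificate}` to `tls.Listen`. Two caveats: `status` trusts the CRL because it built it itself, whereas a real client must first check the CRL's signature against the issuer (`crl.CheckSignatureFrom(root)`); and the example only covers CRLs, not OCSP. The expiry check runs before the revocation check on purpose: that ordering is why the revoked test certificate has to stay unexpired to be useful.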