Quality of CCADB "Test Website - Revoked" field

[Joe Birr-Pixton]

Hello,

Just thought I'd report some findings about the quality of the "Test Website - Revoked" field values. This is in the context of using this data for testing revocation software. Please let me know if there is a more suitable venue for this, thanks!

Certificate is not actually revoked (probably because it is also expired):

• "Microsoft RSA Root Certificate Authority 2017" - https://rvkrsaroot2017.pki.microsoft.com/ 

• "Microsoft ECC Root Certificate Authority 2017" - https://rvkeccroot2017.pki.microsoft.com/ 

(both of these have a single CRL referenced in their CRLDP extension, and they are valid and fresh but also empty. Most likely because the certs are also expired, see below.)

CRL is outdated:

• "AffirmTrust Commercial" - https://revokedcommercial.affirmtrust.com/ (next_update=2025-09-18T06:36:15+00:00)

• "AffirmTrust Networking" - https://revokednetworking.affirmtrust.com/ (next_update=2025-09-18T06:36:15+00:00)

• "AffirmTrust Premium" - https://revokedpremium.affirmtrust.com/ (next_update=2025-09-18T06:37:15+00:00)

• "AffirmTrust Premium ECC" - https://revokedpremiumecc.affirmtrust.com/ (next_update=2025-09-18T06:36:15+00:00)

Not in CT (realize this is not required by BRs, but would be nice if these sites were otherwise accepted by browsers except for being revoked):

• "SecureSign Root CA12" - https://ss12-revoked.managedpki.ne.jp 

• "SecureSign Root CA14" - https://ss14-revoked.managedpki.ne.jp

• "SecureSign Root CA15" - https://ss15-revoked.managedpki.ne.jp 

• "BJCA Global Root CA1" - https://demossl-rsa-revoked.bjca.org.cn 

• "BJCA Global Root CA2" - https://demossl-ecc-revoked.bjca.org.cn 

• "Entrust Root Certification Authority - G2" - https://entrustrootcertificationauthorityg2.sectigo.com:444 

Fails to handshake with rustls, openssl 3, boringssl and firefox:

• "Entrust Root Certification Authority - EC1" - https://entrustrootcertificationauthorityec1.sectigo.com:444 

Certificate is expired because server is configured with wrong certificate: replies with certificate for expired4ktlsr2022.affirmtrust.com

• "AffirmTrust Commercial" - https://revokedcommercial.affirmtrust.com/

Certificate is expired:

• "AffirmTrust Networking" - https://revokednetworking.affirmtrust.com/ 

• "AffirmTrust Premium" - https://revokedpremium.affirmtrust.com/ 

• "AffirmTrust Premium ECC" - https://revokedpremiumecc.affirmtrust.com/ 

• "Microsoft ECC Root Certificate Authority 2017" - https://rvkeccroot2017.pki.microsoft.com/ 

• "Microsoft RSA Root Certificate Authority 2017" - https://rvkrsaroot2017.pki.microsoft.com/ 

Server is misconfigured and does not include intermediate certificates:

• "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" - https://testsslrevoked.kamusm.gov.tr/ 

• "Actalis Authentication Root CA" - https://ssltest-revoked.actalis.it/ 

CRL DP server quoted in issuer not working:

• "Microsoft ECC Root Certificate Authority 2017" - CRL DP is http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crl but this server returns HTTP 403 with wget UA

Thanks,

Joe

[Matthew McPherrin]

Those Microsoft roots look like they're not trusted by any of (Apple, Chrome, Microsoft, Mozilla), so you might want to filter out roots which are no longer trusted by anyone.

Same with the AffirmTrust, Entrust, though they don't look fully distrusted from CCADB alone (at least at a quick glance)

I'd encourage you to submit a Certificate Problem Report to Actalis.

I'm seeing a certificate chain being served by Kamu SM, though it includes the unnecessary self-signed root in the chain - too many entries, not too few.

--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion visit https://groups.google.com/a/ccadb.org/d/msgid/public/bd10d8e5-84c6-49fe-a776-9ef23ed5a4bfn%40ccadb.org.