Hello,
Just thought I'd report some findings about the quality of the "Test Website - Revoked" field values. This is in the context of using this data for testing revocation software. Please let me know if there is a more suitable venue for this, thanks!

Certificate is not actually revoked (probably because it is also expired):
"Microsoft RSA Root Certificate Authority 2017" - https://rvkrsaroot2017.pki.microsoft.com/
"Microsoft ECC Root Certificate Authority 2017" - https://rvkeccroot2017.pki.microsoft.com/
(Both of these have a single CRL referenced in their CRLDP extension, and they are valid and fresh but also empty. Most likely because the certs are also expired, see below.)

CRL is outdated:
"AffirmTrust Commercial" - https://revokedcommercial.affirmtrust.com/ (next_update=2025-09-18T06:36:15+00:00)
"AffirmTrust Networking" - https://revokednetworking.affirmtrust.com/ (next_update=2025-09-18T06:36:15+00:00)
"AffirmTrust Premium" - https://revokedpremium.affirmtrust.com/ (next_update=2025-09-18T06:37:15+00:00)
"AffirmTrust Premium ECC" - https://revokedpremiumecc.affirmtrust.com/ (next_update=2025-09-18T06:36:15+00:00)

Not in CT (realize this is not required by BRs, but would be nice if these sites were otherwise accepted by browsers except for being revoked):
"SecureSign Root CA12" - https://ss12-revoked.managedpki.ne.jp
"SecureSign Root CA14" - https://ss14-revoked.managedpki.ne.jp
"SecureSign Root CA15" - https://ss15-revoked.managedpki.ne.jp
"BJCA Global Root CA1" - https://demossl-rsa-revoked.bjca.org.cn
"BJCA Global Root CA2" - https://demossl-ecc-revoked.bjca.org.cn
"Entrust Root Certification Authority - G2" - https://entrustrootcertificationauthorityg2.sectigo.com:444

Fails to handshake with rustls, openssl 3, boringssl and firefox:
"Entrust Root Certification Authority - EC1" - https://entrustrootcertificationauthorityec1.sectigo.com:444

Certificate is expired because server is configured with wrong certificate: replies with certificate for expired4ktlsr2022.affirmtrust.com
"AffirmTrust Commercial" - https://revokedcommercial.affirmtrust.com/

Certificate is expired:
"AffirmTrust Networking" - https://revokednetworking.affirmtrust.com/
"AffirmTrust Premium" - https://revokedpremium.affirmtrust.com/
"AffirmTrust Premium ECC" - https://revokedpremiumecc.affirmtrust.com/
"Microsoft ECC Root Certificate Authority 2017" - https://rvkeccroot2017.pki.microsoft.com/
"Microsoft RSA Root Certificate Authority 2017" - https://rvkrsaroot2017.pki.microsoft.com/

Server is misconfigured and does not include intermediate certificates:
"TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" - https://testsslrevoked.kamusm.gov.tr/
"Actalis Authentication Root CA" - https://ssltest-revoked.actalis.it/

CRL DP server quoted in issuer not working:
"Microsoft ECC Root Certificate Authority 2017" - CRL DP is http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crl but this server returns HTTP 403 with wget UA

Thanks,
Joe
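
The triage behind three of the categories in the report above (expired certificate, outdated CRL, serial not listed in the CRL) can be written as a small check. This is an added example, not part of the original message or the reporter's tooling; the function name, serial numbers, dates and "now" are constructed, except the `next_update` value, which is one quoted in the report.

```python
from datetime import datetime, timezone

UTC = timezone.utc


def triage_revoked_fixture(serial, not_after, crl_next_update, crl_serials, now):
    """Return the reasons a 'revoked' test site cannot exercise revocation checking.

    An empty list means the only thing wrong with the certificate is that it
    is revoked, which is what revocation test software needs.
    """
    problems = []
    # Clients check the validity period first, so an expired certificate is
    # rejected before its revocation status matters.
    if now > not_after:
        problems.append("certificate is expired")
    # A CRL past nextUpdate is stale; a client cannot rely on it.
    if now > crl_next_update:
        problems.append("CRL is outdated")
    # CAs may drop entries for expired certificates, leaving a fresh but
    # empty CRL that no longer lists the test certificate.
    if serial not in crl_serials:
        problems.append("certificate is not actually revoked")
    return problems


NOW = datetime(2025, 10, 1, tzinfo=UTC)  # constructed "current time"
FRESH = datetime(2025, 10, 7, tzinfo=UTC)  # constructed nextUpdate in the future
FIXTURES = {  # constructed sample data, one entry per situation
    "expired cert, fresh empty CRL": dict(
        serial=0x1001, not_after=datetime(2025, 6, 1, tzinfo=UTC),
        crl_next_update=FRESH, crl_serials=set()),
    "valid cert, stale CRL": dict(
        serial=0x2002, not_after=datetime(2026, 3, 1, tzinfo=UTC),
        crl_next_update=datetime(2025, 9, 18, 6, 36, 15, tzinfo=UTC),
        crl_serials={0x2002}),
    "usable fixture": dict(
        serial=0x3003, not_after=datetime(2026, 3, 1, tzinfo=UTC),
        crl_next_update=FRESH, crl_serials={0x3003}),
}


def triage_all(now=NOW):
    return {name: triage_revoked_fixture(now=now, **f) for name, f in FIXTURES.items()}


if __name__ == "__main__":
    for name, problems in triage_all().items():
        print(f"{name}: {'; '.join(problems) or 'usable'}")
```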