Using a certificate, revoking it, issuing anew

Hello all,

I’m doing some tutoring for students in cryptography and am currently taking apart the TLS protocol run. As part of that, what I’d like to do is issue a certificate, revoke it, then issue a new certificate. That way I can show what it looks like when a site offers up a certificate on a RL vs a verifiable cert.

I’d like to use LE as the CA but don’t want to fall foul of any policies. I don’t expect I am as it’s pretty much business as usual but I thought it was worth checking.

Hi @TunnyTraffic,

I don’t think legitimate issuance for educational demonstration purposes is a problem. I do live issuance during talks about Let’s Encrypt to show people how the system works.

Please be aware of the rate limits, which will limit your ability to repeat your demonstration frequently:

https://letsencrypt.org/docs/rate-limits/

Also, if you just want to show people how browsers respond to certificates with problems, you don’t necessarily need to create new certificates. There’s a really excellent site that does a better job for that

https://badssl.com/

It’s deliberately created sub-sites with many different problems in the certificate and HTTPS configuration, so that you can explore and test how browsers will treat each of these cases. For example, https://expired.badssl.com/ has a deliberately expired certificate, while https://revoked.badssl.com/ has a revoked certificate, https://wrong.host.badssl.com/ has a mismatched subject name in the certificate, and so on.

Though, https://revoked.badssl.com/ is on the Google and Mozilla certificate blacklists; a typical revoked certificate will work in browsers that don’t check OCSP. Unless you use stapling, I guess.

@schoen @mnordhoff

Thank you both. I have an example domain I’m using throughout; I wanted to be able to demo the process and response with the target domain. Badssl is a great shout, but I also want to show CRL propagation, so doing it on the fly (within the rate limit) is more beneficial.

Thanks again.

For what it’s worth, Let’s Encrypt doesn’t have CRLs. They only use OCSP to distribute revocation status.

If you just need revocation, that’s fine. If you need a CRL for something… you’ll have to adjust your material, or use a different CA. :sweat:
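The issue / revoke / reissue cycle the original poster wants to demonstrate, as an added example that is not from anyone in this thread and does not use Let's Encrypt: a throwaway in-memory CA written with Go's standard `crypto/x509` package (Go 1.19 or later is assumed for `ParseRevocationList`). The hostname `demo.example` and the CA name are constructed values. Besides showing CRL mechanics, which Let's Encrypt itself does not publish, it makes the point from earlier in the thread concrete: plain chain verification (`VerifyChain`) accepts the revoked certificate just as a browser without revocation checking would, and only the explicit CRL lookup (`IsRevoked`) rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TinyCA is an in-memory, throwaway CA that stands in for a public CA so the
// issue / revoke / reissue cycle can be shown offline (no rate limits). It
// keeps its own list of revoked serials and a monotonically increasing CRL number.
type TinyCA struct {
	Cert      *x509.Certificate
	key       *ecdsa.PrivateKey
	serial    int64
	crlNumber int64
	revoked   []pkix.RevokedCertificate
}

// NewTinyCA generates a self-signed root with the certSign and cRLSign usages.
func NewTinyCA() (*TinyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Tiny Demo Root"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// cRLSign is mandatory: CreateRevocationList refuses an issuer without it.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // re-parse so SubjectKeyId is populated
	if err != nil {
		return nil, err
	}
	return &TinyCA{Cert: cert, key: key, serial: 1}, nil
}

// Issue signs a fresh server certificate (new key, new serial) for host.
func (ca *TinyCA) Issue(host string) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &leafKey.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke records the certificate's serial; it takes effect in the next CRL.
func (ca *TinyCA) Revoke(c *x509.Certificate) {
	ca.revoked = append(ca.revoked, pkix.RevokedCertificate{
		SerialNumber:   c.SerialNumber,
		RevocationTime: time.Now(),
	})
}

// CRL publishes a freshly signed, DER-encoded revocation list.
func (ca *TinyCA) CRL() ([]byte, error) {
	ca.crlNumber++
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(ca.crlNumber),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(time.Hour),
		RevokedCertificates: ca.revoked,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key)
}

// VerifyChain does what a TLS client does by default: checks the chain, the
// validity window and the name, but consults no CRL or OCSP. A revoked
// certificate passes this check.
func VerifyChain(leaf, root *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// IsRevoked is the explicit revocation check: validate the CRL's signature
// and freshness, then look for the leaf's serial number in it.
func IsRevoked(crlDER []byte, issuer, leaf *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	if time.Now().After(crl.NextUpdate) {
		return false, errors.New("CRL is stale; refuse to trust it")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	ca, _ := NewTinyCA()
	first, _ := ca.Issue("demo.example")
	ca.Revoke(first)
	crl, _ := ca.CRL()
	second, _ := ca.Issue("demo.example")
	for name, c := range map[string]*x509.Certificate{"old": first, "new": second} {
		rev, _ := IsRevoked(crl, ca.Cert, c)
		fmt.Printf("%s cert serial %v: chain ok=%v, revoked=%v\n", name, c.SerialNumber,
			VerifyChain(c, ca.Cert, "demo.example") == nil, rev)
	}
}
```

Running it prints that both the old and the new certificate pass chain verification while only the old one shows as revoked in the CRL, which is the contrast worth putting in front of students: revocation is a separate lookup that the relying party has to actually perform (via a CRL here, via OCSP for a Let's Encrypt certificate), not something the certificate itself carries.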
