When developing security documentation or testing browser behavior, finding real-world examples of revoked certificates can be surprisingly difficult. Most organizations quickly replace revoked certificates, leaving few live examples for testing purposes.
Here are several methods I've found effective for tracking down revoked certificates:
```bash
# Example: find the CRL Distribution Point in a site's leaf certificate
openssl s_client -connect example.com:443 -servername example.com -showcerts < /dev/null \
  | openssl x509 -noout -text | grep -A 1 "X509v3 CRL Distribution Points"
# Then download that CRL (replace [CRL_URL] with the URI printed above) and list the revoked serials
curl -s [CRL_URL] | openssl crl -inform DER -noout -text
```
While most revoked certificates disappear quickly, these test sites maintain intentionally revoked certificates:
- https://revoked.grc.com (maintained by Gibson Research)
- https://revoked.badssl.com (part of the badssl.com test suite)
For more control, you can set up a local test environment:
```bash
# Create a throwaway CA that will issue and later revoke the test certificate
# (openssl ca needs a configured CA directory: index.txt, serial, new_certs_dir)
openssl req -x509 -newkey rsa:2048 -keyout ca.key -out ca.pem -days 365 -nodes -subj "/CN=Test CA"
# Generate the test certificate as a CSR and sign it with the CA
openssl req -newkey rsa:2048 -keyout key.pem -out cert.csr -nodes -subj "/CN=revoked.test"
openssl ca -batch -keyfile ca.key -cert ca.pem -in cert.csr -out cert.pem
# Revoke the certificate (it must have been issued by this CA, so it is in index.txt)
openssl ca -revoke cert.pem -keyfile ca.key -cert ca.pem
# Create the CRL after revoking, so the revoked serial is listed
openssl ca -gencrl -keyfile ca.key -cert ca.pem -out ca.crl
```
Major browsers handle revoked certificates differently:
- Chrome: Shows "NET::ERR_CERT_REVOKED"
- Firefox: Displays "SEC_ERROR_REVOKED_CERTIFICATE"
- Safari: Presents "This certificate has been revoked"
You can automate checking CRLs for newly revoked certificates:
```bash
#!/bin/bash
# Simple CRL monitoring script: fetch the CRL and report when it differs from the last copy
CRL_URL="http://crl.example.com/revocation.crl"
wget -q -O current.crl "$CRL_URL" || { echo "CRL download failed"; exit 1; }
# cmp also fails on the first run (no previous.crl yet), which prints the full list once
if ! cmp -s current.crl previous.crl; then
    echo "CRL has changed - new revocations detected"
    openssl crl -in current.crl -inform DER -noout -text
fi
mv current.crl previous.crl
```
Remember that these techniques should only be used for legitimate testing and educational purposes.
As developers working with SSL/TLS implementations, we often need to test how browsers handle revoked certificates. While self-signed certificates are easy to generate, finding production sites with properly signed but revoked certificates presents unique challenges.
Here are several approaches to locate suitable test cases:
- Certificate Transparency Logs: Search through public CT logs for revoked certificates

  ```sql
  -- Example using crt.sh to search CT logs
  SELECT min(certificate_id), min(entry_timestamp), min(not_valid_after),
         array_agg(DISTINCT name_value) AS names
  FROM certificate_and_identities
  WHERE plainto_tsquery('example.com') @@ identities(identities)
  GROUP BY serial_number
  ORDER BY min(entry_timestamp) DESC
  LIMIT 10;
  ```

- CRL/OCSP Responders: Monitor public CRL distribution points

  ```bash
  openssl crl -inform DER -text -noout -in example.crl
  ```
These test domains are maintained by security researchers:
- revoked.grc.com: Maintained by Gibson Research Corporation
- revoked.badssl.com: Part of the badssl.com test suite
- revoked.ssltest.com: Another dedicated test domain
For comprehensive testing, consider setting up a local test environment:
```bash
# Create a throwaway CA that will issue and later revoke the test certificate
# (openssl ca needs a configured CA directory: index.txt, serial, new_certs_dir)
openssl req -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -days 365 -nodes -subj "/CN=Test CA"
# Generate the test certificate as a CSR and sign it with the CA
openssl req -newkey rsa:2048 -keyout key.pem -out cert.csr -nodes -subj "/CN=revoked.test"
openssl ca -batch -keyfile ca.key -cert ca.crt -in cert.csr -out cert.pem
# Revoke the certificate (with OpenSSL CA)
openssl ca -revoke cert.pem -keyfile ca.key -cert ca.crt
# Generate CRL
openssl ca -gencrl -out revoked.crl -keyfile ca.key -cert ca.crt
```
Major browsers handle revocation differently:
| Browser | CRL Check | OCSP Check |
|---|---|---|
| Chrome | Soft fail | Hard fail (with strict) |
| Firefox | Soft fail | Soft fail |
| Safari | Hard fail | Hard fail |
For CI/CD pipelines, use tools like:
```bash
# Using OpenSSL to request a stapled OCSP response and verify revocation status
openssl s_client -connect example.com:443 -servername example.com -status < /dev/null 2>&1 | grep -A 17 'OCSP response'
```
Remember that revocation checking behavior may change across browser versions and operating systems, so regular testing is recommended.
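Both posts above shell out to `openssl crl -text` to read a CRL. As an added example (not code from either post), here is a dependency-free Python walker that pulls the revoked serial numbers out of a DER CertificateList and checks a certificate's serial against them; `build_test_crl` constructs a minimal CRL inline so it runs offline. All function names are my own, and it inspects structure only: it does not verify the CRL signature or issuer.

```python
def der(tag, body):
    """Encode one DER TLV (definite length, long form when the body is 128+ bytes)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):
    """DER INTEGER for a non-negative value (a leading 0x00 keeps the sign bit clear)."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def tlvs(buf):
    """Yield (tag, value) for the TLVs packed back to back in buf."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                  # long form: (n & 0x7F) length bytes follow
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def revoked_serials(crl_der):
    """Serials in the revokedCertificates list of a DER CRL (signature NOT verified)."""
    (tag, cert_list), = tlvs(crl_der)                 # CertificateList ::= SEQUENCE { tbsCertList, ... }
    if tag != 0x30:
        raise ValueError("not a DER CertificateList")
    _, tbs = next(tlvs(cert_list))                    # tbsCertList is the first element
    serials = set()
    for tag, val in tlvs(tbs):
        entries = list(tlvs(val)) if tag == 0x30 else []
        # revokedCertificates: SEQUENCE of SEQUENCEs opening with an INTEGER (userCertificate);
        # the issuer Name holds SETs and the AlgorithmIdentifier opens with an OID, so they skip
        if entries and all(t == 0x30 and v and next(tlvs(v))[0] == 0x02 for t, v in entries):
            for _, entry in entries:
                serials.add(int.from_bytes(next(tlvs(entry))[1], "big", signed=True))
    return serials

def is_revoked(serial, crl_der):
    return serial in revoked_serials(crl_der)

def build_test_crl(serials):
    """Constructed v2 CRL with a dummy signature, for offline testing of the parser only."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    cn = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0c, b"Test CA"))         # CN=Test CA
    when = der(0x17, b"240101000000Z")               # UTCTime, reused for thisUpdate and entries
    revoked = der(0x30, b"".join(der(0x30, der_int(s) + when) for s in serials))
    tbs = der(0x30, der_int(1) + alg + der(0x30, der(0x31, cn)) + when + revoked)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 33))
```

For a real CRL fetched from a distribution point, pass `open("revoked.crl", "rb").read()` to `revoked_serials` and compare against the serial shown by `openssl x509 -noout -serial`.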