https://github.com/letsencrypt/test-certs-site

A simple server to host the valid, revoked, and expired certificates required by Section 2.2 of the CA/Browser Forum Baseline Requirements.
https://github.com/letsencrypt/test-certs-site

Last synced: 4 months ago
JSON representation

A simple server to host the valid, revoked, and expired certificates required by Section 2.2 of the CA/Browser Forum Baseline Requirements.

• Host: GitHub
• URL: https://github.com/letsencrypt/test-certs-site
• Owner: letsencrypt
• License: mpl-2.0
• Created: 2025-08-01T22:31:44.000Z (7 months ago)
• Default Branch: main
• Last Pushed: 2025-09-29T21:47:32.000Z (5 months ago)
• Last Synced: 2025-09-29T23:39:02.859Z (5 months ago)
• Language: Go
• Size: 32.2 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 3
• Metadata Files:
  • Readme: README.md
  • License: LICENSE
  • Code of conduct: CODE_OF_CONDUCT.md
  • Codeowners: CODEOWNERS

Awesome Lists containing this project

README

          
# test-certs-site

## Introduction 

This is a purpose-built webserver for hosting the test pages required by the 

CA/Browser forum Baseline Requirements. They contain the following requirement:

> The CA SHALL host test Web pages that allow Application Software Suppliers to

> test their software with Subscriber Certificates that chain up to each

> publicly trusted Root Certificate. At a minimum, the CA SHALL host separate

> Web pages using Subscriber Certificates that are valid, revoked, and expired.

 

It uses the ACME protocol to obtain certificates. It serves a simple website

with some information explaining what the test site is for.

From the CA/Browser Forum TLS Baseline Requirements: 

While this was built for Let's Encrypt, it should be usable by other ACME CAs.

## Running test-certs-site

This is a standalone Go program. Once a 1.0 release is available, we will begin

publishing releases.

```shell

go run ./cmd/ -config config/test.json

```

## Avoiding Incidents

This software was inspired by several incidents we observed from other CAs, as

well as the complexity of our existing solution using off-the-shelf tools.

Some categories of incidents we've observed include:

 

* Allowing certificates to expire incorrectly, for the valid and revoked .

* Serving unrevoked certificates on the revoked demonstration sites.

A server with ACME integration is the most reliable way to ensure certificates

are kept up-to-date, but the unusual requirements of serving revoked and expired

certificates is not a typical feature of other systems. Monitoring systems also

don't typically support ensuring that certificates are revoked or expired.

## ACME challenges

Currently, test-certs-site only supports the TLS-ALPN-01 validation method.

To fulfil this challenge, and to serve the test sites, this program listens

on a configurable port, which should be exposed as the TLS port, :443.

Note that in the test configuration listens on :5001 by default, which matches

[Pebble's](https://github.com/letsencrypt/pebble) default validation port. 

## Key and Certificate Storage

Currently, test-certs-site stores all key material as paths on disk.

To ease running cert-test-program in cloud or ephemeral environments, we will

want to support some mechanism for persisting keys to secrets management.

Other than the key and certificate storage, this program is stateless.

## Observability

There is a configurable debug listener which exposes /debug/pprof and /metrics.

Logs are printed in JSON to stderr.