Adding preventive revocation alerts to our certificate monitoring
As part of our SSL certificate monitoring, we check a lot of things. The usual checks, such as whether the certificate covers the right domain name and whether it has expired, are of course already included.
But SSL certificates can get quite complex. Sometimes, SSL certificates get revoked by the issuer. When that happens, browsers worldwide stop trusting them and will throw an invalid certificate warning.
What are certificate revocations?
These revocations are usually initiated on purpose by the owner, who wants to replace a certificate with a new one and make sure the old one is no longer trusted.
But sometimes, things happen that cause certificates to be revoked without the owner initiating it.
A few months ago, it happened when Let's Encrypt had to revoke a lot of their certificates.
Such events are rare, but appear to be happening more & more. So, we want to be prepared and have made some changes to Oh Dear. 💪
Preventive notifications for SSL certificate revocations
In the case of Let's Encrypt's revocation, they gave users a few days' notice that some certificates were going to be revoked.
And just this week, Ryan Sleevi announced a list of over 250 intermediate certificates that violated the certificate rules, which should now be revoked.
While annoying for users worldwide, it is nice to know about these revocations before they actually occur.
To help our users, we've added new functionality to Oh Dear that allows us to easily load these announced revocations in our database, and match any of the sites we monitor against them.
Here's what that might look like, as an example:
If we have a match, we can notify our users before the revocation actually occurs. Great, right? 🥳
This means you no longer have to wait for certificate problems to occur - causing problems for your visitors - but you get to fix them before they cause issues.
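The matching step described above can be sketched as follows. This is an added example, not Oh Dear's own code: it assumes the announcement identifies certificates by SHA-256 fingerprint with a planned revocation date, and the function names, site names, dates and certificate stand-ins are all constructed for illustration.

```python
import hashlib
import ssl
from datetime import date

def fingerprint(pem):
    """SHA-256 over the DER bytes of one PEM certificate, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def normalise(fp):
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex; return lowercase hex."""
    return fp.replace(":", "").replace(" ", "").strip().lower()

def load_announcement(rows):
    """rows: (fingerprint, planned revocation date) pairs -> lookup table."""
    return {normalise(fp): when for fp, when in rows}

def affected_sites(announced, site_chains, today):
    """Return (site, chain position, days left) for every served certificate
    that appears in the announcement. Position 0 is the leaf; a negative
    days-left value means the planned revocation date has already passed."""
    findings = []
    for site, chain in site_chains.items():
        for position, pem in enumerate(chain):
            when = announced.get(fingerprint(pem))
            if when is not None:
                findings.append((site, position, (when - today).days))
    return sorted(findings, key=lambda f: (f[2], f[0]))  # most urgent first

def _stand_in(label):
    # Constructed sample data: arbitrary bytes in a PEM wrapper, not real X.509.
    return ssl.DER_cert_to_PEM_cert(label.encode())

LEAF_A, LEAF_B = _stand_in("leaf-a"), _stand_in("leaf-b")
INTER_X, INTER_Y = _stand_in("intermediate-x"), _stand_in("intermediate-y")

# Constructed announcement: INTER_X is due for revocation, written in
# upper-case colon-separated form to exercise normalise().
_hex = fingerprint(INTER_X)
ANNOUNCED = load_announcement(
    [(":".join(_hex[i:i + 2] for i in range(0, 64, 2)).upper(), date(2030, 1, 10))]
)
SITES = {"shop.example": [LEAF_A, INTER_X], "blog.example": [LEAF_B, INTER_Y]}

if __name__ == "__main__":
    for site, position, days in affected_sites(ANNOUNCED, SITES, date(2030, 1, 7)):
        print(f"{site}: chain[{position}] will be revoked in {days} day(s)")
```

Checking every position in the served chain, not just the leaf, is what catches an announced intermediate revocation: the site's own certificate can be fine while the chain it depends on is about to break.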