The difficulty of making sure your website is broken
Summary
The article explains how to test TLS certificate handling by hosting three certificate states (valid, expired, revoked) and using ACME with Lego in a Go server to manage certificates. It highlights revocation challenges, CRL checks, and browser revocation mechanisms (CRLite), plus practical steps for delaying certificate switchovers to ensure correct behavior. It also references Let's Encrypt's test roots and emphasizes the importance of robust testing for TLS clients.
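An added example, not code from the article or from Lego: a client-side check that sorts a certificate into the three states above using its validity window and an issuer-signed CRL. `certState` and `demo` are hypothetical names, the CA and CRL are constructed at run time, and the leaf is a stub carrying only a serial and validity dates, with chain validation assumed to happen elsewhere.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certState classifies leaf as "valid", "expired" or "revoked". The CRL must be
// signed by issuer and not past NextUpdate; otherwise it errors (fail closed).
func certState(leaf, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) (string, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "", fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return "", fmt.Errorf("CRL stale since %s", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked", nil // revocation wins even if the leaf has also expired
		}
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return "expired", nil
	}
	return "valid", nil
}

// demo runs certState on constructed inputs: a throwaway CA, a CRL revoking serial 4,
// and a leaf stub (serial and validity only) that expires leafLife from now.
func demo(now time.Time, serial int64, leafLife, crlLife time.Duration) (string, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // setup errors skipped: inputs are constructed
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	ca, _ := x509.ParseCertificate(der)
	der, _ = x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour),
		NextUpdate: now.Add(crlLife), RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: big.NewInt(4), RevocationTime: now}}}, ca, key)
	crl, _ := x509.ParseRevocationList(der)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(leafLife)}
	return certState(leaf, ca, crl, now)
}

func main() { fmt.Println(demo(time.Now(), 4, time.Hour, time.Hour)) }
```

The stale-CRL branch matters for test sites like these: a client that silently accepts an out-of-date CRL would report the revoked host as valid.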