Those Microsoft roots look like they're not trusted by any of (Apple, Chrome, Microsoft, Mozilla), so you might want to filter out roots which are no longer trusted by anyone.
Same with the AffirmTrust, Entrust, though they don't look fully distrusted from CCADB alone (at least at a quick glance).

I'd encourage you to submit a Certificate Problem Report to Actalis.

I'm seeing a certificate chain being served by Kamu SM, though it includes the unnecessary self-signed root in the chain - too many entries, not too few.

On Mon, Dec 29, 2025 at 7:47 AM Joe Birr-Pixton <[email protected]> wrote:

> Hello,
>
> Just thought I'd report some findings about the quality of the "Test
> Website - Revoked" field values. This is in the context of using this data
> for testing revocation software. Please let me know if there is a more
> suitable venue for this, thanks!
>
> Certificate is not actually revoked (probably because it is also expired):
>
> - "Microsoft RSA Root Certificate Authority 2017" - https://rvkrsaroot2017.pki.microsoft.com/
> - "Microsoft ECC Root Certificate Authority 2017" - https://rvkeccroot2017.pki.microsoft.com/
>
> (both of these have a single CRL referenced in their CRLDP extension, and
> they are valid and fresh but also empty. Most likely because the certs are
> also expired, see below.)
>
> CRL is outdated:
>
> - "AffirmTrust Commercial" - https://revokedcommercial.affirmtrust.com/ (next_update=2025-09-18T06:36:15+00:00)
> - "AffirmTrust Networking" - https://revokednetworking.affirmtrust.com/ (next_update=2025-09-18T06:36:15+00:00)
> - "AffirmTrust Premium" - https://revokedpremium.affirmtrust.com/ (next_update=2025-09-18T06:37:15+00:00)
> - "AffirmTrust Premium ECC" - https://revokedpremiumecc.affirmtrust.com/ (next_update=2025-09-18T06:36:15+00:00)
>
> Not in CT (realize this is not required by BRs, but would be nice if these
> sites were otherwise accepted by browsers except for being revoked):
>
> - "SecureSign Root CA12" - https://ss12-revoked.managedpki.ne.jp
> - "SecureSign Root CA14" - https://ss14-revoked.managedpki.ne.jp
> - "SecureSign Root CA15" - https://ss15-revoked.managedpki.ne.jp
> - "BJCA Global Root CA1" - https://demossl-rsa-revoked.bjca.org.cn
> - "BJCA Global Root CA2" - https://demossl-ecc-revoked.bjca.org.cn
> - "Entrust Root Certification Authority - G2" - https://entrustrootcertificationauthorityg2.sectigo.com:444
>
> Fails to handshake with rustls, openssl 3, boringssl and firefox:
>
> - "Entrust Root Certification Authority - EC1" - https://entrustrootcertificationauthorityec1.sectigo.com:444
>
> Certificate is expired because server is configured with wrong
> certificate: replies with certificate for
> expired4ktlsr2022.affirmtrust.com
>
> - "AffirmTrust Commercial" - https://revokedcommercial.affirmtrust.com/
>
> Certificate is expired:
>
> - "AffirmTrust Networking" - https://revokednetworking.affirmtrust.com/
> - "AffirmTrust Premium" - https://revokedpremium.affirmtrust.com/
> - "AffirmTrust Premium ECC" - https://revokedpremiumecc.affirmtrust.com/
> - "Microsoft ECC Root Certificate Authority 2017" - https://rvkeccroot2017.pki.microsoft.com/
> - "Microsoft RSA Root Certificate Authority 2017" - https://rvkrsaroot2017.pki.microsoft.com/
>
> Server is misconfigured and does not include intermediate certificates:
>
> - "TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1" - https://testsslrevoked.kamusm.gov.tr/
> - "Actalis Authentication Root CA" - https://ssltest-revoked.actalis.it/
>
> CRL DP server quoted in issuer not working:
>
> - "Microsoft ECC Root Certificate Authority 2017" - CRL DP is
>   http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crl
>   but this server returns HTTP 403 with wget UA
>
> Thanks,
>
> Joe
>
> --
> You received this message because you are subscribed to the Google Groups
> "CCADB Public" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/ccadb.org/d/msgid/public/bd10d8e5-84c6-49fe-a776-9ef23ed5a4bfn%40ccadb.org.
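Added example, not part of the thread and not code from CCADB or any of its participants: a Go standard-library check that sorts a "revoked" test certificate into the certificate and CRL categories reported above (expired, CRL outdated, not actually revoked), plus a CRL signature check that the report does not mention. `Classify`, `Fixture`, the order of the checks and the in-memory CA are assumptions made for illustration; CT logging, handshake failures, missing intermediates and CRL DP availability are not covered.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Classify sorts a "revoked" test leaf into the failure categories listed in the report.
func Classify(leaf, issuer *x509.Certificate, crl *x509.RevocationList, now time.Time) string {
	switch {
	case now.After(leaf.NotAfter):
		return "certificate expired"
	case crl.CheckSignatureFrom(issuer) != nil:
		return "CRL not signed by issuer"
	case now.After(crl.NextUpdate):
		return "CRL outdated"
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "not actually revoked"
}
// Fixture builds a constructed CA, leaf (serial 2) and CRL in memory; errors are ignored as inputs are fixed.
func Fixture(now, leafEnd, crlNext time.Time, revoked ...x509.RevocationListEntry) (leaf, ca *x509.Certificate, crl *x509.RevocationList) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // one key for CA and leaf keeps the fixture short
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(1, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, pub, priv)
	ca, _ = x509.ParseCertificate(caDER)
	leafT := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now.AddDate(-1, 0, 0), NotAfter: leafEnd}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafT, ca, pub, priv)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlT := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: crlNext.AddDate(0, 0, -7), NextUpdate: crlNext,
		RevokedCertificateEntries: revoked}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlT, ca, priv)
	crl, _ = x509.ParseRevocationList(crlDER)
	return leaf, ca, crl
}
func main() {
	now := time.Now()
	leaf, ca, crl := Fixture(now, now.AddDate(0, 1, 0), now.AddDate(0, 0, -1)) // valid leaf, stale empty CRL
	fmt.Println(Classify(leaf, ca, crl, now))
}
```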
