Have you ever needed to make sure your website has a broken certificate? While many tools exist to help run an HTTPS server with valid certificates, there aren’t tools to make sure your certificate is revoked or expired. This is not a problem most people have. Tools to help manage certificates are always focused on avoiding those problems, not creating them.
Let’s Encrypt is a Certificate Authority, and so we have unusual problems we need to solve.

Lobsters is a community-driven platform for sharing and discussing links to articles, tutorials, and projects related to technology and programming. Readers can learn about a wide range of topics, from software development and system administration to cybersecurity and artificial intelligence. With user submissions, comments, and voting, Lobsters provides a platform for collaborative learning and knowledge sharing among technology enthusiasts.

Lobsters

Let's Encrypt built a custom Go program to host test certificate websites required for publicly trusted Certificate Authorities. The challenge: maintaining valid, expired, and revoked certificates simultaneously — especially keeping a revoked certificate non-expired. The solution uses the Lego ACME library for certificate issuance and revocation, polls CRLs to confirm revocation status, stores 'next' certificates with staged rollout delays (24h+ for revoked, waiting past expiry for expired), and uses Go's built-in TLS stack with a GetCertificate callback for SNI-based certificate selection. The project is open-source and available for other CAs to use.

The difficulty of making sure your website is broken