To Intercept or Not to Intercept:
Analyzing TLS Interception in Network Appliances

Certificate Validation Tests

    On this page, you can find the certificate validation test files used in our framework, in addition to the general guidelines on crafting the certificates.

    You can download the certificate validation test files here.
    You can find the general guidelines here.
  • Self-signed*
  • Signature Mismatch
  • Fake GeoTrust*
  • Wrong Common Name
  • Unknown Issuer*
  • Non-CA intermediate**
  • x509v1 intermediate**
  • Expired Certificate - Leaf
  • Expired Certificate - Intermediate**
  • Expired Certificate - Root
  • Invalid Path Length Constraint**
  • Bad Name Constraint Intermediate**
  • Unknown Critical X509v3 Extension
  • Malformed Extension Values
  • Not Yet Valid Certificate - Leaf
  • Not Yet Valid Certificate - Intermediate**
  • Not Yet Valid Certificate - Root
  • Leaf Certificate - keyUsage: KeyCertSign (No Key Encipherment)
  • Root Certificate - keyUsage: non-repudiation (No KeyCertSign)
  • Leaf Certificate - extKeyUsage: clientAuth (Not for TLS server)
  • Root Certificate - extKeyUsage: codeSigning (Not for TLS)
  • RSA 512-bit Signing key (Root CA)
  • RSA 1024-bit Signing key (Root CA)
  • RSA 512-bit leaf key (Good Root CA)
  • RSA 768-bit leaf key (Good Root CA)
  • RSA 1016-bit leaf key (Good Root CA)
  • RSA 1024-bit leaf key (Good Root CA)
  • MD4 Signature Algorithm
  • MD5 Signature Algorithm
  • SHA1 Signature Algorithm

  • *The root CA certificate for these tests should not be imported into the trusted CA store.
  • **For certificate chains with intermediate certificates, the intermediate certificate(s) must be appended to the server certificate.