Security – Should HTTPS Certificates Be Committed to GitHub?

Tags: certificate, github, https, Security

If a server certificate is published to Github, a la:

-----BEGIN CERTIFICATE-----

is that necessarily a bad thing? Is there ever a legitimate reason to do this?

I ask because of a recent wave of attention GitHub has gotten since allowing users to search for certain things, such as .ssh/id.rsa and the like, in public repositories.

Also, server certificates are involved in the https protocol, but honestly I'm having trouble determining if they are generally regarded as sensitive information.

Best Answer

I can think of an easy legitimate reason: suppose I write a program to do an offline version of the SSL Labs server test. A good test suite for that program would include various certificates with different problems and some configuration to use them for testing. E.g. it checks for the Debian weak key problem, so you'd want a certificate with a Debian weak key (perhaps for the domain weakkey.example.com).

Of course, test certificates are not the same as real signed certs from a proper CA. (For testing purposes you'd use a testing CA). I would imagine that the major CAs have revoked the certificates whose private keys were available on github.

(Incidentally, if anyone knows of a repository of test certs, feel free to leave a comment...)
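The distinction the answer draws, between a certificate (public by design) and the private key behind it (the material the CAs had to revoke), can be enforced before anything reaches a public repository. The following is an added example, not code from the original post or its author: a small pre-commit style check that finds every PEM block in a file, classifies it by its RFC 7468 label, and reports private-key blocks as secret while letting certificate blocks through. The sample file content is constructed inline; its base64 bodies are arbitrary bytes, not real certificates or keys, and the label sets are the common PEM labels rather than an exhaustive list.

```python
import base64
import binascii
import re

# PEM block grammar (RFC 7468): a label line, a base64 body, and a matching footer.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)

# Labels whose contents are secret. A certificate is meant to be distributed;
# the matching private key is what must never be committed.
SECRET_LABELS = {
    "PRIVATE KEY",
    "RSA PRIVATE KEY",
    "EC PRIVATE KEY",
    "DSA PRIVATE KEY",
    "ENCRYPTED PRIVATE KEY",
    "OPENSSH PRIVATE KEY",
}
PUBLIC_LABELS = {"CERTIFICATE", "PUBLIC KEY", "CERTIFICATE REQUEST", "X509 CRL"}


def classify_pem(text):
    """Return [(label, verdict, decoded_length)] for every PEM block in text.

    verdict is 'secret', 'public', 'unknown', or 'malformed' (body not base64).
    """
    findings = []
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        body = re.sub(r"\s+", "", m.group("body"))  # PEM bodies are line-wrapped
        try:
            der = base64.b64decode(body, validate=True)
        except (binascii.Error, ValueError):
            findings.append((label, "malformed", 0))
            continue
        if label in SECRET_LABELS:
            verdict = "secret"
        elif label in PUBLIC_LABELS:
            verdict = "public"
        else:
            verdict = "unknown"
        findings.append((label, verdict, len(der)))
    return findings


def has_secret(text):
    """True if any PEM block in text carries private-key material."""
    return any(verdict == "secret" for _, verdict, _ in classify_pem(text))


# Constructed sample bodies: arbitrary bytes, not real X.509 or key encodings.
FAKE_CERT_DER = b"constructed: not a real X.509 certificate"
FAKE_KEY_DER = b"constructed: not a real private key"

# Constructed file content as it might appear in a repository: one certificate,
# one private key, and one certificate block whose body is not valid base64.
SAMPLE_REPO_FILE = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(FAKE_CERT_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    + base64.b64encode(FAKE_KEY_DER).decode()
    + "\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "not-base64!!\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for label, verdict, length in classify_pem(SAMPLE_REPO_FILE):
        print(f"{label:<24} {verdict:<10} {length} bytes")
    print("commit blocked" if has_secret(SAMPLE_REPO_FILE) else "commit allowed")
```

Run as a pre-commit hook over staged files, the check rejects the commit only when `has_secret` is true, so a test suite of deliberately broken certificates of the kind the answer describes still goes in, as long as the test CA's private keys stay out of the repository (or are clearly throwaway keys that sign nothing real).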
