Reject certificates that are valid for too long.

net/data/ssl/certificates/README

 This directory contains various certificates for use with SSL-related
 unit tests.
 
 ===== Real-world certificates that need manual updating
 - google.binary.p7b
 - google.chain.pem
 - google.pem_cert.p7b
 - google.pem_pkcs7.p7b
 - google.pkcs7.p7b
 - google.single.der
@@ skipping 51 matching lines @@
 - ct-test-embedded-with-intermediate-preca-chain.pem
 - ct-test-embedded-with-preca-chain.pem
      Test certificate chains for Certificate Transparency: Each of these
      files contains a leaf certificate as the first certificate, which has
      embedded SCTs, followed by the issuer certificates chain.
      All files are from the src/test/testdada directory in
      https://code.google.com/p/certificate-transparency/
 
 - comodo.chain.pem : A certificate chain for www.comodo.com which should be
      recognised as EV. Expires Jun 20 2015.
 

[Ryan Sleevi, 2015/01/22 02:04:40]

twitter chain (& expiration)

[palmer, 2015/01/22 20:05:05]

Done.

 ===== Manually generated certificates
 - client.p12 : A PKCS #12 file containing a client certificate and a private
      key created for testing.  The password is "12345".
 
 - client-nokey.p12 : A PKCS #12 file containing a client certificate (the same
      as the one in client.p12) but no private key. The password is "12345".
 
 - unittest.selfsigned.der : A self-signed certificate generated using private
      key in unittest.key.bin. The common name is "unittest".
 
@@ skipping 39 matching lines @@
 - quic_intermediate.crt
 - quic_test_ecc.example.com.crt
 - quic_test.example.com.crt
 - quic_root.crt
      These certificates are used by the ProofVerifier's unit tests of QUIC.
 
 ===== From net/data/ssl/scripts/generate-test-certs.sh
 - expired_cert.pem
 - ok_cert.pem
 - root_ca_cert.pem
-     These certificates are the common certificates used by the Python test
-     server for simulating HTTPS connections.
+    These certificates are the common certificates used by the Python test
+    server for simulating HTTPS connections.
 
 - name_constraint_bad.pem
 - name_constraint_good.pem
     Two certificates used to test the built-in ability to restrict a root to
     a particular namespace.
 
 - sha256.pem: Used to test the handling of SHA-256 certs on Windows.
 
 - spdy_pooling.pem : Used to test the handling of spdy IP connection pooling
 
 - subjectAltName_sanity_check.pem : Used to test the handling of various types
      within the subjectAltName extension of a certificate.
 
 - punycodetest.pem : A test self-signed server certificate with punycode name.
      The common name is "xn--wgv71a119e.com" (日本語.com)
 
+- 40_months_after_2015_04.pem
+- 61_months_after_2012_07.pem
+- 11_year_validity.pem
+    Certs to test that the maximum validity durations set by the CA/Browser
+    Forum Baseline Requirements are enforced.

[Ryan Sleevi, 2015/01/22 02:04:40]

10_year_validity
11_year_validity
39_months_after_2015_04
60_months_after_2012_07
pre_br_validity_bad_121
pre_br_validity_bad_2020
pre_br_validity_ok
start_after_expirey.pem


- reject_intranet_hosts.pem
   A certificate with a non-IANA delegated domain, which is rejected since a CA
cannot validate the applicant controls that domain.

[palmer, 2015/01/22 20:05:05]

Done.

+
 ===== From net/data/ssl/scripts/generate-weak-test-chains.sh
 - 2048-rsa-root.pem
 - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
 - {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-ee-by-
       {768-rsa,1024-rsa,2048-rsa,prime256v1-ecdsa}-intermediate.pem
       Test certificates used to ensure that weak keys are detected and rejected
 
 ===== From net/data/ssl/scripts/generate-cross-signed-certs.sh
 - cross-signed-leaf.pem
 - cross-signed-root-md5.pem
@@ skipping 85 matching lines @@
 ===== From net/data/ssl/scripts/generate-aia-certs.sh
 - aia-cert.pem
 - aia-intermediate.der
 - aia-root.pem
      A certificate chain which we use to ensure AIA fetching works correctly
      when using NSS to verify certificates (which uses our HTTP stack).
      aia-cert.pem has a caIssuers that points to "aia-test.invalid" as the URL
      containing the intermediate, which can be served via a URLRequestFilter.
      aia-intermediate.der is stored in DER form for convenience, since that is
      the form expected of certificates discovered via AIA.
-
-