HeadlinesBriefing.com

Let's Encrypt Builds Tool for Broken SSL Sites

Hacker News

Let's Encrypt faced an unusual challenge: creating websites with intentionally broken SSL certificates. While most tools focus on maintaining valid certificates, the Certificate Authority needed test sites with valid, expired, and revoked certificates for client testing. Existing solutions using certbot, nginx, and shell scripts became too complex, prompting the development of a specialized Go program tailored to their specific needs.

The new program handles three certificate states: valid certificates work normally, expired certificates require waiting until they pass their expiration date, and revoked certificates need to appear in a Certificate Revocation List. Revoked certificates proved particularly tricky to manage, as tools typically avoid serving intentionally revoked certificates. The solution uses the Lego library for the ACME protocol and implements a custom webserver with specific timing logic to ensure proper state transitions.

The implementation prioritizes serving correct certificates over uptime, refusing connections while a certificate that is supposed to be expired is still valid. The code is open-source on GitHub, allowing other Certificate Authorities to build similar test environments. ASCII art versions of the site are served to text clients, while browsers receive HTML explanations of the certificate status, demonstrating that even "broken" certificates can serve practical purposes in the SSL ecosystem.
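The state logic behind the three test sites and the "correct certificate over uptime" rule, as an added Go example that is not code from Let's Encrypt's program: Classify() consults the CRL before the expiry date, and Fixture() builds a constructed, self-issued certificate plus CRL so all three states can be exercised offline. The hostname, serial numbers and the self-issued shortcut are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Classify reports what a client should conclude about cert at time now. The CRL is
// checked first, so a revoked certificate stays "revoked" once it has also expired.
func Classify(cert *x509.Certificate, crl *x509.RevocationList, now time.Time) string {
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked"
		}
	}
	if now.After(cert.NotAfter) {
		return "expired"
	}
	return "valid"
}

// Fixture returns constructed test data: a certificate (serial 2) that expires after
// lifetime, and a CRL listing serial revokedSerial. The certificate is self-issued
// and signs its own CRL purely to keep the example short.
func Fixture(lifetime time.Duration, revokedSerial int64) (*x509.Certificate, *x509.RevocationList) {
	priv := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "expired.example.test"},
		NotBefore: now, NotAfter: now.Add(lifetime), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	// Re-parsing the DER populates the generated SubjectKeyId that CreateRevocationList requires.
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv))))
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates:
			[]pkix.RevokedCertificate{{SerialNumber: big.NewInt(revokedSerial), RevocationTime: now}}}, cert, priv))))
	return cert, crl
}

// must panics on err: acceptable for building test data, not for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
```

A site meant to demonstrate "expired" would call Classify() on each connection and refuse to serve while the answer is still "valid", which is the timing rule the summary describes.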