In the observatory, do not add insecure certs to the already_submitted cache
Currently clients only ever submit a cert to the observatory once (unless they clear their history). However, if the observatory sent them a warning about the cert, the client should probably continue to resubmit and display the warning until the cert goes offline.
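
The behaviour requested above, shown as an added example that is not code from the project: only the `already_submitted` name comes from the issue title, while `ObservatoryClient`, `submitFn`, `observe`, the `{ warning }` response shape and the fake observatory are hypothetical. Certificates are represented by constructed fingerprint strings.

```javascript
// Hypothetical client-side logic (added example, not the project's code).
class ObservatoryClient {
  // submitFn stands in for the network call to the observatory. It takes a
  // certificate fingerprint and returns { warning: string | null }.
  constructor(submitFn) {
    this.submitFn = submitFn;
    this.already_submitted = new Set(); // fingerprints that drew no warning
  }

  // Called every time a site presents a certificate.
  // Returns the warning text to display, or null.
  observe(fingerprint) {
    if (this.already_submitted.has(fingerprint)) return null;
    const { warning } = this.submitFn(fingerprint);
    if (warning) {
      // Flagged cert: keep it out of the cache so the next sighting is
      // resubmitted and the warning is displayed again.
      return warning;
    }
    this.already_submitted.add(fingerprint);
    return null;
  }
}

// Constructed stand-in for the observatory: flags one fingerprint and
// records every submission it receives.
function makeFakeObservatory(flaggedFingerprint) {
  const received = [];
  const submit = (fp) => {
    received.push(fp);
    const flagged = fp === flaggedFingerprint;
    return { warning: flagged ? "certificate flagged by observatory" : null };
  };
  return { submit, received };
}

// Constructed sample run: two sightings of a clean cert, three of a flagged one.
function demo() {
  const obs = makeFakeObservatory("fp-flagged");
  const client = new ObservatoryClient(obs.submit);
  const sightings = ["fp-clean", "fp-clean", "fp-flagged", "fp-flagged", "fp-flagged"];
  const shown = sightings.map((fp) => client.observe(fp));
  return { shown, received: obs.received, cached: [...client.already_submitted] };
}
```

The clean certificate is submitted once and cached; the flagged one is submitted on every sighting and never enters the cache, so resubmission stops only when the site stops presenting it.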