Domain Detective

API Reference

Class

CertificateAnalysis

Namespace DomainDetective
Assembly DomainDetective
Implements

Represents certificate validation results for an HTTP endpoint.

Inheritance

  • Object
  • CertificateAnalysis

Remarks

Validation includes hostname matching and chain verification using the system trust store.

Usage

This type appears in these public API surfaces even when no hand-authored example is attached directly to the page.

Accepted by parameters

Constructors

Methods

public async Task AnalyzeCertificate(X509Certificate2 certificate, CancellationToken cancellationToken = null) #
Returns: Task

Analyzes a provided certificate without performing any network operations.

Parameters

certificate System.Security.Cryptography.X509Certificates.X509Certificate2 requiredposition: 0
Certificate instance to inspect.
cancellationToken System.Threading.CancellationToken = null optionalposition: 1
Token used to cancel the operation.
public async Task AnalyzeUrl(String url, Int32 port, InternalLogger logger, CancellationToken cancellationToken = null) #
Returns: Task

Retrieves the certificate from the specified HTTPS endpoint.

Parameters

url System.String requiredposition: 0
URL to query.
port System.Int32 requiredposition: 1
Port number to use.
logger DomainDetective.InternalLogger requiredposition: 2
Logger instance for diagnostics.
cancellationToken System.Threading.CancellationToken = null optionalposition: 3
Token used to cancel the operation.
public static async Task<CertificateAnalysis> CheckWebsiteCertificate(String url, Int32 port = 443, CancellationToken cancellationToken = null) #
Returns: Task<CertificateAnalysis>

Standalone version to check the website certificate.

Parameters

url System.String requiredposition: 0
The URL. If no scheme is provided, "https://" will be prepended.
port System.Int32 = 443 optionalposition: 1
The port.
cancellationToken System.Threading.CancellationToken = null optionalposition: 2
Cancellation token to stop the operation.

Returns

The populated CertificateAnalysis instance.

public static async Task<IReadOnlyList<CertificateAnalysis>> CheckWebsiteCertificates(IEnumerable<String> urls, Int32 port = 443, CancellationToken cancellationToken = null) #
Returns: Task<IReadOnlyList<CertificateAnalysis>>

Checks certificates for multiple URLs concurrently.

Parameters

urls System.Collections.Generic.IEnumerable{System.String} requiredposition: 0
The URLs. If no scheme is provided, "https://" will be prepended.
port System.Int32 = 443 optionalposition: 1
The port.
cancellationToken System.Threading.CancellationToken = null optionalposition: 2
Cancellation token to stop the operation.

Returns

List of populated CertificateAnalysis instances.

ParseOcspResponse(System.Byte[] response) #

Parses an OCSP response and returns the revocation status.

Parameters

response System.Byte[] required
OCSP response bytes.

Returns

true if revoked, false if valid, null if inconclusive.

Properties

public String Subject { get; set; } #

Gets or sets the subject value.

public String Url { get; set; } #

Gets or sets the URL that was checked.

public Boolean IsValid { get; set; } #

Gets or sets a value indicating whether the certificate chain is valid.

public Boolean IsReachable { get; set; } #

Gets or sets a value indicating whether the endpoint was reachable.

public String FailureReason { get; set; } #

Gets the best-effort failure reason when the endpoint probe does not complete successfully.

public CertificateFailureKind FailureKind { get; set; } #

Gets the normalized failure kind when the endpoint probe does not complete successfully.

public Boolean HostnameMatch { get; set; } #

Gets whether the certificate matches the requested host.

public Int32 DaysToExpire { get; set; } #

Gets or sets the number of days until expiry.

public Int32 DaysValid { get; set; } #

Gets the total validity period in days.

public Boolean IsExpired { get; set; } #

Gets a value indicating whether the certificate has expired.

public Version ProtocolVersion { get; set; } #

Gets the negotiated HTTP protocol version.

public Boolean Http2Supported { get; set; } #

Gets a value indicating HTTP/2 support.

public Boolean Http3Supported { get; set; } #

Gets a value indicating HTTP/3 support.

public X509Certificate2 Certificate { get; set; } #

Gets the leaf certificate.

public List<X509Certificate2> Chain { get; } #

Gets the certificate chain.

public String ChainSource { get; set; } #

Most recent source used to populate Chain.

public List<String> ChainSourceHistory { get; } #

Ordered unique list of chain acquisition sources observed during analysis.

public List<String> OcspUrls { get; } #

Gets OCSP endpoints from the certificate.

public List<String> CrlUrls { get; } #

Gets CRL endpoints from the certificate.

public Nullable<Boolean> OcspRevoked { get; set; } #

Gets a value indicating whether the certificate is revoked according to OCSP.

public Nullable<Boolean> CrlRevoked { get; set; } #

Gets a value indicating whether the certificate is revoked according to CRL.

public TimeSpan Timeout { get; set; } #

Gets or sets the HTTP request timeout.

public List<String> SubjectAlternativeNames { get; } #

Gets DNS names listed in the certificate subject alternative name extension.

public Dictionary<String, List<String>> WildcardSubdomains { get; } #

Gets wildcard entries with matching subdomains.

public Boolean IsWildcardCertificate { get; set; } #

Gets a value indicating whether the certificate contains wildcard names.

public Boolean SecuresUnrelatedHosts { get; set; } #

Gets a value indicating the certificate secures multiple unrelated hosts.

public Boolean IsSelfSigned { get; set; } #

Gets a value indicating whether the certificate is self-signed.

public String KeyAlgorithm { get; set; } #

Gets the public key algorithm.

public Int32 KeySize { get; set; } #

Gets the key size in bits.

public Boolean WeakKey { get; set; } #

Indicates if the certificate uses a key under 2048 bits.

public Boolean Sha1Signature { get; set; } #

Indicates if the certificate is signed with SHA-1.

public Boolean RsaPssSignature { get; set; } #

Indicates if the certificate uses RSA-PSS for its signature.

public Boolean HasEnhancedKeyUsageExtension { get; set; } #

Indicates if the certificate contains an EKU extension.

public Boolean HasAnyExtendedKeyUsageOid { get; set; } #

Indicates if the certificate contains the Any EKU OID value.

public Boolean HasAnyExtendedKeyUsage { get; set; } #
Obsolete("Use HasAnyExtendedKeyUsageOid.") EditorBrowsable(1)

Represents the has any extended key usage value.

public Boolean AllowsServerAuthentication { get; set; } #

Indicates if the certificate allows server authentication.

public Boolean AllowsClientAuthentication { get; set; } #

Indicates if the certificate allows client authentication.

public Boolean AllowsSecureEmail { get; set; } #

Indicates if the certificate allows secure email usage.

public List<String> ExtendedKeyUsageOids { get; } #

List of EKU OIDs on the certificate.

public List<String> ExtendedKeyUsageFriendlyNames { get; } #

List of EKU friendly names for the certificate.

public String AuthenticationProfile { get; set; } #

Normalized EKU authentication profile for filtering/reporting.

public SslProtocols TlsProtocol { get; set; } #

Gets the negotiated TLS protocol when CaptureTlsDetails is true.

public Boolean Tls13Used { get; set; } #

Indicates if TLS 1.3 was negotiated.

public String CipherAlgorithm { get; set; } #

Gets the negotiated cipher algorithm.

public Int32 CipherStrength { get; set; } #

Gets the cipher strength.

public String CipherSuite { get; set; } #

Gets the negotiated cipher suite name.

public Int32 DhKeyBits { get; set; } #

Gets the Diffie-Hellman key size, if used.

public Boolean CaptureTlsDetails { get; set; } #

Enable gathering TLS protocol and cipher information.

public Boolean CaptureExtendedMetadata { get; set; } #

Enable slower extended HTTPS metadata collection such as revocation, stapling, protocol probes, grade, and CT queries.

public Boolean CaptureCtMetadata { get; set; } #

Enable CT lookup even when the rest of extended HTTPS metadata is disabled.

public Boolean PreferTlsHandshakeOnlyProbe { get; set; } #

Prefer a certificate-only TLS handshake instead of a full HTTP request when the caller only needs certificate evidence.

public Boolean SkipRevocation { get; set; } #

Skip certificate revocation checks.

public Boolean PresentInCtLogs { get; set; } #

Gets a value indicating whether the certificate is present in public CT logs.

public IReadOnlyList<JsonElement> CtLogEntries { get; } #

Collection of CT log entries retrieved for the certificate.

public Func<String, Task<String>> CtLogQueryOverride { get; set; } #

Optional override to retrieve CT log data for testing.

public List<String> CtLogApiTemplates { get; } #

CT log API templates. Each entry should contain a {0} placeholder for the SHA-256 fingerprint.

public Boolean EnableCensysCtSource { get; set; } #

Enables Censys certificate discovery source during CT lookups.

public String CensysApiId { get; set; } #

Censys API identifier used when EnableCensysCtSource is true.

public String CensysApiSecret { get; set; } #

Censys API secret used when EnableCensysCtSource is true.

public String CensysCtApiUrlTemplate { get; set; } #

Censys URL template with {0} placeholder for the SHA-256 fingerprint.

public Boolean EnableShodanCtSource { get; set; } #

Enables Shodan certificate discovery source during CT lookups.

public String ShodanApiKey { get; set; } #

Shodan API key used when EnableShodanCtSource is true.

public String ShodanCtApiUrlTemplate { get; set; } #

Shodan URL template with {0} fingerprint and {1} URL-encoded API key placeholders.

public IReadOnlyList<String> CtDiscoverySources { get; } #

Discovery sources queried for certificate evidence in the latest CT lookup.

public IReadOnlyList<String> CtTemplateFormatErrors { get; } #

Template-format errors captured during the latest CT lookup.

public virtual List<Assessment> Assessments { get; } #

Structured assessments captured during certificate checks.

public GradeLevel GradeLevel { get; set; } #

Coarse web TLS grade.

public Boolean LegacyEnabled { get; set; } #

Indicates legacy TLS protocol negotiated.

public Boolean SupportsTls10 { get; set; } #

Indicates if server supports TLS 1.0 during handshake probe.

public Boolean SupportsTls11 { get; set; } #

Indicates if server supports TLS 1.1 during handshake probe.

public Boolean SupportsTls12 { get; set; } #

Indicates if server supports TLS 1.2 during handshake probe.

public Boolean SupportsTls13 { get; set; } #

Indicates if server supports TLS 1.3 during handshake probe.

public Int32 SctCount { get; set; } #

Count of embedded SCTs in the certificate.

public Boolean OcspMustStaple { get; set; } #

Indicates whether the certificate includes TLS Feature (OCSP Must-Staple).

public Nullable<Boolean> OcspStaplingPresent { get; set; } #

Indicates whether the server stapled an OCSP response during handshake (best-effort, via OpenSSL probe).

{{ include "footer" }}