API Reference
CertificateAnalysis
Represents certificate validation results for an HTTP endpoint.
Inheritance
- Object
- CertificateAnalysis
Remarks
Validation includes hostname matching and chain verification using the system trust store.
Usage
This type appears in these public API surfaces even when no hand-authored example is attached directly to the page.
Returned or exposed by
- Method CertificateAnalysis.CheckWebsiteCertificate
- Method CertificateAnalysis.CheckWebsiteCertificates
- Property Entry.Analysis
- Property DomainHealthCheck.CertificateAnalysis
- Property CertificateInfo.Raw
Accepted by parameters
- Method CertificateHttpNarrative.Build
- Method Converters.Convert
Constructors
public CertificateAnalysis() #Methods
public async Task AnalyzeCertificate(X509Certificate2 certificate, CancellationToken cancellationToken = null) #TaskAnalyzes a provided certificate without performing any network operations.
Parameters
- certificate System.Security.Cryptography.X509Certificates.X509Certificate2
- Certificate instance to inspect.
- cancellationToken System.Threading.CancellationToken = null
- Token used to cancel the operation.
public async Task AnalyzeUrl(String url, Int32 port, InternalLogger logger, CancellationToken cancellationToken = null) #TaskRetrieves the certificate from the specified HTTPS endpoint.
Parameters
- url System.String
- URL to query.
- port System.Int32
- Port number to use.
- logger DomainDetective.InternalLogger
- Logger instance for diagnostics.
- cancellationToken System.Threading.CancellationToken = null
- Token used to cancel the operation.
public static async Task<CertificateAnalysis> CheckWebsiteCertificate(String url, Int32 port = 443, CancellationToken cancellationToken = null) #Task<CertificateAnalysis>Standalone version to check the website certificate.
Parameters
- url System.String
- The URL. If no scheme is provided, "https://" will be prepended.
- port System.Int32 = 443
- The port.
- cancellationToken System.Threading.CancellationToken = null
- Cancellation token to stop the operation.
Returns
The populated CertificateAnalysis instance.
public static async Task<IReadOnlyList<CertificateAnalysis>> CheckWebsiteCertificates(IEnumerable<String> urls, Int32 port = 443, CancellationToken cancellationToken = null) #Task<IReadOnlyList<CertificateAnalysis>>Checks certificates for multiple URLs concurrently.
Parameters
- urls System.Collections.Generic.IEnumerable{System.String}
- The URLs. If no scheme is provided, "https://" will be prepended.
- port System.Int32 = 443
- The port.
- cancellationToken System.Threading.CancellationToken = null
- Cancellation token to stop the operation.
Returns
List of populated CertificateAnalysis instances.
ParseOcspResponse(System.Byte[] response) #Parses an OCSP response and returns the revocation status.
Parameters
- response System.Byte[]
- OCSP response bytes.
Returns
true if revoked, false if valid, null if inconclusive.
Inherited Methods
public override Boolean Equals(Object obj) #BooleanParameters
- obj Object
Properties
public String Subject { get; set; } #Gets or sets the subject value.
public String Url { get; set; } #Gets or sets the URL that was checked.
public Boolean IsValid { get; set; } #Gets or sets a value indicating whether the certificate chain is valid.
public Boolean IsReachable { get; set; } #Gets or sets a value indicating whether the endpoint was reachable.
public String FailureReason { get; set; } #Gets the best-effort failure reason when the endpoint probe does not complete successfully.
public CertificateFailureKind FailureKind { get; set; } #Gets the normalized failure kind when the endpoint probe does not complete successfully.
public Boolean HostnameMatch { get; set; } #Gets whether the certificate matches the requested host.
public Int32 DaysToExpire { get; set; } #Gets or sets the number of days until expiry.
public Int32 DaysValid { get; set; } #Gets the total validity period in days.
public Boolean IsExpired { get; set; } #Gets a value indicating whether the certificate has expired.
public Version ProtocolVersion { get; set; } #Gets the negotiated HTTP protocol version.
public Boolean Http2Supported { get; set; } #Gets a value indicating HTTP/2 support.
public Boolean Http3Supported { get; set; } #Gets a value indicating HTTP/3 support.
public X509Certificate2 Certificate { get; set; } #Gets the leaf certificate.
public List<X509Certificate2> Chain { get; } #Gets the certificate chain.
public String ChainSource { get; set; } #Most recent source used to populate Chain.
public List<String> ChainSourceHistory { get; } #Ordered unique list of chain acquisition sources observed during analysis.
public List<String> OcspUrls { get; } #Gets OCSP endpoints from the certificate.
public List<String> CrlUrls { get; } #Gets CRL endpoints from the certificate.
public Nullable<Boolean> OcspRevoked { get; set; } #Gets a value indicating whether the certificate is revoked according to OCSP.
public Nullable<Boolean> CrlRevoked { get; set; } #Gets a value indicating whether the certificate is revoked according to CRL.
public TimeSpan Timeout { get; set; } #Gets or sets the HTTP request timeout.
public List<String> SubjectAlternativeNames { get; } #Gets DNS names listed in the certificate subject alternative name extension.
public Dictionary<String, List<String>> WildcardSubdomains { get; } #Gets wildcard entries with matching subdomains.
public Boolean IsWildcardCertificate { get; set; } #Gets a value indicating whether the certificate contains wildcard names.
public Boolean IsSelfSigned { get; set; } #Gets a value indicating whether the certificate is self-signed.
public String KeyAlgorithm { get; set; } #Gets the public key algorithm.
public Int32 KeySize { get; set; } #Gets the key size in bits.
public Boolean WeakKey { get; set; } #Indicates if the certificate uses a key under 2048 bits.
public Boolean Sha1Signature { get; set; } #Indicates if the certificate is signed with SHA-1.
public Boolean RsaPssSignature { get; set; } #Indicates if the certificate uses RSA-PSS for its signature.
public Boolean HasEnhancedKeyUsageExtension { get; set; } #Indicates if the certificate contains an EKU extension.
public Boolean HasAnyExtendedKeyUsageOid { get; set; } #Indicates if the certificate contains the Any EKU OID value.
public Boolean HasAnyExtendedKeyUsage { get; set; } #Obsolete("Use HasAnyExtendedKeyUsageOid.") EditorBrowsable(1)Represents the has any extended key usage value.
public Boolean AllowsServerAuthentication { get; set; } #Indicates if the certificate allows server authentication.
public Boolean AllowsClientAuthentication { get; set; } #Indicates if the certificate allows client authentication.
public Boolean AllowsSecureEmail { get; set; } #Indicates if the certificate allows secure email usage.
public List<String> ExtendedKeyUsageOids { get; } #List of EKU OIDs on the certificate.
public List<String> ExtendedKeyUsageFriendlyNames { get; } #List of EKU friendly names for the certificate.
public String AuthenticationProfile { get; set; } #Normalized EKU authentication profile for filtering/reporting.
public SslProtocols TlsProtocol { get; set; } #Gets the negotiated TLS protocol when CaptureTlsDetails is true.
public Boolean Tls13Used { get; set; } #Indicates if TLS 1.3 was negotiated.
public String CipherAlgorithm { get; set; } #Gets the negotiated cipher algorithm.
public Int32 CipherStrength { get; set; } #Gets the cipher strength.
public String CipherSuite { get; set; } #Gets the negotiated cipher suite name.
public Int32 DhKeyBits { get; set; } #Gets the Diffie-Hellman key size, if used.
public Boolean CaptureTlsDetails { get; set; } #Enable gathering TLS protocol and cipher information.
public Boolean CaptureExtendedMetadata { get; set; } #Enable slower extended HTTPS metadata collection such as revocation, stapling, protocol probes, grade, and CT queries.
public Boolean CaptureCtMetadata { get; set; } #Enable CT lookup even when the rest of extended HTTPS metadata is disabled.
public Boolean PreferTlsHandshakeOnlyProbe { get; set; } #Prefer a certificate-only TLS handshake instead of a full HTTP request when the caller only needs certificate evidence.
public Boolean SkipRevocation { get; set; } #Skip certificate revocation checks.
public Boolean PresentInCtLogs { get; set; } #Gets a value indicating whether the certificate is present in public CT logs.
public IReadOnlyList<JsonElement> CtLogEntries { get; } #Collection of CT log entries retrieved for the certificate.
public Func<String, Task<String>> CtLogQueryOverride { get; set; } #Optional override to retrieve CT log data for testing.
public List<String> CtLogApiTemplates { get; } #CT log API templates. Each entry should contain a {0} placeholder for the SHA-256 fingerprint.
public Boolean EnableCensysCtSource { get; set; } #Enables Censys certificate discovery source during CT lookups.
public String CensysApiId { get; set; } #Censys API identifier used when EnableCensysCtSource is true.
public String CensysApiSecret { get; set; } #Censys API secret used when EnableCensysCtSource is true.
public String CensysCtApiUrlTemplate { get; set; } #Censys URL template with {0} placeholder for the SHA-256 fingerprint.
public Boolean EnableShodanCtSource { get; set; } #Enables Shodan certificate discovery source during CT lookups.
public String ShodanApiKey { get; set; } #Shodan API key used when EnableShodanCtSource is true.
public String ShodanCtApiUrlTemplate { get; set; } #Shodan URL template with {0} fingerprint and {1} URL-encoded API key placeholders.
public IReadOnlyList<String> CtDiscoverySources { get; } #Discovery sources queried for certificate evidence in the latest CT lookup.
public IReadOnlyList<String> CtTemplateFormatErrors { get; } #Template-format errors captured during the latest CT lookup.
public virtual List<Assessment> Assessments { get; } #Structured assessments captured during certificate checks.
public GradeLevel GradeLevel { get; set; } #Coarse web TLS grade.
public Boolean LegacyEnabled { get; set; } #Indicates legacy TLS protocol negotiated.
public Boolean SupportsTls10 { get; set; } #Indicates if server supports TLS 1.0 during handshake probe.
public Boolean SupportsTls11 { get; set; } #Indicates if server supports TLS 1.1 during handshake probe.
public Boolean SupportsTls12 { get; set; } #Indicates if server supports TLS 1.2 during handshake probe.
public Boolean SupportsTls13 { get; set; } #Indicates if server supports TLS 1.3 during handshake probe.
public Int32 SctCount { get; set; } #Count of embedded SCTs in the certificate.
public Boolean OcspMustStaple { get; set; } #Indicates whether the certificate includes TLS Feature (OCSP Must-Staple).
public Nullable<Boolean> OcspStaplingPresent { get; set; } #Indicates whether the server stapled an OCSP response during handshake (best-effort, via OpenSSL probe).