API Reference
CertificateInventoryCaptureOptions
Options controlling certificate inventory capture from domain lists and discovered endpoints.
Inheritance
- Object
- CertificateInventoryCaptureOptions
Usage
This type appears in these public API surfaces even when no hand-authored example is attached directly to the page.
Returned or exposed by
Accepted by parameters
- Method CertificateInventoryCapture.CaptureAsync
- Method CtProviderProfiles.CreateCertSpotter
- Method CtProviderProfiles.CreateCrtShHttp
- Method CtProviderProfiles.CreateCrtShPostgreSql
- Method CtProviderProfiles.CreateFromCertificateInventoryOptions
- Method CtProviderProfiles.CreateNativeCtLogs
- Method DomainDetectiveOptionalFeatures.RegisterCtSqlExactMetadataProvider
Constructors
public CertificateInventoryCaptureOptions() #Methods
public CertificateInventoryCaptureOptions ApplyCtDiscoveryOnlyProfile() #CertificateInventoryCaptureOptionsConfigures the capture for CT discovery only. This keeps the run focused on discovering names and CT-backed metadata without widening into HTTPS, MX, or mail probing in the same pass.
public CertificateInventoryCaptureOptions ApplyCtEvidenceRefreshProfile() #CertificateInventoryCaptureOptionsConfigures the capture for exact-host CT evidence refresh. This keeps the run focused on apex or explicit host probes plus CT metadata hydration, without reopening broader CT discovery or MX/mail expansion. CT metadata hydration stays enabled for exact-host seeds and explicit CT metadata targets via passive metadata fallback rather than discovered-host expansion.
Inherited Methods
public override Boolean Equals(Object obj) #BooleanParameters
- obj Object
Properties
public String CacheDirectory { get; set; } #Certificate monitor cache directory (inventory snapshots are saved under the inventory subfolder).
public DnsEndpoint DnsEndpoint { get; set; } #DNS endpoint used for MX discovery.
public Boolean IncludeApexHttps { get; set; } #When true, probes apex domains over HTTPS.
public Boolean IncludeWwwHttps { get; set; } #When true, probes www.<domain> over HTTPS.
public Boolean IncludeCtDiscoveredSubdomains { get; set; } #When true, discovers CT-observed subdomains and probes them over HTTPS.
public Boolean VerifyCtDiscoveredSubdomains { get; set; } #When true, CT-discovered subdomains are DNS-verified before inclusion.
public Boolean PromoteCtDiscoveredSubdomainsToHttpsProbes { get; set; } #When true, CT-discovered subdomains are promoted into HTTPS probe targets for the current capture. Disable this for discovery-only lanes that should persist names now and let a later capture decide which discovered hosts are worth probing.
public Int32 MaxCtRowsPerDomain { get; set; } #Maximum CT rows processed per domain while discovering CT subdomains (0 means no explicit cap override).
public Int32 MaxCtSubdomainsPerDomain { get; set; } #Maximum CT-discovered subdomains retained per domain (0 means no explicit cap override).
public List<String> CtDiscoveryDomains { get; } #Optional domain list used only for CT subdomain discovery and CT metadata hydration. When empty, the full normalized input domain list is used.
public List<String> ExactHostSeedCtMetadataSuppressedHosts { get; } #Optional hosts that should skip passive CT metadata rescue because the caller already has durable CT-backed evidence for them or recently observed empty-result metadata attempts.
public List<String> CtMetadataTargetHosts { get; } #Optional normalized hosts that should still perform CT fingerprint lookups even when the broader HTTPS metadata profile is running in lightweight mode.
public List<String> ExactPassiveCtMetadataTargetHosts { get; } #Optional normalized hosts that should remain eligible for exact passive CT metadata rescue. When empty, the broader CtMetadataTargetHosts list is reused.
public List<String> CtMetadataTargetThumbprints { get; } #Optional normalized certificate thumbprints that should be preferred when passive CT metadata rescue needs provenance for already-identified certificates rather than the newest certificate currently associated with a host.
public Boolean EnableNativeCtLogSubdomainSource { get; set; } #When true, uses native RFC6962 CT log polling for subdomain discovery.
public Boolean NativeCtLogOnly { get; set; } #When true, uses only native CT log polling for subdomain discovery (skips crt.sh/Cert Spotter).
public Boolean EnablePassiveCtFallback { get; set; } #When true, passive/public CT APIs (for example crt.sh or Cert Spotter) may be used as fallback for CT subdomain discovery.
public Boolean EnablePassiveCtMetadataFallback { get; set; } #When true, passive/public CT APIs (for example crt.sh or Cert Spotter) may be used to hydrate or rescue missing CT certificate metadata for both exact-host seeds and CT-discovered subdomains, without enabling passive CT discovery fallback more broadly.
public Boolean EnableCrtShPostgreSqlMetadataFallback { get; set; } #When true, exact-host CT metadata rescue may query the public crt.sh PostgreSQL replica directly before falling back to passive/public CT web APIs. This is intended for thumbprint- and metadata-rescue lanes that need stronger exact-host CT coverage than the rate-limited web endpoints provide.
public String CrtShPostgreSqlConnectionString { get; set; } #Optional connection string used for direct crt.sh PostgreSQL metadata rescue. When empty and EnableCrtShPostgreSqlMetadataFallback is enabled, the capture uses the public guest endpoint (`crt.sh:5432/certwatch`) with TLS enabled.
public Int32 CrtShPostgreSqlCommandTimeoutSeconds { get; set; } #Command timeout in seconds for direct crt.sh PostgreSQL metadata rescue.
public Int32 CrtShPostgreSqlMaximumConcurrentRequests { get; set; } #Maximum number of concurrent exact-host crt.sh PostgreSQL metadata rescue queries. Keep this conservative for the public guest replica to avoid exhausting shared connection budgets during large capture runs.
public TimeSpan PassiveCtRequestTimeout { get; set; } #Per-request timeout for passive/public CT HTTP calls.
public Int32 PassiveCtRetryCount { get; set; } #Maximum retry count for transient passive/public CT HTTP failures.
public TimeSpan PassiveCtRetryBaseDelay { get; set; } #Base delay between passive/public CT retry attempts.
public TimeSpan PassiveCtRetryMaxDelay { get; set; } #Maximum delay between passive/public CT retry attempts.
public TimeSpan PassiveCtSourceCooldown { get; set; } #Cooldown applied to passive/public CT sources after transient failures or rate limits.
public TimeSpan PassiveCtCrtShMinimumSpacing { get; set; } #Minimum spacing between public crt.sh requests when passive/public CT fallback is active. This helps exact-host rescue and fallback discovery stay within respectful shared-source pacing.
public TimeSpan PassiveCtCertSpotterMinimumSpacing { get; set; } #Minimum spacing between Cert Spotter requests when passive/public CT fallback is active. This is anti-burst pacing only; the main safety rail is the run-local request budget below.
public Int32 PassiveCtCrtShMaximumRequestsPerRun { get; set; } #Maximum number of public crt.sh exact-host metadata requests issued during a single passive CT run. Zero means uncapped.
public Int32 PassiveCtCertSpotterMaximumRequestsPerRun { get; set; } #Maximum number of Cert Spotter exact-host metadata requests issued during a single passive CT run. Zero means uncapped. The default stays conservative for unauthenticated public-plan access.
public Int32 PassiveCtParallelism { get; set; } #Maximum number of concurrent passive/public CT network queries issued at once. This is intentionally separate from DiscoveryParallelism so DNS/native CT work can remain wide while rate-limited passive CT providers are queried more gently.
public String NativeCtLogListUrl { get; set; } #Native CT log list URL used to resolve trusted CT logs.
public List<String> NativeCtLogUrls { get; } #Optional explicit CT log URLs for native subdomain discovery.
public List<String> NativeCtPreferredLogUrlPrefixes { get; } #Optional native CT log URL prefixes that should be preferred ahead of other eligible logs.
public List<String> NativeCtExcludedLogUrlPrefixes { get; } #Optional native CT log URL prefixes that should be excluded from discovery.
public Int32 NativeCtMaxLogs { get; set; } #Maximum CT logs processed per domain during native subdomain discovery (0 means all).
public Int32 NativeCtMaxEntriesPerLog { get; set; } #Maximum CT entries processed per log during native subdomain discovery (0 means uncapped).
public Int32 NativeCtEntryBatchSize { get; set; } #Maximum get-entries batch size for native CT polling.
public Int32 NativeCtInitialBackfillEntriesPerLog { get; set; } #Initial per-log backfill when native CT cursor is missing (0 starts at current tree head).
public String NativeCtCursorStatePath { get; set; } #Optional native CT cursor state file path. Defaults to inventory/ct-native-cursor.json in CacheDirectory.
public Boolean NativeCtIncludePendingLogs { get; set; } #When true, includes pending CT logs from log list in native subdomain discovery.
public Boolean NativeCtIncludeRetiredLogs { get; set; } #When true, includes retired CT logs in native subdomain discovery to recover older certificate history.
public TimeSpan NativeCtRequestDelay { get; set; } #Optional delay between native CT HTTP requests.
public TimeSpan NativeCtRequestTimeout { get; set; } #Per-request timeout for native CT HTTP calls.
public Int32 NativeCtRetryCount { get; set; } #Maximum retry count for transient native CT HTTP failures.
public TimeSpan NativeCtRetryBaseDelay { get; set; } #Base delay between native CT retry attempts.
public TimeSpan NativeCtRetryMaxDelay { get; set; } #Maximum delay between native CT retry attempts.
public Int32 NativeCtCircuitBreakerFailureThreshold { get; set; } #Consecutive native CT failures required before opening circuit breaker for a log.
public TimeSpan NativeCtCircuitBreakerDuration { get; set; } #Base native CT circuit-breaker duration per log after repeated failures.
public Boolean NativeCtEnableCatchUpMode { get; set; } #When true, native CT polling automatically expands caps when cursor lag is large.
public Int32 NativeCtCatchUpLagThreshold { get; set; } #Cursor lag threshold at/above which native CT catch-up mode is activated.
public Int32 NativeCtCatchUpMaxEntriesPerLog { get; set; } #Maximum CT entries processed per log while native CT catch-up mode is active.
public Int32 NativeCtCatchUpBatchSize { get; set; } #Maximum get-entries batch size used while native CT catch-up mode is active.
public Boolean BackfillMissingCtCertificateMetadata { get; set; } #When true, performs CT metadata backfill for CT-discovered subdomains that are missing certificate metadata (subject/issuer/serial/notBefore/notAfter). When EnablePassiveCtMetadataFallback is enabled, passive/public CT APIs may be used for CT metadata hydration even if EnablePassiveCtFallback remains disabled.
public Boolean IncludeMxHosts { get; set; } #When true, discovers MX hosts from DNS.
public Boolean IncludeMxHttps { get; set; } #When true, also probes discovered MX hosts over HTTPS.
public Boolean IncludeSmtpStartTls { get; set; } #When true, probes discovered MX hosts for SMTP STARTTLS on SmtpPort.
public Boolean IncludeSubmissionStartTls { get; set; } #When true, probes discovered MX hosts for SMTP STARTTLS on SubmissionPort.
public Boolean IncludeImapTls { get; set; } #When true, probes discovered MX hosts for IMAP TLS on ImapPort.
public Boolean IncludePop3Tls { get; set; } #When true, probes discovered MX hosts for POP3 TLS on Pop3Port.
public Int32 HttpsPort { get; set; } #Default HTTPS port for host-only targets.
public Int32 SmtpPort { get; set; } #SMTP STARTTLS port.
public Int32 SubmissionPort { get; set; } #SMTP submission STARTTLS port.
public Int32 ImapPort { get; set; } #IMAP TLS port.
public Int32 Pop3Port { get; set; } #POP3 TLS port.
public Int32 MaxMxHostsPerDomain { get; set; } #Maximum MX hosts retained per domain (0 means unlimited).
public Int32 MaxParallelism { get; set; } #Maximum number of concurrent probe operations.
public Int32 DiscoveryParallelism { get; set; } #Maximum number of concurrent domain discovery operations.
public TimeSpan MailTimeout { get; set; } #Timeout applied to mail TLS probes.
public TimeSpan HttpsTimeout { get; set; } #Timeout applied to HTTPS certificate probes.
public Boolean CaptureExtendedHttpsMetadata { get; set; } #When true, HTTPS probes also collect extended revocation, protocol, stapling, grade, and CT metadata.
public Boolean PreferTlsHandshakeOnlyProbe { get; set; } #When true, HTTPS probes may use a certificate-only TLS handshake instead of a full HTTP request. This is intended for high-throughput monitoring lanes that only need certificate evidence.
public Int32 MaxTargets { get; set; } #Maximum total probe targets (HTTPS + mail) kept after discovery; 0 means unlimited.
public Int32 MaxProbeStartsPerSecond { get; set; } #Maximum number of probe starts per second; 0 means unlimited.
public Boolean ReuseRecentSnapshotEntries { get; set; } #When true, reuses recent persisted snapshot endpoint results to avoid re-probing unchanged endpoints.
public TimeSpan RecentSnapshotTtl { get; set; } #Maximum age of persisted snapshots considered for endpoint reuse.
public Boolean ReuseRecentFailureSnapshotEntries { get; set; } #When true, reuses recent persisted snapshot entries for stable failure outcomes so hot verification lanes do not immediately re-probe the same dead or timeout-heavy endpoint on every pass.
public TimeSpan RecentFailureSnapshotTtl { get; set; } #Maximum age of persisted failure snapshots considered for stable-failure reuse.
public Int32 ReprobeExpiringWithinDays { get; set; } #Do not reuse cached endpoint results when certificate expires within this many days.
public Boolean SkipRevocation { get; set; } #When true, skips revocation checks for HTTPS certificate analysis.
public CertificateCtEnrichmentProfile CtProfile { get; set; } #Baseline CT enrichment profile for HTTPS probes.
public Boolean IncludeDefaultCtTemplate { get; set; } #When true, keeps the default crt.sh API template for certificate-fingerprint CT enrichment. The template is only used when EnablePassiveCtFallback is also enabled.
public List<String> CtApiTemplates { get; } #Additional CT API templates to query. Templates should include a {0} fingerprint placeholder.
public Boolean EnableCensysCtSource { get; set; } #When true, enables Censys CT source integration.
public String CensysApiId { get; set; } #Censys API identifier.
public String CensysApiSecret { get; set; } #Censys API secret.
public String CensysCtApiUrlTemplate { get; set; } #Censys CT API URL template. Should contain a {0} fingerprint placeholder.
public Boolean EnableShodanCtSource { get; set; } #When true, enables Shodan CT source integration.
public String ShodanApiKey { get; set; } #Shodan API key.
public String ShodanCtApiUrlTemplate { get; set; } #Shodan CT API URL template. Should contain {0} fingerprint and {1} API key placeholders.
public Boolean PersistSnapshot { get; set; } #When true, persists a snapshot to inventory storage.
public List<String> AdditionalEndpoints { get; } #Additional endpoints to probe. Supported forms: - https://host[:port], http://host[:port] - smtp://host[:port], submission://host[:port], imap://host[:port], pop3://host[:port], imaps://host[:port], pop3s://host[:port] - host or host:port (treated as HTTPS).