Domain Detective

API Reference

Class

CertificateInventoryCaptureOptions

Namespace DomainDetective
Assembly DomainDetective
Modifiers sealed

Options controlling certificate inventory capture from domain lists and discovered endpoints.

Inheritance

  • Object
  • CertificateInventoryCaptureOptions

Usage

This type appears in these public API surfaces even when no hand-authored example is attached directly to the page.

Constructors

public CertificateInventoryCaptureOptions() #

Methods

public CertificateInventoryCaptureOptions ApplyCtDiscoveryOnlyProfile() #
Returns: CertificateInventoryCaptureOptions

Configures the capture for CT discovery only. This keeps the run focused on discovering names and CT-backed metadata without widening into HTTPS, MX, or mail probing in the same pass.

public CertificateInventoryCaptureOptions ApplyCtEvidenceRefreshProfile() #
Returns: CertificateInventoryCaptureOptions

Configures the capture for exact-host CT evidence refresh. This keeps the run focused on apex or explicit host probes plus CT metadata hydration, without reopening broader CT discovery or MX/mail expansion. CT metadata hydration stays enabled for exact-host seeds and explicit CT metadata targets via passive metadata fallback rather than discovered-host expansion.

Properties

public String CacheDirectory { get; set; } #

Certificate monitor cache directory (inventory snapshots are saved under the inventory subfolder).

public DnsEndpoint DnsEndpoint { get; set; } #

DNS endpoint used for MX discovery.

public Boolean IncludeApexHttps { get; set; } #

When true, probes apex domains over HTTPS.

public Boolean IncludeWwwHttps { get; set; } #

When true, probes www.<domain> over HTTPS.

public Boolean IncludeCtDiscoveredSubdomains { get; set; } #

When true, discovers CT-observed subdomains and probes them over HTTPS.

public Boolean VerifyCtDiscoveredSubdomains { get; set; } #

When true, CT-discovered subdomains are DNS-verified before inclusion.

public Boolean PromoteCtDiscoveredSubdomainsToHttpsProbes { get; set; } #

When true, CT-discovered subdomains are promoted into HTTPS probe targets for the current capture. Disable this for discovery-only lanes that should persist names now and let a later capture decide which discovered hosts are worth probing.

public Int32 MaxCtRowsPerDomain { get; set; } #

Maximum CT rows processed per domain while discovering CT subdomains (0 means no explicit cap override).

public Int32 MaxCtSubdomainsPerDomain { get; set; } #

Maximum CT-discovered subdomains retained per domain (0 means no explicit cap override).

public List<String> CtDiscoveryDomains { get; } #

Optional domain list used only for CT subdomain discovery and CT metadata hydration. When empty, the full normalized input domain list is used.

public List<String> ExactHostSeedCtMetadataSuppressedHosts { get; } #

Optional hosts that should skip passive CT metadata rescue because the caller already has durable CT-backed evidence for them or recently observed empty-result metadata attempts.

public List<String> CtMetadataTargetHosts { get; } #

Optional normalized hosts that should still perform CT fingerprint lookups even when the broader HTTPS metadata profile is running in lightweight mode.

public List<String> ExactPassiveCtMetadataTargetHosts { get; } #

Optional normalized hosts that should remain eligible for exact passive CT metadata rescue. When empty, the broader CtMetadataTargetHosts list is reused.

public List<String> CtMetadataTargetThumbprints { get; } #

Optional normalized certificate thumbprints that should be preferred when passive CT metadata rescue needs provenance for already-identified certificates rather than the newest certificate currently associated with a host.

public Boolean EnableNativeCtLogSubdomainSource { get; set; } #

When true, uses native RFC6962 CT log polling for subdomain discovery.

public Boolean EnableNativeCtSharedIngestion { get; set; } #

When true (default), reuses one native CT ingestion pass across all domains in a capture run.

public Int32 NativeCtSharedMaxRowsTotal { get; set; } #

Maximum total CT rows processed by one shared native ingestion pass (0 means uncapped).

public Int32 NativeCtSharedMaxSubdomainsTotal { get; set; } #

Maximum total CT-discovered subdomains retained by one shared native ingestion pass (0 means uncapped).

public Boolean NativeCtLogOnly { get; set; } #

When true, uses only native CT log polling for subdomain discovery (skips crt.sh/Cert Spotter).

public Boolean EnablePassiveCtFallback { get; set; } #

When true, passive/public CT APIs (for example crt.sh or Cert Spotter) may be used as fallback for CT subdomain discovery.

public Boolean EnablePassiveCtMetadataFallback { get; set; } #

When true, passive/public CT APIs (for example crt.sh or Cert Spotter) may be used to hydrate or rescue missing CT certificate metadata for both exact-host seeds and CT-discovered subdomains, without enabling passive CT discovery fallback more broadly.

public Boolean EnableCrtShPostgreSqlMetadataFallback { get; set; } #

When true, exact-host CT metadata rescue may query the public crt.sh PostgreSQL replica directly before falling back to passive/public CT web APIs. This is intended for thumbprint- and metadata-rescue lanes that need stronger exact-host CT coverage than the rate-limited web endpoints provide.

public String CrtShPostgreSqlConnectionString { get; set; } #

Optional connection string used for direct crt.sh PostgreSQL metadata rescue. When empty and EnableCrtShPostgreSqlMetadataFallback is enabled, the capture uses the public guest endpoint (`crt.sh:5432/certwatch`) with TLS enabled.

public Int32 CrtShPostgreSqlCommandTimeoutSeconds { get; set; } #

Command timeout in seconds for direct crt.sh PostgreSQL metadata rescue.

public Int32 CrtShPostgreSqlMaximumConcurrentRequests { get; set; } #

Maximum number of concurrent exact-host crt.sh PostgreSQL metadata rescue queries. Keep this conservative for the public guest replica to avoid exhausting shared connection budgets during large capture runs.

public TimeSpan PassiveCtRequestTimeout { get; set; } #

Per-request timeout for passive/public CT HTTP calls.

public Int32 PassiveCtRetryCount { get; set; } #

Maximum retry count for transient passive/public CT HTTP failures.

public TimeSpan PassiveCtRetryBaseDelay { get; set; } #

Base delay between passive/public CT retry attempts.

public TimeSpan PassiveCtRetryMaxDelay { get; set; } #

Maximum delay between passive/public CT retry attempts.

public TimeSpan PassiveCtSourceCooldown { get; set; } #

Cooldown applied to passive/public CT sources after transient failures or rate limits.

public TimeSpan PassiveCtCrtShMinimumSpacing { get; set; } #

Minimum spacing between public crt.sh requests when passive/public CT fallback is active. This helps exact-host rescue and fallback discovery stay within respectful shared-source pacing.

public TimeSpan PassiveCtCertSpotterMinimumSpacing { get; set; } #

Minimum spacing between Cert Spotter requests when passive/public CT fallback is active. This is anti-burst pacing only; the main safety rail is the run-local request budget below.

public Int32 PassiveCtCrtShMaximumRequestsPerRun { get; set; } #

Maximum number of public crt.sh exact-host metadata requests issued during a single passive CT run. Zero means uncapped.

public Int32 PassiveCtCertSpotterMaximumRequestsPerRun { get; set; } #

Maximum number of Cert Spotter exact-host metadata requests issued during a single passive CT run. Zero means uncapped. The default stays conservative for unauthenticated public-plan access.

public Int32 PassiveCtParallelism { get; set; } #

Maximum number of concurrent passive/public CT network queries issued at once. This is intentionally separate from DiscoveryParallelism so DNS/native CT work can remain wide while rate-limited passive CT providers are queried more gently.

public String NativeCtLogListUrl { get; set; } #

Native CT log list URL used to resolve trusted CT logs.

public List<String> NativeCtLogUrls { get; } #

Optional explicit CT log URLs for native subdomain discovery.

public List<String> NativeCtPreferredLogUrlPrefixes { get; } #

Optional native CT log URL prefixes that should be preferred ahead of other eligible logs.

public List<String> NativeCtExcludedLogUrlPrefixes { get; } #

Optional native CT log URL prefixes that should be excluded from discovery.

public Int32 NativeCtMaxLogs { get; set; } #

Maximum CT logs processed per domain during native subdomain discovery (0 means all).

public Int32 NativeCtMaxEntriesPerLog { get; set; } #

Maximum CT entries processed per log during native subdomain discovery (0 means uncapped).

public Int32 NativeCtEntryBatchSize { get; set; } #

Maximum get-entries batch size for native CT polling.

public Int32 NativeCtInitialBackfillEntriesPerLog { get; set; } #

Initial per-log backfill when native CT cursor is missing (0 starts at current tree head).

public String NativeCtCursorStatePath { get; set; } #

Optional native CT cursor state file path. Defaults to inventory/ct-native-cursor.json in CacheDirectory.

public Boolean NativeCtIncludePendingLogs { get; set; } #

When true, includes pending CT logs from log list in native subdomain discovery.

public Boolean NativeCtIncludeRetiredLogs { get; set; } #

When true, includes retired CT logs in native subdomain discovery to recover older certificate history.

public TimeSpan NativeCtRequestDelay { get; set; } #

Optional delay between native CT HTTP requests.

public TimeSpan NativeCtRequestTimeout { get; set; } #

Per-request timeout for native CT HTTP calls.

public Int32 NativeCtRetryCount { get; set; } #

Maximum retry count for transient native CT HTTP failures.

public TimeSpan NativeCtRetryBaseDelay { get; set; } #

Base delay between native CT retry attempts.

public TimeSpan NativeCtRetryMaxDelay { get; set; } #

Maximum delay between native CT retry attempts.

public Int32 NativeCtCircuitBreakerFailureThreshold { get; set; } #

Consecutive native CT failures required before opening circuit breaker for a log.

public TimeSpan NativeCtCircuitBreakerDuration { get; set; } #

Base native CT circuit-breaker duration per log after repeated failures.

public Boolean NativeCtEnableCatchUpMode { get; set; } #

When true, native CT polling automatically expands caps when cursor lag is large.

public Int32 NativeCtCatchUpLagThreshold { get; set; } #

Cursor lag threshold at/above which native CT catch-up mode is activated.

public Int32 NativeCtCatchUpMaxEntriesPerLog { get; set; } #

Maximum CT entries processed per log while native CT catch-up mode is active.

public Int32 NativeCtCatchUpBatchSize { get; set; } #

Maximum get-entries batch size used while native CT catch-up mode is active.

public Boolean BackfillMissingCtCertificateMetadata { get; set; } #

When true, performs CT metadata backfill for CT-discovered subdomains that are missing certificate metadata (subject/issuer/serial/notBefore/notAfter). When EnablePassiveCtMetadataFallback is enabled, passive/public CT APIs may be used for CT metadata hydration even if EnablePassiveCtFallback remains disabled.

public Boolean IncludeMxHosts { get; set; } #

When true, discovers MX hosts from DNS.

public Boolean IncludeMxHttps { get; set; } #

When true, also probes discovered MX hosts over HTTPS.

public Boolean IncludeSmtpStartTls { get; set; } #

When true, probes discovered MX hosts for SMTP STARTTLS on SmtpPort.

public Boolean IncludeSubmissionStartTls { get; set; } #

When true, probes discovered MX hosts for SMTP STARTTLS on SubmissionPort.

public Boolean IncludeImapTls { get; set; } #

When true, probes discovered MX hosts for IMAP TLS on ImapPort.

public Boolean IncludePop3Tls { get; set; } #

When true, probes discovered MX hosts for POP3 TLS on Pop3Port.

public Int32 HttpsPort { get; set; } #

Default HTTPS port for host-only targets.

public Int32 SmtpPort { get; set; } #

SMTP STARTTLS port.

public Int32 SubmissionPort { get; set; } #

SMTP submission STARTTLS port.

public Int32 ImapPort { get; set; } #

IMAP TLS port.

public Int32 Pop3Port { get; set; } #

POP3 TLS port.

public Int32 MaxMxHostsPerDomain { get; set; } #

Maximum MX hosts retained per domain (0 means unlimited).

public Int32 MaxParallelism { get; set; } #

Maximum number of concurrent probe operations.

public Int32 DiscoveryParallelism { get; set; } #

Maximum number of concurrent domain discovery operations.

public TimeSpan MailTimeout { get; set; } #

Timeout applied to mail TLS probes.

public TimeSpan HttpsTimeout { get; set; } #

Timeout applied to HTTPS certificate probes.

public Boolean CaptureExtendedHttpsMetadata { get; set; } #

When true, HTTPS probes also collect extended revocation, protocol, stapling, grade, and CT metadata.

public Boolean PreferTlsHandshakeOnlyProbe { get; set; } #

When true, HTTPS probes may use a certificate-only TLS handshake instead of a full HTTP request. This is intended for high-throughput monitoring lanes that only need certificate evidence.

public Int32 MaxTargets { get; set; } #

Maximum total probe targets (HTTPS + mail) kept after discovery; 0 means unlimited.

public Int32 MaxProbeStartsPerSecond { get; set; } #

Maximum number of probe starts per second; 0 means unlimited.

public Boolean ReuseRecentSnapshotEntries { get; set; } #

When true, reuses recent persisted snapshot endpoint results to avoid re-probing unchanged endpoints.

public TimeSpan RecentSnapshotTtl { get; set; } #

Maximum age of persisted snapshots considered for endpoint reuse.

public Boolean ReuseRecentFailureSnapshotEntries { get; set; } #

When true, reuses recent persisted snapshot entries for stable failure outcomes so hot verification lanes do not immediately re-probe the same dead or timeout-heavy endpoint on every pass.

public TimeSpan RecentFailureSnapshotTtl { get; set; } #

Maximum age of persisted failure snapshots considered for stable-failure reuse.

public Int32 ReprobeExpiringWithinDays { get; set; } #

Do not reuse cached endpoint results when certificate expires within this many days.

public Boolean SkipRevocation { get; set; } #

When true, skips revocation checks for HTTPS certificate analysis.

public CertificateCtEnrichmentProfile CtProfile { get; set; } #

Baseline CT enrichment profile for HTTPS probes.

public Boolean IncludeDefaultCtTemplate { get; set; } #

When true, keeps the default crt.sh API template for certificate-fingerprint CT enrichment. The template is only used when EnablePassiveCtFallback is also enabled.

public List<String> CtApiTemplates { get; } #

Additional CT API templates to query. Templates should include a {0} fingerprint placeholder.

public Boolean EnableCensysCtSource { get; set; } #

When true, enables Censys CT source integration.

public String CensysApiId { get; set; } #

Censys API identifier.

public String CensysApiSecret { get; set; } #

Censys API secret.

public String CensysCtApiUrlTemplate { get; set; } #

Censys CT API URL template. Should contain a {0} fingerprint placeholder.

public Boolean EnableShodanCtSource { get; set; } #

When true, enables Shodan CT source integration.

public String ShodanApiKey { get; set; } #

Shodan API key.

public String ShodanCtApiUrlTemplate { get; set; } #

Shodan CT API URL template. Should contain {0} fingerprint and {1} API key placeholders.

public Boolean PersistSnapshot { get; set; } #

When true, persists a snapshot to inventory storage.

public List<String> AdditionalEndpoints { get; } #

Additional endpoints to probe. Supported forms: - https://host[:port], http://host[:port] - smtp://host[:port], submission://host[:port], imap://host[:port], pop3://host[:port], imaps://host[:port], pop3s://host[:port] - host or host:port (treated as HTTPS).

{{ include "footer" }}