CertAlert Changelog

[4.0.0] - 2026-01-10

Breaking Changes

• Licensing: Upgraded from alpha-codes to signed XML licence files (.lic).
• Config: Modernised configuration from XML to JSON (legacy .xml removed).
• Engine: Re-engineered for true cross-platform support (Win, Linux, macOS).
• Data Schema: CSV headers standardised from UPPER-CASE to snake_case.

Added

• Discovery: Ad-hoc CLI scans and IP range file support.
• Discovery: Support for IPv6 scanning.
• UI: HTML dashboard report and scan progress indicator.
• Security: NOT_YET_VALID status for future-dated certs.
• Security: Detection flags for deprecated Client Auth EKU.
• Crypto: Support for modern Ed25519 and Ed448 keys.
• Reliability: --retry-slow flag for congested networks.
• Automation: DPAPI encryption for Windows passwords.

Data & Reporting

• New Columns: Added 11 new fields for high-fidelity metadata:
• sha256_fingerprint: Unique certificate fingerprints.
• key_type, key_usage, extended_key_usage: Crypto visibility.
• subject_dn, issuer_dn: Full Distinguished Name strings.
• lifetime_days: Total validity period of the certificate.
• chain_result, chain_error_detail: Trust chain forensics.
• Consolidated Issues: New issues column lists all issues found (e.g., EXPIRING, REVOCATION_UNKNOWN).
• Improved Network Errors: Granular codes (e.g., DNS_FAIL, CLOSED)

Changed

• Speed: Significant scanning speed gains via the new engine.
• Security: Enhanced certificate chain validation logic.
• Automation: Email alerts now use HTML tables for readability.

Fixed

• Reliability: Safety limits for large scans to save memory.

---

v3.5.9241.21736 (20 April 2025)

• TLS version added to CSV report
• Update a third party .NET lib
• Update Tests to use C# 12
• Normalise IPv4-mapped address format in reports
• Fix empty Short Key Certificates table in PDF reports
• Enhance section headers in PDF reports
• Implement EULA display and acceptance prompt
• Upgrade BouncyCastle dependency to latest version
• Refactor license validation with improved testability
• Fix IP Ranges handling and add related unit tests

v3.4.9206.37717 (16 March 2025)

• Add licence expiry date to report email
• Added colour-coded output to improve status visibility
• Minor changes to formatting of Report Emails
• Remove legacy config code
• Add additional pdf report tests

v3.3.8900.18690 (14 May 2024)

• Updated BouncyCastle to latest version
• Upgrade to .NET 8
• Remove redundant CertCentre code
• Remove unused class attribute from Server
• Update a badssl.com test because a cert expired

v3.2.8863.15182 (07 April 2024)

• Update Licence
• Tidy some networking code to make more efficient
• Update test for RSA8192 key

v3.1.8608.18905 (27 July 2023)

• Fix some problems with thread handling
• Release as self-contained deployment
• Upgraded version of BouncyCastle to 1.9
• Change naming convention for released zip
• Remove some superfluous .NET files from release
• Update documentation

v3.0 (12 June 2023)

• Migrated from .NET Framework to .NET 6
• Added many more tests
• Fixed some tests
• Display licence expiration date
• Updates for latest version of CsvReader
• Remove unused licence related code

v2.3 (30 March 2020)

• Support new signature alg. used by Microsoft
• Improve testing
• Updated trial licence key

v2.2.6995 (25 Feb 2019)

• Target .NET 4.6.1 for 1.2 support
• Fixed issues related to connection over TLS 1.1/1.2
• Added information to README about configuring TLS versions
• Added further tests using badssl.com website
• Removed support for CertCentre

v2.1.6484 (2 Oct 2017)

• Include any SslPolicyErrors in Error column
• Move to .NET 4.0 to fix a problem with SNI
• Moved to BC from CBB
• Updated tests for SNI as sni.velox.ch not online
• Added tests that use the test website badssl.com

v2.0.6326 (27 April 2017)

• Add list of certs using sha1WithRSAEncryption Sig. Alg. to the PDF report
• Added better handling for falling back to SSL if TLS fails
• Update so call flush after writing to CSV report
• Added self-signed col to CSV report
• Set threads so no greater than number of endpoints
• Added more locking around thread code to prevent same EndPoint being checked twice
• Display to console the number of connections used

v2.0.5333 (8 August 2014)

• Added support for sending to CertCentre through a proxy
• Now use Ports value with serverlist when no port value
• Fix bug where crash if no report cols in config file

v2.0.5244 (11 May 2014)

• Update to allow results to be sent to CertCentre (Beta)
• Updated README for AlertConditions

v1.9.5161 (17 Feb 2014)

• Fixed problem with STARTTLS due to threading
• Improved error message if run when CSV report is in use
• If server terminates during TLS handshake now tries SSL
• Added a column for IP Address
• Reduced the default number of concurrent connections from 256 to 8

v1.9.5135 (22 Jan 2014)

• Added pdf formatted reports that summarise certificate issues

v1.9.5085 (3 Dec 2013)

• CN, Issuer Org, SANS, and SHA1 fingerprint can now be included in the report
• Fixed exception when console output redirected
• If no cert found, write empty field for keysize

v1.9.5078 (27 Nov 2013)

• Built with .NET 2.0 rather than .NET 4.0
• Made report fields/columns configurable
• Tests to demonstrate Server Name Indication (SNI) support
• Removed sqlite code and libraries - no longer needed

v1.8.5016 (25 Sept 2013)

• Fixed problem with Alerts not being sent

v1.8.4898 (30 May 2013)

• Include Verify Column in Results
• Handle exception thrown when .NET encounters EC keys

v1.8.4895 (27 May 2013)

• Include Serial Number in report

v1.8.4856 (18 April 2013)

• Better handling of messages if reverse lookup fails
• Added white-space to config file so easier to read
• Updated README
• Updated some of the information presented on console

v1.8.4676 (20 Oct 2012)

• Removed check requiring .NET 4.0 to be installed

v1.8.4521 (18 May 2012)

• Improved use of threads to speed up scanning
• Removed ping option

v1.8.4481 (8th April 2012)

• Removed CertCentreLite as SQLite causing problems
• Removed pre-scan option so could use .NET 2.0 rather than 4.0

v1.8.4439 (26th Feb 2012)

• Improved error messages
• Added support for SMTP STARTTLS

v1.8.4435 (22nd Feb 2012)

• Make including PEM cert in report configurable

v1.7.3 (9th Feb 2012)

• Renamed from Cert Checker to CertAlert
• Added support for Pre Check
• Now licence determines how many certs can monitor rather than endpoints
• Tidied up some configuration settings
• Report summary changes

v1.7.2.29065 (2nd Oct 2011)

• Added support for port ranges
• Allow multiple database entries per IP
• Changed structure of report emails - now sends the full CSV report
• Reverse lookup support
• Can now configure which ExpiryStates written to the report
• Can now configure if want to overwrite previous report each run

v1.7.2.25292 (Sept 15th 2011)

• Added support for sending email via authenticated SMTP servers

v1.7.1 (July - Sept 2011)

• Moved database initialisation forward before threads created
• Fixed bug where if PingServer was set it could crash
• Now allow multiple IP ranges to be set

v1.7.0 (June 21st 2011)

• Output PEM certificate to CSV file so that it can be imported into Cert Centre

v1.6.1 (April 15th 2011)

• Fixed problem with database lock error
• Allow an alternative serverlist file to be specified
• Allow reports and alerts to be sent to separate email addresses

v1.6.0 (April 4th 2011)

• Improved database support

v1.5 (February 2011)

• Improved scanning support

v1.3.1 (October 21st 2010)

• Added support for a unique identifier field

v1.3 (October 15th 2010)

• Display dates displayed as UTC
• Fixed problem with unhandled exceptions
• Write Issuer and Signature Algorithm field to reports

v1.2 (September 29th 2010)

• Removed trial period ending 30 Sept 2010

v1.1 (June 1st 2010)

• First release version

v0.1 (Beta) (March 31, 2010)

• First public beta