ShadowTrackr

Improved TLS certificate scans

03 August 2020
This week’s update fixed some bugs in certificate scanning and added some extra features. Altogether it’s quite a large change, and chances are that you’ll have more items on your problems page than before.

The biggest change is in how certificate name mismatches and missing intermediate certificates are handled. The policy was that if a website could not be loaded in a browser, you had a problem anyway and additional certificate checks were not necessary. This prevented some certificates with problems from showing up in certificate reports. Of course, you’ll want your certificate overview to be complete. So, that policy has changed.

If a wildcard certificate was running on a number of urls, and one of those urls got its very own (new) certificate while the (old) wildcard certificate was still valid, ShadowTrackr had trouble detecting this. That bug is fixed now.

Some new fields have been added to monitoring: the full subject and issuer fields (instead of just the urls and organisation names), CAA issuers, certificate chains and trust paths. The first three have also been added to the advanced search options.

Lastly, instead of lumping together all urls under “common names”, they are now listed with the original field names (subject, common names, alternative names). This is much more useful when you’re fixing things.
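
To illustrate the name-mismatch check and the per-field listing described above, here is an added example (not ShadowTrackr's code). It assumes a certificate in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the sample certificate are constructed for illustration.

```python
# Added example: the sample certificate is constructed, in the dict layout
# that Python's ssl.SSLSocket.getpeercert() returns.

def names_by_field(cert):
    """Return certificate hostnames grouped by the field they came from."""
    common_names = [value for rdn in cert.get("subject", ())
                    for key, value in rdn if key == "commonName"]
    alt_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    return {"common names": common_names, "alternative names": alt_names}

def hostname_matches(pattern, hostname):
    """Match one certificate name against a hostname (RFC 6125 style).

    A wildcard is honoured only as the complete left-most label and covers
    exactly one label, so *.example.test does not match example.test or
    a.b.example.test.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_name(cert, hostname):
    """Report which names, if any, cover the hostname."""
    fields = names_by_field(cert)
    # Clients ignore the common name once alternative names are present.
    usable = fields["alternative names"] or fields["common names"]
    matched = [n for n in usable if hostname_matches(n, hostname)]
    return {"hostname": hostname, "fields": fields,
            "matched_by": matched, "mismatch": not matched}

SAMPLE_CERT = {  # constructed sample, not a real certificate
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "www.example.test"),)),
    "subjectAltName": (("DNS", "*.example.test"), ("DNS", "example.test")),
}

if __name__ == "__main__":
    for host in ("shop.example.test", "a.b.example.test", "example.test"):
        result = check_name(SAMPLE_CERT, host)
        print(host, "->", "MISMATCH" if result["mismatch"] else result["matched_by"])
```

Keeping the names grouped by field shows at a glance whether a hostname is covered by a wildcard entry or by its own explicit name, which is the distinction that matters when a url moves from a shared wildcard certificate to a dedicated one.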