Announcing v6.0 of Certify Certificate Manager

Certify The Web - Certify Certificate Manager v6.0

Our first release candidate for v6.0 is out now and can be downloaded via the beta release link on our homepage: https://certifytheweb.com/

We’re currently running this on our own production servers to catch any remaining issues; after that it will become the full release. We will then gradually offer it through in-app update checks over the next month or so until we reach full distribution.

This version includes several new features and a wide range of behind the scenes improvements.

New Features:

Certify SSL Manager is now simply called Certify Certificate Manager

As we now support more than just certificates for HTTPS/SSL, a slight adjustment to the naming was required.

New support for STIR/SHAKEN (Secure Telephone Identity) certificates

We have added cutting-edge support for STIR/SHAKEN (Secure Telephone Identity) certificates and added Martini Security (martinisecurity.com) as our first built-in CA to support this type of certificate. This uses the new TnAuthList and Authority Token ACME extensions.

We have put together a short guide to help users get started: STIR/SHAKEN Certificates | Certify The Web Docs

Automatic Certificate Authority Failover

CA failover/fallback is now enabled for new installs by default. You can toggle this under Settings > Certificate Authorities. To take advantage of this feature, add multiple ACME accounts with different CAs and the app will automatically switch to the next available CA if the current one is unavailable or failing.

For example, if you are already using Let’s Encrypt you could add Google or ZeroSSL (or both) as new CA accounts; the app will use these if a certificate experiences multiple consecutive failures, reverting to your default CA once future renewals succeed.

Our “intelligent” failover logic checks whether the chosen CA is known to support the features required for your certificate before selecting that CA as the failover target.

Data Stores

You can now optionally use MS SQL Server or PostgreSQL as your database instead of the default SQLite provider, and you can migrate data between stores, so it’s easy to move between databases. Data Stores | Certify The Web Docs

While our SQLite database works for most users (database files are stored under \ProgramData\certify), some users have advanced requirements, especially those managing several thousand certificates. SQLite is occasionally sensitive to anti-virus and backup software locking files, especially as files get larger, and having the option to use a full database server as your data store alleviates this issue.

Large database support also helps us work towards our planned goal of being able to comfortably manage 1 Million certificates from a single install.

Continuous certificate health checks

The background service will now check the health of each certificate twice per day and, if it finds any issues, the certificate will be scheduled for renewal as appropriate. We currently check the OCSP revocation status and the ACME ARI (Renewal Information) data.

More built-in Certificate Authorities

While you can configure custom CAs within the app, we also continue to add built-in configuration for certificate authorities to make creating ACME accounts with these CAs easier. We have added Sectigo (a commercial CA with EV, DV and OV ACME endpoints) and Martini Security (mentioned above) as built-in CAs.

Other Improvements:

  • Core: Now uses Anvil library for ACME support
  • CLI: implement backup import/export options
  • Core/UI: Improved support for managing many thousands of certs
  • Core: Internal ACME CAs can now optionally connect using self-signed TLS
  • Accounts: add support for importing and exporting account details, account key rollover and optional account deactivation on delete.
  • UI: Added Turkish language support (thanks to Riza Emet)
  • Tasks: New deployment task to set private key permissions for a specific account.
  • Tasks: New task Update Port Binding for general TLS port binding updates.
  • DNS: New Domeneshop and Infomaniak DNS providers via Posh-ACME
  • DNS: New version of Microsoft Azure DNS provider.
  • DNS: New Google Domains provider for DNS based ACME challenges.

Potentially Breaking Changes:

The following items may affect existing functionality and should be reviewed before upgrading if you think you may be affected:

Our default Let’s Encrypt configuration now defaults to the ISRG Root X1 chain instead of the previous default chain ending in the expired DST Root CA X3.
For typical Windows services (IIS in particular) this results in no real change for end users, but if you are exporting your certificate for use with other services it may change your certificate chain, which may in turn affect compatibility with old systems.

Private Keys now default to ECDSA 256 instead of RSA 2048
This results in smaller keys and certificates and is a commonly supported modern key choice.

Installed root certificate no longer required for a successful PFX build
Previously, if your CA’s certificate was not installed in the local machine certificate store, the PFX file would fail to build, resulting in a failed renewal. We have removed this requirement. We don’t currently anticipate this having any impact and would be interested in hearing of any customer scenarios affected by it.

Exclude root cert from default export for Apache, nginx and Generic Server fullchain option.
Our previous exports for Apache etc. could include the root CA certificate, which generally should not be included in a served certificate chain unless explicitly required.
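The check below is added here as an illustration (it is not part of Certify's own code) for anyone who wants to confirm an exported fullchain bundle matches the new behaviour: it walks each PEM certificate with a minimal DER parse, labels any self-issued certificate (issuer equals subject) as a root, and rebuilds the bundle without it. The sample bundle is constructed for the demo (unsigned X.509 shells with the right field layout, not real certificates).

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_subject(der_cert):
    """Return the raw DER Name encodings of issuer and subject from an X.509 certificate."""
    _, cert, _ = read_tlv(der_cert, 0)             # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                  # tbsCertificate SEQUENCE
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0                # skip optional [0] EXPLICIT version
    fields = []
    for _ in range(5):                             # serialNumber, signature, issuer, validity, subject
        _, val, pos = read_tlv(tbs, pos)
        fields.append(val)
    return fields[2], fields[4]

def chain_report(pem_text):
    """Label each cert in a PEM bundle; issuer == subject (self-issued) is treated as a root."""
    labels = []
    for i, block in enumerate(PEM_RE.findall(pem_text)):
        der_cert = base64.b64decode("".join(block.split("-----")[2].split()))
        issuer, subject = issuer_and_subject(der_cert)
        labels.append("root" if issuer == subject else "leaf" if i == 0 else "intermediate")
    return labels

def without_root(pem_text):
    """Rebuild the bundle with self-issued (root) certificates dropped, preserving order."""
    return "".join(b for b, label in zip(PEM_RE.findall(pem_text), chain_report(pem_text)) if label != "root")

# --- constructed test data: syntactically valid but unsigned X.509 shells, not real certificates ---
def der(tag, content):
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + content

def name(cn):                                      # Name ::= SEQUENCE { SET { SEQUENCE { OID CN, UTF8String } } }
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))

def fake_cert_pem(issuer_cn, subject_cn):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer_cn) + der(0x30, b"") + name(subject_cn) + der(0x30, b""))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()

SAMPLE_FULLCHAIN = (fake_cert_pem("Constructed Intermediate", "www.example.test")
                    + fake_cert_pem("Constructed Root", "Constructed Intermediate")
                    + fake_cert_pem("Constructed Root", "Constructed Root"))
```

Run `chain_report` over a real exported fullchain file's contents; a trailing "root" label means the bundle still carries the root CA certificate that the new default export omits.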