{"version":{"major":6,"minor":1,"patch":11},"message":{"body":"There is a new version (6.1.11) available.","downloadPageURL":"https://certifytheweb.com","releaseNotesURL":"https://certifytheweb.com/home/changelog?mode=release&product=ccm","downloadFileURL":"https://downloads.certifytheweb.com/CertifyTheWebSetup_V6.1.11.exe","sha256":"828358093fb3c5925e616cc8ed98e3cc59c776af5c2aa3809783e3961a8237db","isMandatory":false,"mandatoryBelowVersion":null,"releaseNotes":[{"version":"6.1.11","releasedate":"2025/10/21","body":"- Fixes:\r\n - SSH: Fix \"Could not load type..\" error related to BouncyCastle.Cryptography library reference.\r\n - Core: Additional clean-up of X509Certificate2 after use to avoid temp RSA keys remaining on disk.\r\n \n"},{"version":"6.1.10","releasedate":"2025/10/17","body":"- Enhancements:\r\n - UI: View Certificate option now allows unlock of password protected PFX\r\n - Misc: Package dependency updates\r\n- Fixes:\r\n - DNS: Fix incorrect parameter for NameSilo provider\r\n - Core: Clean-up X509Certificate2 after use to avoid temp RSA keys remaining on disk.\r\n - CA: Deprecate BuyPass GO in the UI as they no longer offer an ACME service. \n"},{"version":"6.1.8","releasedate":"2025/07/28","body":"- Fixes:\r\n - Renewals: address possible hang during long running renewal batches which then prevents subsequent renewal batches from running.\r\n\r\n \n"},{"version":"6.1.7","releasedate":"2025/06/25","body":"- Fixes:\r\n - UI: Fix status update UI streaming\r\n - Tasks: Reverted SSH updates which caused dependency version problems and affected UI status streaming.\r\n\r\n \n"},{"version":"6.1.5","releasedate":"2025/04/02","body":"* Fixes:\r\n - Tasks: *Deploy to Generic Server*, *Apache*, *nginx*, *Tomcat* and *Export Certificate* - fix task validation check when exporting using windows network UNC path. \n"},{"version":"6.1.4","releasedate":"2025/03/18","body":"- Enhancements:\r\n - DNS: WEDOS DNS provider via Posh-ACME.\r\n- Fixes:\r\n - Tasks: *Deploy to Generic Server*, *Apache*, *nginx*, *Tomcat* and *Export Certificate* - fix issue with non-user accessible path setting causing issues with some exported components (e.g. full chain).\r\n - ACME: Remove log warning if acme profile not selected, add `DisableARIChecks` setting for users who require a specific renewal interval. \n"},{"version":"6.1.3","releasedate":"2025/03/04","body":"- Enhancements:\r\n - Core & UI: Implement support for ACME named profiles (under *Certificate > Advanced > Certificate Authority*)\r\n - DNS: Implement Porkbun and INWX DNS providers via Posh-ACME.\r\n- Fixes:\r\n - DNS: Infoblox allow skipping of validation for self-signed server certs.\r\n - DNS: Cloudflare use quoted TXT values\r\n - ACME: skip re-use of existing order ID if previous attempt has failed (order expired by CA), skip ARI replaces when order has already failed. \n"},{"version":"6.1.2","releasedate":"2024/10/31","body":"\r\n- Enhancements:\r\n - DNS: Improve duplicate record handling with AWS Route 53\r\n - DNS: Add support for PAT tokens in Gandi provider (via Posh-ACME)\r\n- Fixes:\r\n - Tasks: Report file copy failures for CCS task\r\n - API: Enable TLS 1.3 communication with CA API etc when possible.\r\n \n"},{"version":"6.1.1","releasedate":"2024/10/16","body":"- Enhancements:\r\n - Tasks: Add new task trigger type to run a task if any preceding task has failed (e.g. if a single deployment task in a set fails, perhaps send a notification or call an API).\r\n - DNS: Add TencentDNS and ZoneEdit provider plugins from Posh-ACME.\r\n - CA: Add GlobalSign Atlas as a Built-in CA option.\r\n - ACME Accounts: support account pre-approval (EJBCA Enterprise etc) by optionally pre-generating a custom account key.\r\n - CLI: Advanced option to Add/Update stored credentials for automation of credential changes.\r\n - UI: Remove license activation notice in community edition for personal use.\r\n- Fixes:\r\n - SSH: Improve SSH/SFTP compatibility when authenticating via password prompt.\r\n - ARI: skip replaces operation in more situations when initial order fails (e.g. CA has changed).\r\n - Installer: enable install on Arm64.\r\n - Updates: *Optionally* quit app if an update is essential.\r\n \n"},{"version":"6.1.0","releasedate":"2024/08/09","body":"- Enhancements:\r\n - IIS Bindings: extended logging has been added to explain individual binding matches and binding additions/updates (for Preview and actual deployment). Existing IP specific bindings with SNI will now also retain the SNI settings where applicable.\r\n - Renewals: New maximum of 1000 consecutive failed renewal attempts per managed item. This avoids incurring further unnecessary CA rate limits when an item can no longer successfully renew. Failed items can still be manually attempted with *Request Certificate* or can be removed.\r\n - Tasks: Updated SSH compatibility\r\n - Tasks: Set Private Key Permissions task was previously RSA only and now also handles Elliptic Curve key permissions.\r\n - Core: ACME API operations are now throttled per-CA to 2 requests per second, which avoids request-per-seconds rate limits on certain CAs.\r\n- Fixes:\r\n - SFTP: Fix for file copy bug which affected some file types (PEM etc) over SSH (bytes from previous file left over if new file was smaller).\r\n - Export: skip PFX credential check if exporting as PFX as export will just be a file copy.\r\n \n"},{"version":"6.0.18","releasedate":"2024/05/10","body":"- Fixes:\r\n - Renewals: Remove possible race condition where multiple orders of the same cert could occur at the same time and invalidate the private key.\r\n - ARI Support: automatically retry order if replacement certificate id no longer correct.\r\n - DNS: GoDaddy API access is now restricted by GoDaddy to accounts with 10+ domains. Add message in DNS provider error.\r\n \n"},{"version":"6.0.17","releasedate":"2024/05/01","body":"- Fixes:\r\n - Private Keys: fix optional re-use of private key when selected for a new managed certificate.\r\n - Tasks: For Apache, Nginx, Generic server etc on Windows, detect attempt to export a file to a directory name instead of a full path with filename.\r\n- Enhancements:\r\n - ARI: Update ACME Renewal Information implementation to current draft `draft-ietf-acme-ari-03`. \n"},{"version":"6.0.16","releasedate":"2024/04/25","body":"- Fixes:\r\n - PowerShell: When using *Launch New Process* mode, additional arguments are now passed to the target script.\r\n - PFX Build: improve handling of build for unknown roots when there is no intermediate in the CA chain.\r\n- Enhancements:\r\n - Updated Posh-ACME DNS scripts, SSH.Net version updated for additional SSH compatibility\r\n - New `DefaultACMERetryInterval` preference in `appsettings.json` to customize default ACME operation retry interval (in seconds). This can help when custom CAs etc have slower than normal order processing times.\r\n\r\n\r\n \n"},{"version":"6.0.15","releasedate":"2024/02/22","body":"- Enhancements:\r\n - CLI: Add option to remove a domain from any managed certificate without knowing the ID e.g. `certify remove any `. Empty managed certs are cleaned up automatically.\r\n - UI: Add support for parsing custom openssl private keys with ec param blocks\r\n - DNS: Implement PowerDNS API support for DNS validation via Posh-ACME.\r\n- Fixes:\r\n - Tasks: Preserve failure count if a renewal succeeds but a deployment task fails. This allows repeated task failures to trigger standard API notification just as cert renewal failures would.\r\n - Installer: Ensure `BouncyCastle.Cryptography.dll` is properly updated during install/upgrade which otherwise results in order/renewal errors. \n"},{"version":"6.0.14","releasedate":"2024/02/12","body":"- Enhancements:\r\n - Tasks: Update SSH support to use newer SSH.NET library for improved compatibility and performance.\r\n - DNS: Add Hosting.de DNS provider via Posh-Acme, implemented by Fritz Otlinghaus\r\n- Fixes:\r\n - Renewal: **Fix issue where failed renewals were retried too frequently** which incurred CA rate limits instead of backing off attempts to every 48hrs as expected.\r\n - Tasks: Fix Apache, nginx, generic server export path validation when using Windows shares. Log error if stored credentials are required but not accessible. \n"},{"version":"6.0.13","releasedate":"2023/12/12","body":"- Enhancements:\r\n - Implement advanced option for forced DNS challenge cleanup \r\n- Fixes:\r\n - FTP: re-use previously set FTP binding port instead of defaulting to port 21 for updates.\r\n - Validation: Add validation to prevent primary subject name from exceeding 64-characters.\r\n - Http Challenge Server: Stop challenge server on unknown exceptions to avoid possible process hangs if blocked by other processes.\r\n - Powershell: Fix issue with PowerShell script path issues when running as a new process.\r\n - DNS: report full provider name in logs when using Posh-ACME based providers.\r\n - Core: Increase order processing timeout to allow for slower CA order processing.\r\n - Core: batch and deduplicate status reporting (if enabled).\r\n \n"},{"version":"6.0.12","releasedate":"2023/10/25","body":"- Enhancements:\r\n - Core: Add Sectigo Enterprise as built-in CA\r\n - UI: New option to allow local hostnames when added a custom CA\r\n- Fixes:\r\n - DNS: GoDaddy provider updates to fix issues preventing cleanup of TXT records, improved update logic and added request rate limiting.\r\n - Core: Report error if data store fails to load\r\n - Core: Error if PFX fails to be read after download (unsupported key types)\r\n - Core: Avoid error if attempting a Deployment Task that hasn't been saved yet\r\n - UI: Only use valid saved window dimensions \n"},{"version":"6.0.11","releasedate":"2023/08/21","body":"- Enhancements:\r\n - UI: Add count of items with *No Certificate* to summary view\r\n - Core: Check for renewals tasks more frequently, perform maintenance tasks hourly.\r\n - Tasks: Add LogonType option for more powershell based tasks\r\n- Fixes:\r\n - UI: Fix for tasks retaining previously selected credentials when current service account is selected.\r\n - UI: Disable relevant UI elements when service is not yet connected\r\n - Tasks: Fix powershell script wrapper path escaping\r\n - Tasks: *Deploy to ADFS* should use interactive LogonType by default\r\n - Core: Use UTC datetime handling as standard \n"},{"version":"6.0.10","releasedate":"2023/08/01","body":"- Enhancements:\r\n - UI: Don't show progress reports for skipped items not due. Clear previous progress reports when starting new batch renewal.\r\n - UI: Improve UI for short lifetime certificates\r\n - Core: New renewal hold/retry algorithm based on certificate lifetime (if known)\r\n - Core: Add optional parallel renewal task processing and optional setting to leave challenge cleanup to the end of the renewal process.\r\n - DNS: Update Cloudflare provider to cleanup TXT entries in order of date modified\r\n - Tasks: _Update Port Binding_ task error handling for `netsh` command output made more robust. Generally use this task in place of custom `netsh http add sslcert` scripts.\r\n- Fixes:\r\n - Core: Improve CA fallback logic to prefer the default CA settings instead of last used.\r\n - Core: Fix intermittent error for optional untrusted TLS connections to ACME servers\r\n - Core: Various fixes and improvements for managing large numbers of certificates\r\n - UI: Deployment tasks using Windows Auth should not require a remote target host\r\n \n"},{"version":"6.0.9","releasedate":"2023/06/26","body":"**All 6.x users are advised to upgrade.**\r\n\r\n* Fixes:\r\n - Installer: Fix issue where some files were not being updated on upgrade leaving installation in an inconsistent state.\r\n - Certificate Cleanup: Corrected an issue where cleanup would not be performed if the mode was set to *After Renewal* due to not matching on the PFX friendly name. \n"},{"version":"6.0.8","releasedate":"2023/06/22","body":"* Fixes:\r\n - DNS: Fix errors reported when using the acme-dns provider\r\n - UI: Fix problems with saving and changed state when editing challenge configurations. \n"},{"version":"6.0.7","releasedate":"2023/06/21","body":"* Fixes:\r\n - Core: Fix for Manual DNS etc orders becoming stuck at awaiting user action due to order being expired by CA.\r\n - Core: Reduce logging by default for periodic maintenance tasks.\r\n - UI: Fix issue with refresh of challenge configuration parameters when changing between http and DNS validation.\r\n \n"},{"version":"6.0.6","releasedate":"2023/06/20","body":"* Fixes:\r\n - Core [potential breaking change]: **Revert default private key type to RSA256 with key size of 2048.** Some popular apps like MS Exchange etc do not support ECDSA 256 keys. If you have previously used 6.x and have MS Exchange or other affected apps, please review your Default Key Type under Settings > General\r\n - UI: Challenge configuration should mark item as modified when parameters change. Fix recursive challenge provider UI selection bug.\r\n - UI: Import/Export should show as an option by default.\r\n - DNS: Avoid acme-dns provider exception is API url not set. \n"},{"version":"6.0.5","releasedate":"2023/06/15","body":"* Enhancements:\r\n - UI: Show the last used CA under managed certificate status. This is useful if you are using multiple CAs or CA failover.\r\n - UI: Additional settings to toggle External Certificate Managers, using Modern PFX Algorithms and default Private Key type.\r\n - DNS: Deprecate additional built-in providers and defer to Posh-ACME versions instead.\r\n - Core & UI: Add option in settings to renew certificates based on the percentage of overall certificate lifetime elapsed.\r\n - Core: Add option to limit requested certificate lifetime under Certificate > Advanced > Signing & Security, where supported by CA.\r\n - Core: Add renewal reason in logs explaining why an item is selected for renewal.\r\n* Fixes:\r\n - Core and UI: Fixed incorrect next planned renewal date shown in UI depending on renewal mode selected under Settings.\r\n - Core: Prevent exception if no matching CA account has been configured to match the certificate request.\r\n - Core: Fix error reading IIS site list if site does not have a path set in config.\r\n - Core: Additional validation checks for invalid Authority Tokens.\r\n - Core: Ensure periodic certificate store cleanup uses preferred store type.\r\n - Import/Export: Fix issue where PFX file remained encrypted after import. Added import overwrite option.\r\n - UI: Prevent exception if selected item is deselected during save.\r\n - Tasks: Fix intermediate chain export for Apache/nginx/hashicorp-vault to not include root.\r\n \n"},{"version":"6.0.4","releasedate":"2023/05/24","body":"* Fixes:\r\n - Installer: Fix versioning of various bundled Microsoft DLLs.\r\n - Azure DNS: Fix issue where existing record would have challenge value appended rather than a new record entry being created, fix cleanup of TXT records.\r\n - CA Failover: Improve selection of fallback CA choice where only 1 domain is included in cert.\r\n - Data Stores: Fix UI issue that prevented switching back to original default data store after switching to a different data store.\r\n \n"},{"version":"6.0.3","releasedate":"2023/05/23","body":"* Fixes:\r\n - Installer: Update digital signature on executables & libraries. Cleanup additional artifacts from previous installs. \n"},{"version":"6.0.2","releasedate":"2023/05/22","body":"* Fixes:\r\n - DNS: restore credential \"Test\" functionality where supported.\r\n - AutoUpdate: Fix issue where AutoUpdate script would download previous app version due to version string not being passed to API. Add Windows Event logging.\r\n - Help: Fix issue where invalid help links would cause an exception when link clicked. \n"},{"version":"6.0.1","releasedate":"2023/05/19","body":"* Enhancements:\r\n - Tasks: Add new *Deploy to Doppler* task for storing certificate artifacts in Doppler SecretOps.\r\n* Fixes:\r\n - SQLite: Improve error handling when a database file is locked.\r\n \n"},{"version":"6.0.0","releasedate":"2023/05/12","body":"# Certify The Web - v6.0\r\n\r\n**v6.x is a major new release featuring lots of improvements developed over the last 12 months.**\r\n\r\n* Enhancements:\r\n - Certify SSL Manager is now simply called *Certify Certificate Manager*\r\n - Add support for *STIR/SHAKEN* (Secure Telephone Identity) certificates and add Martini Security (martinisecurity.com) as a built in CA.\r\n - Automatic CA fallback/failover is now enabled for new installs by default and can be toggled under `Settings > Certificate Authorities`, just add multiple ACME accounts and the app will automatically switch to the next available CA if the current one is unavailable or failing.\r\n - CA: Add Sectigo (EV,DV,OV ACME endpoints) as a built in CA option.\r\n - Data Stores: optionally use MS SQL Server or PostgreSQL as the data store instead of SQLite, migrate data between stores.\r\n - CLI: implement backup import/export options \r\n - Core/UI: Improved support for managing many thousands of certs\r\n - Core: Internal ACME CAs can now optionally connect using self-signed TLS\r\n - Core: New certificate OCSP and ARI health checks twice per day, per certificate, to test for any required early renewal.\r\n - Core: Use Anvil library for ACME support\r\n - Accounts: add support for importing and exporting account details, account key rollover and optional account deactivation on delete.\r\n - UI: Added turkish language support (thanks to Riza Emet)\r\n - Tasks: New deployment task to Set Private Key permissions for specific account. \r\n - Tasks: New task Update Port Binding for general TLS port binding updates.\r\n - DNS: New Domeneshop and Infomaniak DNS providers via Posh-ACME\r\n - DNS: New version of Microsoft Azure DNS provider.\r\n - DNS: New Google Domains provider for DNS based ACME challenges.\r\n* **Breaking Changes**:\r\n - CA: Let's Encrypt will now default to the `ISRG Root X1` chain instead of the default expired `DST Root CA X3` chain.\r\n - Core: Private Keys now default to ECDSA 256 instead of RSA 2048\r\n - Core: Installed root certificate no longer required for a successful PFX build.\r\n - Tasks: Exclude root cert from default export for Apache, nginx and Generic Server fullchain option.\r\n - Community Edition: Unlicensed version will manage up to 5 managed certificates.\r\n* Fixes:\r\n - DNS: GoDaddy DNS provider fetch all result pages, fix default result page sizes\r\n - UI: Changes to preferred chain were not being saved in account editor\r\n - UI: Certificate Authority select resets if user changes to main settings tab\r\n - UI: Fix challenge credentials reset to default item on refresh of credentials list\r\n \r\n \r\n \n"},{"version":"5.9.6","releasedate":"2023/04/28","body":"* Enhancements:\r\n - DNS: New version of Microsoft Azure DNS provider.\r\n \n"},{"version":"5.9.5","releasedate":"2023/04/17","body":"* Enhancements:\r\n - Add support for STIR/SHAKEN (Secure Telephone Identity) certificates and add Martini Security (martinisecurity.com) as a built in CA.\r\n - Implement ARI support for continuous renewal info health checks\r\n - Data Stores: optionally use MS SQL Server or PostgreSQL as the data store, migrate data between stores.\r\n - CLI: implement backup import/export options \r\n - Core: Installed root certificate no longer required for a successful PFX build.\r\n - Core: Use Anvil library for ACME support\r\n - Core: Default to smaller ECDSA 256 keys for CSRs instead of old RSA 2048 default\r\n - Accounts: add support for importing and exporting account details, account key rollover and optional account deactivation on delete.\r\n* Fixes:\r\n - DNS: IONOS DNS: fix for DNS zone matching\r\n - DNS: Azure DNS: fix patching of existing txt records during add/delete \r\n \n"},{"version":"5.9.4","releasedate":"2023/02/24","body":"* Enhancements:\r\n - DNS: Implement Google Domains provider for DNS based ACME challenges.\r\n - Tasks: New deployment task to Set Private Key permissions for specific account. \r\n - Tasks: New task Update Port Binding for general TLS port binding updates.\r\n - DB: range of improvements for query performance with large collections of managed items. \r\n - Certs: new certificate OCSP and ARI health checks twice per day to test for any required early renewal.\r\n* Fixes:\r\n - Tasks: Azure Key Vault deployment task should use PFX password if set.\r\n - Tasks: Don't show remote host option if task doesn't support it.\r\n \r\n \n"},{"version":"5.9.3","releasedate":"2022/12/22","body":"* Enhancements:\r\n - Remove blocking of UI for periodic status checks, use regular background checks instead.\r\n* Fixes:\r\n - Make modern PFX algs no longer the default due to compatibility issues\r\n - Use a loopback IP for default API binding instead of localhost due to incompatibility with some hosts.\r\n - Fix preferred chain pref not being honoured is CA has a default chain set in config \n"},{"version":"5.9.2","releasedate":"2022/12/15","body":"* Enhancements:\r\n - Core: Implement continuous certificate health checks (OCSP and ARI).\r\n - Core: Relax PFX chain building so copy of the CA root is not always required. \n"},{"version":"5.9.1","releasedate":"2022/12/01","body":"* Fixes\r\n - Use standard defaults for PFX build algorithms\r\n - Fix some exception logging when CA communication fails \n"},{"version":"5.9.0","releasedate":"2022/11/29","body":"\r\n# Alpha release for upcoming V6.0\r\n* Enhancements:\r\n - General: Certify SSL Manager is now called Certify Certificate Manager\r\n - UI: Added turkish language support (thanks to Riza Emet)\r\n - DNS: Implemented Domeneshop and Infomaniak DNS providers via Posh-ACME\r\n - DNS: Add DDNSZone option for RFC2136 provider via Posh-ACME\r\n - Tasks: **Breaking Change** exclude root cert from default export for Apache, nginx and Generic Server fullchain option.\r\n - Core: PFX files now default to more modern key and certificate algorithm defaults. Legacy option is available as config.\r\n - Core: Refined logging details\r\n - Core: Internal ACME CAs can now optionally connect using self-signed TLS\r\n - CA: Add Sectigo (EV,DV,OV ACME endpoints) as built in CA option.\r\n - CA: **Breaking Change** Let's Encrypt will now default to the `ISRG Root X1` chain instead of the default expired `DST Root CA X3` chain.\r\n* Fixes:\r\n - DNS: GoDaddy DNS provider fetch all result pages, fix default result page sizes\r\n - UI: Changes to preferred chain were not being saved in account editor\r\n - UI: Certificate Authority select resets in advanced certificate setting user changes to main settings tab\r\n - UI: Fix challenge credentials reset to default item on refresh of credentials list\r\n* Planned Before Final Release:\r\n - *CA: Add Fallback modes- Preferred with Automatic Fallback (default), Preferred Only, Any (Random)\r\n - *UI: New optional cross-platform web interface in addition to the existing desktop UI.\r\n - *UI: new database migration UI to move from one database backend to another\r\n - *API: New APIs for custom client access\r\n - *Core: Support for running under Linux (Docker etc)\r\n - *Core/UI: Improved support for managing many thousands of certs\r\n - *Core: Nginx target support for website selection and binding deployment\r\n - *Core: Support for running on Linux, with certificates defaulting to pem format on that platform\r\n - *Core: New optional database backends for configuration storage: SQLite (default), Microsoft SQL Server, PostgreSQL\r\n - *Core: New preference for cert expiry days (e.g. optionally expiring in less than 90 days)\r\n \r\n \r\n \n"},{"version":"5.6.8","releasedate":"2022/04/04","body":"* Enhancements:\r\n - Add built-in support for the new Google Cloud public certificate authority (preview). See https://docs.certifytheweb.com/docs/guides/certificate-authorities \n"},{"version":"5.6.7","releasedate":"2022/03/28","body":"* Fixes:\r\n - Fix domain options not refreshing in UI when IIS site selected. \n"},{"version":"5.6.6","releasedate":"2022/03/17","body":"* Enhancements:\r\n - Update Posh-ACME DNS providers to v4.13.1, Add LeaseWeb plugin, update Loopia & Simply plugins\r\n* Fixes:\r\n - Fix slow refresh of domain options in UI when managing sites with many domains\r\n - Improve server connection handling if connection config is invalid\r\n - Cloudflare DNS provider improvements (multi-value TXT handling)\r\n \n"},{"version":"5.6.5","releasedate":"2022/02/02","body":"* Enhancements:\r\n - Add `acmeaccounts list` command to CLI to list details of currently registered acme accounts.\r\n* Fixes:\r\n - Fix performance of domain options UI when site has many bindings.\r\n \n"},{"version":"5.6.4","releasedate":"2022/01/11","body":"* Fixes:\r\n - Fix issue with non-escaped credentials when invoking Posh-ACME based DNS providers resulting in failed DNS challenge updates. \n"},{"version":"5.6.3","releasedate":"2022/01/07","body":"* Enhancements:\r\n - Edit option added for Certificate Authority accounts to update contact email address.\r\n* Fixes:\r\n - Update service connection retry logic, disable service port negotiation by default \n"},{"version":"5.6.2","releasedate":"2021/12/20","body":"* Fixes:\r\n - Revert SQLite version due to upgrade causing compatibility issues for some users. \n"},{"version":"5.6.1","releasedate":"2021/12/17","body":"* Fixes: \r\n - Installer updated to remove old references to SQLite which prevented the service from starting. Improved background service update process. \n"},{"version":"5.6.0","releasedate":"2021/12/15","body":"* Enhancements:\r\n - DNS: Added providers (via Posh-ACME) for All-Inkl, Combell, Constellix, ISPConfig, TotalUptime, UKFast, Zilore. You can now also optionally use Namecheap and DNS Made Easy via the Posh-ACME based providers.\r\n - DNS: New CNAME delegation rule option added to allow CNAME delegation of DNS challenges to a surrogate domain/zone.\r\n - Tasks: Added Azure App Service (webapp & function app) deployment, Add azure environment options to Azure KeyVault deployment.\r\n - Core: Subproblem logging for ACME errors.\r\n - Core: Custom plugins can load from `%PROGRAMDATA%\\plugins` if plugin loading enabled (under Settings).\r\n - Misc: Use TLS 1.2 by default for AutoUpdate and Posh-ACME based powershell providers.\r\n - UI: Added server connections editor (beta).\r\n - CLI: Added `acmeaccount` command to register a new ACME account.\r\n* Fixes:\r\n - DNS: Azure DNS environment selection (US Gov etc).\r\n - Custom CSR: subject name not also specified in SAN list are now included in the overall list of identifiers.\r\n - IIS: SNI flags are now properly preserved if modified on Window 10/Server 2022. \n"},{"version":"5.5.7","releasedate":"2021/10/27","body":"* Enhancements:\r\n - Certificate Authorities: Update maintenance task for ZeroSSL\r\n - Migration (beta): Add option for certificate re-deployment, progress indicator\r\n - AutoUpdate (beta): Add method to update script if in use during update\r\n - DNS: Update Posh-ACME based PowerShell DNS providers\r\n* Fixes:\r\n - CLI: reduce default delay for diagnostic autofix binding deployment\r\n - Core: Improve performance when applying Auto deployment binding updates where many individual sites exist \n"},{"version":"5.5.6","releasedate":"2021/10/20","body":"* Enhancements:\r\n - Certificate Authorities: Extend maintenance task to add root cert required for ZeroSSL\r\n - Tasks: Export Certificate, Apache, nginx and Generic server deployment tasks updates with \"full chain\" export options.\r\n - Auto Update (beta): An example Auto Update powershell script has been included under `%Program Files%\\CertifyTheWeb\\Scripts\\AutoUpdate`. Users who wish to auto update can create a Windows scheduled task (as administrator) to perform unattended updates automatically to the latest stable app version. \r\n - CLI: new `activate` command to activate instance license for unattended installs.\r\n - UI: Spanish translation updated (by community contributor [xtarting](https://github.com/xtarting))\r\n\r\n* Fixes:\r\n - Diagnostics: When running diagnostics from UI there is no need to check ability to create temp files\r\n - DNS: GoDaddy provider updated to fix cleanup task.\r\n - DNS: OVH provider updated to fix cleanup task (by community contributor [Nuklon](https://github.com/Nuklon)).\r\n - Migration (beta): Create destination cert storage path if it doesn't exist. \n"},{"version":"5.5.5","releasedate":"2021/09/24","body":"* Enhancements:\r\n - Certificate Authorities: extend maintenance task to add required Let's Encrypt and BuyPass Go roots, update old/problematic intermediate certificates. See https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/ for information and help regarding the Let's Encrypt root changeover (30th September 2021). \r\n - UI: allow local hostnames in cert when using custom CAs\r\n \n"},{"version":"5.5.4","releasedate":"2021/09/09","body":"* Fixes:\r\n - Fix issue saving settings changes \n"},{"version":"5.5.3","releasedate":"2021/09/09","body":"* Enhancements:\r\n - Certificate Authorities: Add new internal maintenance task to disable old/problematic intermediate certificates (e.g. the old Let's Encrypt R3). See community.certifytheweb.com for discussion around Let's Encrypts expiring R3 and DST Root CA X3 certificates. **A reboot is advisable after this update to serve the non-expiring chain.**\r\n - UI: Add advanced certificate options for OCSP Must-Staple and private key re-use.\r\n - UI: Add general setting for certificate store preference (recommended default remains the local machine My store).\r\n - UI: Enter key will submit domains to add to certificate (as well as clicking add button).\r\n \r\n* Fixes:\r\n - CLI: If filename not supplied for json export, a validation warning should be shown.\r\n - CLI: removing last domain from a managed certificate will remove the managed certificate as well.\r\n - Tasks: [Powershell] Add support for escaping `;` and `=` characters in powershell args using `\\`.\r\n - Tasks: [All] If credentials are used in a task and they fail to decrypt then an error should be returned.\r\n - Migration (beta): General updates and fixes.\r\n \n"},{"version":"5.5.2","releasedate":"2021/07/23","body":"* Enhancements:\r\n - UI: Add `Duplicate` right click context menu option for managed certificates list. This is useful for copying managed certificates which have tasks or other settings you want to replicate.\r\n* Fixes:\r\n - UI: Fix crash on discarded changes after attempting a Save. \n"},{"version":"5.5.1","releasedate":"2021/07/22","body":"* Enhancements:\r\n - UI: Start page updates, confirm re-request of certificates to avoid CA rate limits.\r\n - Core: Logging improvements \r\n* Fixes:\r\n - Tasks: Powershell task validation no longer treats inaccessible file as invalid.\r\n - Test: Http validation check won't error if IIS not installed. \r\n - UI: Fix images in quickstart guide \n"},{"version":"5.5.0","releasedate":"2021/07/19","body":"* Enhancements:\r\n - UI: New Summary pane on startup shows filterable counts of managed certificates by health category\r\n - CLI: New JSON output for `list` option, new option to add managed cert from a JSON template\r\n - Tasks: New options for PowerShell and Script tasks to optionally run as new processes\r\n - CAs: Add SSL.com to the list of built-in ACME Certificate Authorities\r\n - CSRs: Add support for various RSA key sizes\r\n - Renewals: Preference can now be either N days since last renewal or N days before expiry date.\r\n - Misc: Add update check cleanup for old setup files\r\n - Misc: Add default cleanup for old certificate file assets\r\n - Misc: Service will perform diagnostics and report if machine is running low on disk space etc. A notification will be sent to the default CA contact.\r\n* Fixes:\r\n - UI: Fix issue with multiple new DNS authorization configs incorrectly copying parameters \r\n - DNS: Fix for Cloudflare DNS provider updating existing TXT records.\r\n - CLI: Fix for `renew-all-due` option attempting too many items.\r\n - Core: Fix exception reading config for external cert managers\r\n - Core: ACME compatibility fixes to support more ACME CAs\r\n - Core: Ensure all auth challenges submitted even if cert order has already failed, to help with auth rate limiting. \n"},{"version":"5.4.3","releasedate":"2021/05/22","body":"* Fixes:\r\n - Fix crash when trying to change UI language when UI settings have not been previously saved. \n"},{"version":"5.4.2","releasedate":"2021/05/21","body":"* Enhancements:\r\n - Progress UI updates for DNS challenges which may be paused (Certify DNS, Manual DNS, acme-dns)\r\n - Updated docs links for DNS providers\r\n* Fixes:\r\n - **Important:** Fix for manual certificates (those not using IIS for the domain list) not performing standard deployment (affecting new certs created with v5.4.0, v5.4.1).\r\n \n"},{"version":"5.4.1","releasedate":"2021/05/20","body":"* Enhancements:\r\n - Certify DNS: pass subject domain to registration service for dashboard monitoring\r\n* Fixes:\r\n - Fix for manual certificates (those not using IIS for the domain list) being identified as externally managed\r\n - Fix for potential exception when using keyboard to delete a managed certificate\r\n\r\n \n"},{"version":"5.4.0","releasedate":"2021/05/18","body":"* Enhancements:\r\n - New **Certify DNS** service in beta. This is a new cloud based acme-dns style service and can be enabled on your certifytheweb.com License Keys tab.\r\n - Tasks: Powershell script task now has an optional parameter for max timeout minutes.\r\n - DNS: Azure DSN provider has new option for alternative azure global services\r\n - CLI: new options to add/remove domains from a given managed cert\r\n - Engineering: preparation for .net 5/.net 6 versions. Preliminary support for Windows Server 2022.\r\n - UI: New setting to manually select language for UI translations. UI now defaults to English for all users. Users keen to see translations continue should discuss on https://github.com/webprofusion/certify\r\n* Fixes:\r\n - DNS: General fixes for zone matching based on label depth.\r\n - DNS: AWS Route 53 zone paging\r\n - DNS: Cloudflare provider should not error if TXT record already exists\r\n - DNS: MS DNS provider now supports optional zoneid to avoid zone discovery process. Contributed by https://github.com/mb300sd\r\n - UI: Fix error launching browser in some environments links when clicking links.\r\n - Renewals: Failed renewals should not count against batch limit causing no renewals to be attempted.\r\n - Migration: If task script files are deleted then migration should skip them, if credentials deleted don't try to migrate them.\r\n - Revert to previous 10 managed certificates limit in Community Edition \n"},{"version":"5.3.5","releasedate":"2021/03/17","body":"* Enhancements:\r\n - IONOS DNS provider updates\r\n - DNS Made Easy DNS Provider updates\r\n* Fixes:\r\n - Refine startup window positioning when used with multiple monitors\r\n - Import CSV should migrate pre/post request scripts to deployment tasks \n"},{"version":"5.3.4","releasedate":"2021/03/04","body":"* Fixes:\r\n - Installer updates (minor) \n"},{"version":"5.3.3","releasedate":"2021/03/02","body":"* Enhancements:\r\n - Add new DNSPod (v2) provider. The old version is now deprecated due to provider API changes. \n"},{"version":"5.3.2","releasedate":"2021/02/26","body":"* Fixes:\r\n - Fix for primary domain preference not persisting when saved (first domain in list gets selected instead).\r\n - Additional refinements to configuration validation \n"},{"version":"5.3.1","releasedate":"2021/02/23","body":"* Enhancements:\r\n - Added additional ACME API request exception handling for slow or unavailable services.\r\n - Custom CA root certs can now be stored under `C:\\ProgramData\\certify\\custom_ca_certs\\pem` or `C:\\ProgramData\\certify\\custom_ca_certs\\der`, for instance to support new Let's Encrypt staging root certs or any custom/new CA root without adding to the machine trust store.\r\n* Fixes:\r\n - Fix issue where new certificate orders may not include the primary domain (automated tests)\r\n - Fix logging of identifier name during validation\r\n - Fix issuer cache refresh without restarting service\r\n \n"},{"version":"5.3.0","releasedate":"2021/02/19","body":"* Fixes:\r\n - Display IIS sites by default if either mode (website/ftp) is started\r\n - Report error if DNS validation fails during testing.\r\n - Azure DNS provider max number of DNS zones increased\r\n* Enhancements:\r\n - New IONOS (1&1) DNS API provider contributed by https://github.com/maxulm\r\n - Updated Posh-ACME DNS provider integrations to v4.x, retired UnoEuro provider, added Simply.com and Rimu Hosting\r\n - CLI: Add `--renew-all-due` option and `id=` option to target individual items. Managed cert ID can be found under Certificate > Advanced > Actions\r\n - Initial support for IP address identifiers (requires CA support).\r\n - Report error type if problem occurs attempting to parse a custom CSR private key.\r\n - General UI Updates \n"},{"version":"5.2.1","releasedate":"2020/12/03","body":"* Fixes: \r\n - fix selection of HMAC algorithm for external account binding. \n"},{"version":"5.2.0","releasedate":"2020/11/26","body":"### âš  Important Update for users who need to support old versions of Android on their sites.\r\n----------------------\r\n\r\nThis version provides new support for \"preferred chain\", **this is important for users who still need to support older Android devices using their sites.** \r\n\r\nOn January 11 2021 Let's Encrypt will move to a new a root certificate *ISRG Root X1* which is not trusted in older versions of Android. Affected users should set their preferred chain to **DST Root CA X3** either at their Let's Encrypt account level (Settings > Certificate Authorities) or on specific certificates in Certificate > Advanced > Certificate Authority. \r\n\r\nAlternatively switch to using an alternative Certificate Authority with an existing trusted root (e.g BuyPass Go or ZeroSSL).\r\n\r\n-------------------\r\n\r\n* Other enhancements in this version:\r\n\r\n - Added **ZeroSSL** as a standard Certificate Authority option. To get started with ZeroSSL go to zerossl.com and create a free account, then go to Developer > EAB Credentials for ACME Clients > Generate to get your 'External Account Binding' credentials. You can then add your ZeroSSL account under Settings> Certificate Authorities, New Account. See the Advanced tab to set EAB credentials.\r\n - New support for External Account Binding - this lets you use certificate authorities which require this feature.\r\n - New settings preference UI for NTP server check (time sync diagnostic).\r\n - External certificate managers and the PFX password option features are now enabled by default.\r\n - General UI updates and bug fixes \n"},{"version":"5.1.12","releasedate":"2020/10/29","body":"* Enhancements:\r\n * Add automatic DB backup as part of daily maintenance, move all DB maintenance to daily task. \n"},{"version":"5.1.11","releasedate":"2020/10/21","body":"* Fixes:\r\n * Handle possible disk IO exception during db maintenance (low disk space or IO errors etc).\r\n * Powershell: don't use previously supplied windows credentials if no longer relevant to selected user type\r\n* Enhancements:\r\n * Add default 5 min timeout to powershell scripting and make ExecutionPolicy optional\r\n * Add ssl option flag to Exchange Deployment Task (beta - try it out if you need it). \n"},{"version":"5.1.10","releasedate":"2020/10/13","body":"* Fixes:\r\n * revert exception behaviour when managed certificate changes made during request\r\n * Minor updates to UI text in some deployment tasks \n"},{"version":"5.1.9","releasedate":"2020/10/08","body":"* Enhancements: \r\n * Database write ahead logging behaviour\r\n * Managed certificates versioning enforced\r\n * Run service diagnostics on UI startup\r\n * Add impersonation logontype selection to powershell deployment task (see https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-logonusera?redirectedfrom=MSDN) as different logontypes are useful in different circumstances.\r\n* Fixes:\r\n * Certificate Store deployment task now allows blank cert friendly name\r\n * Improved handling of potentially invalid IIS site bindings (including ftp) \n"},{"version":"5.1.8","releasedate":"2020/09/18","body":"* Fixes:\r\n * Fix custom PFX credential selection UI reverting to no selection. \n"},{"version":"5.1.7","releasedate":"2020/09/14","body":"* Fixes:\r\n * Important: Service Manager (Stop/Start/Restart Service) Deployment Task regression since 5.1.3, caused stopped service to not restart. \n"},{"version":"5.1.6","releasedate":"2020/09/10","body":"* Fixes:\r\n * Update deSEC DNS provider (Posh-ACME) and fix optional parameters\r\n * Ensure concurrent updates to managed certificates list show in UI\r\n* Enhancements:\r\n * Just show release notes for versions after currently installed version. \n"},{"version":"5.1.5","releasedate":"2020/09/07","body":"* Fixes:\r\n * PowerShell execution policy preference in serviceconfig.json should be passed to deployment tasks\r\n * Fix ChallengeType reported in Webhook integrations\r\n * Don't remove script files from Program Files\\CertifyTheWeb\\ as some users may have custom scripts there. *This is a temporary change to help with upgrades. If you have scripts stored there, move them now*.\r\n \r\n Note: **Do not store custom scripts under Program Files\\CertifyTheWeb**, instead use a custom location which will be preserved (such as C:\\CertifyScripts or C:\\ProgramData\\Certify\\Scripts)\r\n \n"},{"version":"5.1.4","releasedate":"2020/09/03","body":"* Fixes: \r\n * ADFS deployment task fix/update\r\n * Fix option checkbox handling for various deployment task.\r\n * Catch exception if ACME registration timeout occurs \n"},{"version":"5.1.3","releasedate":"2020/08/28","body":"* Fixes:\r\n * Powershell scripting logon type for local user should use .\\ if no domain specified.\r\n * Fix PFX password choice display under Certificate > Advanced (if enabled), export/conversion of password protected PFX in deployment tasks \n"},{"version":"5.1.2","releasedate":"2020/08/21","body":"* Fixes: \r\n * SimpleDNS provider updates and fixes\r\n * Startup exception when no existing items present \n"},{"version":"5.1.1","releasedate":"2020/08/20","body":"* Fixes: Fix issue using SimpleDNS API \n"},{"version":"5.1.0","releasedate":"2020/08/19","body":"* Features:\r\n * Custom CSR (useful for SAP Netweaver and many other servers) and Custom Private Key support\r\n * RFC2136 DNS validation support via Posh-ACME and nsupdate\r\n * New Hashicorp Vault deployment task.\r\n * New Settings UI, including options to Enable/Disable preview features\r\n * (Preview): Specify custom PFX password (stored credential)\r\n * (Preview): Custom CA Editor\r\n * (Preview): Import and Export Migration Tool - prepares a bundle of settings and files for deployment to another server, or for backups.\r\n* Enhancements:\r\n * DNS plugins are now dynamically loaded, allowing custom plugins (contributed by https://github.com/TwelveBaud)\r\n * CSV import now accepts 'auto' site id for auto deployment\r\n * New Tasks tab (previously under Deployment) to highlight Tasks feature\r\n * SSH/SFTP tasks now accept `hostname:port` to allow for custom ports.\r\n * Licensed installs can now deactivated from the UI (for decommissioning or license key changes).\r\n* Fixes: \r\n * Changes to authentication for network file copying tasks and Powershell to aid with domain/network authenticated tasks. \r\n * Certificate export updates and fixes\r\n * Misc fixes and refinements\r\n\r\n \n"},{"version":"5.0.12","releasedate":"2020/06/16","body":"* Fix: Improve integration of Posh-ACME DNS providers (fix Google Cloud etc) \n"},{"version":"5.0.11","releasedate":"2020/06/11","body":"* Fix: The advanced Re-fetch certificate feature should only be used if you have an existing cert order with the ACME CA\r\n* Fix: Settings save should not produce an error if no CA is currently selected \r\n* Fix: Default theme should still be light\r\n* Fix: (Dark mode) checkboxes not showing in domains list\r\n* Fix: if previous session used dual monitors, don't place the UI offscreen on resume with single monitor.\r\n* Fix: Add additional logging for permissions issues on service startup \n"},{"version":"5.0.10","releasedate":"2020/06/03","body":"* Fix: Fix startup exception when parsing invalid trusted root certificates from local store. \n"},{"version":"5.0.9","releasedate":"2020/06/02","body":"* Feature: Add powershell version detection to app diagnostics (PowerShell v5 or higher is required for scripting and certain deployment task functionality)\r\n* Feature: UI styling updates\r\n* Feature: Update cert revoke UI\r\n* Feature: Revised acme-dns workflow \n"},{"version":"5.0.8","releasedate":"2020/05/21","body":"* Feature: Deploy certificate to Azure Key Vault\r\n* Feature: Infoblox DNS provider via Posh-ACME\r\n* Fix: Manual DNS requests should pause and be manually resumed.\r\n* Fix: EasyDNS (Posh-ACME) parameter fixes\r\n* Fix: Service Manager deployment task bug fixes\r\n* Fix: Upgrades from very old versions should only use background service for renewals \n"},{"version":"5.0.7","releasedate":"2020/05/15","body":"* Feature: Cert Friendly name now included in results object for PowerShell scripting\r\n* Fix: Improved Ssh/Sftp handling in Deployment Tasks, Service Manager fixes and improvements\r\n* Fix: Deferred (manual) deployment tasks properly skipped during normal requests/renewals \n"},{"version":"5.0.6","releasedate":"2020/05/12","body":"* Feature: New Service manager deployment task (restart, stop or start a service)\r\n* Fix: Script task run as local service duplication removed, misc UI fixes\r\n \n"},{"version":"5.0.5","releasedate":"2020/05/09","body":"* Feature: improvements for challenge validation with non-Let's Encrypt CAs (e.g. small-step ACME)\r\n* Feature: Add basic support for viewing certs from external cert managers (win-acme and Posh-ACME)\r\n* Fix: UI Updates, Binding Deployment exception & misc fixes\r\n \n"},{"version":"5.0.4","releasedate":"2020/05/04","body":"* Feature: New `Wait n Seconds..`, `Deploy to Generic Server`, `RDP Gateway` and `RDP Listener` Deployment Tasks\r\n* Fix: CCS Export validation, cert full-cleanup job, script task error results, misc fixes\r\n \n"},{"version":"5.0.3","releasedate":"2020/04/29","body":"* Fix: Deleting deployment task, PowerShell/DNS path fixes\r\n* Feature: CLI options targeting specific renewal categories \n"},{"version":"5.0.2","releasedate":"2020/04/26","body":" * Fix: PowerShell scripting task, deployment task status results\r\n * Feature: UI for Deployment task last run status \n"},{"version":"5.0.1","releasedate":"2020/04/26","body":"* Fix: Post-ACME DNS Provider arguments, credential list UI binding \n"},{"version":"5.0.0","releasedate":"2020/04/25","body":"\r\n# Certify The Web v5\r\n\r\n**v5.x is a major new release featuring thousands of improvements and changes developed over the last 12 months.**\r\n\r\n## Updates & New Features in v5.x:\r\n\r\n\r\nMulti-ACME Account Support\r\n* New support for multiple ACME accounts (including BuyPass Go), additional/custom ACME CAs are configurable\r\n* New support for using Staging accounts (useful for testing without affecting production rate limits).\r\n\r\nDeployment Tasks:\r\n\r\n* Unlimited pre/post-renewal Tasks tasks such as export, copying, scripting, webhooks.\r\n* You can now defer and control deployment tasks so they can be part of scheduled maintenance outside of certificate renewal itself.\r\n* Deploy to windows, linux or other SSH hosts.\r\n* Deploy as specific users (windows, network, unix/linux)\r\n* Flexible certificate/key export in a range of common formats\r\n* Includes pre-built Deployment Tasks for MS Exchange, ADFS, Apache, nginx, Tomcat, CCS, Remote Access (VPN, SSTP), RDP Gateway/Listener\r\n\r\nDNS Providers:\r\n\r\n* 26 new DNS API providers via Posh-ACME. We now offer over 38 different DNS update providers/methods.\r\n* New TransIP DNS API provider contributed by ErikVO https://github.com/ErikvO\r\n\r\nMisc:\r\n* Hundreds of smaller UI changes including IIS FTP site support, integrated documentation links for DNS providers etc, release notes UI\r\n* Dark theme\r\n* UI Scaling options for enhanced accessibility\r\n* Command line option to scan for certificates that have been revoked to flag them for renewal\r\n* Bug fixes \n"}]}}