New features

• The full options menu now exposes the 'order' step, which allows you to split your source into multiple certificates. This can be useful when you run into limits imposed by your ACME provider (e.g. Let's Encrypt only supports 100 host names per certificate), want to generate certificates for many websites without micro-managing the associated renewals, and/or want to prevent information disclose through the SAN list. This feature has been available through the command line for a long time, but is now considered mature enough for a broader audience.
• With the new global validation options it's possible to create certificates with a mix of different validation options. You might for example use HTTP-01/FTP validation for www.example.com and DNS validation for *.contoso.net. Inspired by an idea coined by @JensSpanier (#2032). This also makes it easier to handle complicated validation settings. For example Azure requires some five pieces of difficult to remember information to do DNS validation, which until now had to be provided and maintained for each renewal seperately.
• Added a new external plugin to store certificates in the CurrentUser store instead of the LocalSystem store, as requested by @cvalka2 and others (#2213).
• Added a new external plugin for DNS Made Easy, contributed by @cboyce428 (#2230)
• It's now possible to customize the file name used in the PFX and PEM store plugins, instead of that being hardwired to reflect the common name of the certificate, as requested by @Dezeptor (#2231).
• When disabling the certificate cache (setting it to 0 days) no private key material will be stored anywhere except when and where specifically requested. @florian-re brought this need to our attention (#2286).
• The renewal manager now includes an option to show the command line arguments that may be used to (re)create the renewal. This is not a 100% water tight solution because some things can only be done by going through the menu's interactively, but should help the discoverability of unattended mode and provide an easier path for people getting into automation. Suggested by @elitegoodguy and @cesarchefino.

Enhancements

• Plugins have seen many changes in this release, which is the reason this release is designated as version 2.2.0 instead of 2.1.24. If you've built your own plugin, you'll have to adapt it to use the new interfaces designed for this release. Generally this will increase code quality by reducing redundancy and resolving several awkward bits that sneaked in over the years as demands for the previous system shifted. As an end-user, this should have no noticable effect, except for more meaningful and context-aware error messages in several places.
• The program is now built using .NET7, keeping up to date with the latest and greatest from Microsoft and improving the file size and reliability of the self-contained executable (e.g. #2192). Several of the larger classes have been refactored into smaller pieces to improve code readability and maintainability, and the whole solution has been cleaned of warnings.
• Download size of the trimmed package has been reduced by about 2MB.
• Newtonsoft.Json has been removed in favor of Microsofts own System.Text.Json.
• Azure plugins for DNS and KeyVault have been updated to use the next-generation ResourceManager packages, as well as various other third party dependency updates.
• Added a "no cache" (--nocache) switch and renewal manager menu option to be specifically different from "force" (--force). The latter ensures that renewals are always due, while the former temporarily disables the cache. This resolves some illogical behaviour, as pointed out by @aleekso in #2257.
• Intermediate certificates will no longer be installed to the Windows Certificate Store in --test mode, as per Let's Encrypts security recommendations. This helps to prevent your machine from trusting other test certificates.
• If an error happens during an otherwise succesful renewal (e.g. triggered by an installation script), the notification system will still send a high priority notification, as requested by @baconliker in #2283.
• You will no longer be able to pick the IIS installation step more than once. There is currently never any need to do this, but the possibility led users to believe that it may be needed or useful (e.g. #2236).
• For ACME services that provide long-lived certificates, it's now possible to change the cache system to keep files longer than 120 days, as requested by @FISHMANPET (#2255).
• @mike6715b contributed an example script for the Veeam Cloud Gateway.
• An option has been added to settings.json to disable the datetimestamp that is normally appended to the friendly name of certificates, increasing the level of control over the final outcome, as requested by @willt (#2298).

Bug fixes

• Attempting first-time setup with EAB credentials at ZeroSSL would fail due to the program asking for user input.
• Encrypt/decrypt private keys stored in the order cache when calling --encrypt, this was previously ignored.
• Don't show message "Test message sent" when it actually fails, reported by @kostamoisidis (#2208)
• The IIS FTP service would not always be detected properly, reported by @morhans (#2272)
• When cancelling a certificate using the command line, the cache would not be cleared.