Rated 5 out of 5 stars

Righteous! Love this to death.

Edited for dev reply: SQLite: excellent. Mostly what I'm asking for is: in addition to the lovely host/domain ignore list you added, also a "host/domain to only check CA list". Keep it all centralized, and make it easy to only check CA for *.google.com, *.googleusercontent.com, and so on.

Right now, I have to check this box for *every certificate*, and it's a long, long slog. Then, when the cert expires in a-year-or-whatever: I have to re-check all those boxes for all those certificates. Too much effort.

I *want* to know if the issuance chain has *completely changed* on, say, Google certificates; I'd rather not ignore them entirely. However, until I can "semi-ignore" entire domains, it's very tempting to dump *.g*.com into the ignore list. Or disable Certificate Patrol entirely.

This review is for a previous version of the add-on (2.0.8.1-signed.1-signed). 

There's a checkbox in the change notification dialog that makes CP check only the issuer of the certificate for that host. You can also set this flag in the certificate manager, and yes, it's stored in SQLite.