Table: net_certificate
Certificate details for a domain.
Note: A domain must be provided in all queries to this table.
Examples
Certificate information
```sql
select
  *
from
  net_certificate
where
  domain = 'steampipe.io';
```
Time until the certificate expires
```sql
select
  domain,
  age(not_after, current_timestamp) as time_until_expiration
from
  net_certificate
where
  domain = 'steampipe.io';
```
Check if the certificate is currently valid
```sql
select
  domain,
  not_before,
  not_after
from
  net_certificate
where
  domain = 'steampipe.io'
  and not_before < current_timestamp
  and not_after > current_timestamp;
```
Check if the certificate was revoked by the CA
```sql
select
  domain,
  not_before,
  not_after
from
  net_certificate
where
  domain = 'steampipe.io'
  and revoked;
```
Check certificate revocation status with OCSP
```sql
select
  domain,
  ocsp ->> 'status' as revocation_status,
  ocsp ->> 'revoked_at' as revoked_at
from
  net_certificate
where
  domain = 'steampipe.io';
```
Check if the certificate uses an insecure signature algorithm (e.g., MD2, MD5, SHA1)
```sql
select
  domain,
  not_before,
  not_after,
  signature_algorithm
from
  net_certificate
where
  domain = 'steampipe.io'
  and signature_algorithm like any (array['%SHA1%', '%MD2%', '%MD5%']);
```
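Combined certificate findings report (an added example, not part of the original Steampipe documentation). It folds the individual checks above into a single row with a `findings` array, using only columns from the schema on this page. The 30-day expiry window, the 2048-bit RSA minimum, and the literal value 'RSA' in public_key_algorithm are assumptions.

```sql
-- Added example: one row per domain with every failed check listed in "findings".
-- An empty findings array means none of the checks below fired.
select
  domain,
  issuer_name,
  not_after,
  signature_algorithm,
  public_key_algorithm,
  public_key_length,
  ocsp ->> 'status' as ocsp_status,
  -- Each case yields a label or null; array_remove drops the nulls.
  array_remove(array[
    case when not_before > current_timestamp
      then 'not yet valid' end,
    case when not_after < current_timestamp
      then 'expired' end,
    -- Assumption: 30 days is the renewal warning window.
    case when not_after between current_timestamp
                            and current_timestamp + interval '30 days'
      then 'expires within 30 days' end,
    case when revoked
      then 'revoked' end,
    -- Same pattern list as the insecure-algorithm query on this page.
    case when signature_algorithm like any (array['%SHA1%', '%MD2%', '%MD5%'])
      then 'insecure signature algorithm' end,
    -- Assumption: RSA keys are reported as 'RSA'; 2048 bits is the minimum.
    case when public_key_algorithm = 'RSA' and public_key_length < 2048
      then 'RSA key shorter than 2048 bits' end,
    case when not transparent
      then 'not in certificate transparency logs' end
  ], null) as findings
from
  net_certificate
where
  -- The table requires a domain in every query.
  domain = 'steampipe.io';
```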
Query examples
- ssl_additional_certificate_record
- ssl_certificate_record
- ssl_certificate_report
- ssl_server_configuration_checks
Control examples
- ssl_certificate_avoid_too_much_security
- ssl_certificate_check_for_reliable_ca
- ssl_certificate_domain_name_mismatch
- ssl_certificate_multiple_hostname
- ssl_certificate_no_insecure_signature
- ssl_certificate_not_expired
- ssl_certificate_not_revoked
- ssl_certificate_not_self_signed
- ssl_certificate_secure_private_key
- ssl_certificate_transparent
- ssl_certificate_use_complete_certificate_chain
- ssl_certificate_valid
.inspect net_certificate
Certificate details for a domain.
Name | Type | Description |
---|---|---|
_ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. |
chain | jsonb | Certificate chain. |
common_name | text | Common name for the certificate. |
country | text | Country for the certificate. |
crl_distribution_points | jsonb | A CRL distribution point (CDP) is a location on an LDAP directory server or Web server where a CA publishes CRLs. |
dns_names | jsonb | DNS names for the certificate. |
domain | text | Domain name the certificate represents. |
email_addresses | jsonb | Email addresses for the certificate. |
ip_address | inet | IP address associated with the domain. |
ip_addresses | jsonb | Array of IP addresses associated with the domain. |
is_ca | boolean | True if the certificate represents a certificate authority. |
issuer | text | Issuer of the certificate. |
issuer_name | text | Common name for the issuer of the certificate. |
issuing_certificate_url | jsonb | List of URLs of the issuing certificates. |
locality | text | Locality of the certificate. |
not_after | timestamp with time zone | Time when the certificate expires. Also see not_before. |
not_before | timestamp with time zone | Time when the certificate is valid from. Also see not_after. |
ocsp | jsonb | Describes OCSP revocation status of the certificate. |
ocsp_servers | jsonb | A list of OCSP URLs that are contacted by all end entity certificates to determine revocation status. |
organization | text | Organization of the certificate. |
ou | jsonb | Organizational Unit of the certificate. |
public_key_algorithm | text | Public key algorithm used by the certificate. |
public_key_length | bigint | Specifies the size of the key. |
revoked | boolean | True if the certificate was revoked. |
serial_number | text | Serial number of the certificate. |
signature_algorithm | text | Signature algorithm of the certificate. |
state | text | State of the certificate. |
subject | text | Subject of the certificate. |
transparent | boolean | True if the certificate is visible in certificate transparency logs. |