Table: net_certificate
Certificate details for a domain.
Note: A domain must be provided in all queries to this table.
Examples
Certificate information
select *from net_certificatewhere domain = 'steampipe.io';Time until the certificate expires
select domain, AGE(not_after, current_timestamp) as time_until_expirationfrom net_certificatewhere domain = 'steampipe.io';Check if the certificate is currently valid
select domain, not_before, not_afterfrom net_certificatewhere domain = 'steampipe.io' and not_before < current_timestamp and not_after > current_timestamp;Check if the certificate was revoked by the CA
select domain, not_before, not_afterfrom net_certificatewhere domain = 'steampipe.io' and revoked;Check certificate revocation status with OCSP
select domain, ocsp ->> 'status' as revocation_status, ocsp ->> 'revoked_at' as revoked_atfrom net_certificatewhere domain = 'steampipe.io';Check if certificate using insecure algorithm (e.g., MD2, MD5, SHA1)
select domain, not_before, not_after, signature_algorithmfrom net_certificatewhere domain = 'steampipe.io' and signature_algorithm like any (array [ '%SHA1%', '%MD2%', '%MD5%' ]);Query examples
- ssl_additional_certificate_record
- ssl_certificate_record
- ssl_certificate_report
- ssl_server_configuration_checks
Control examples
- ssl_certificate_avoid_too_much_security
- ssl_certificate_check_for_reliable_ca
- ssl_certificate_domain_name_mismatch
- ssl_certificate_multiple_hostname
- ssl_certificate_no_insecure_signature
- ssl_certificate_not_expired
- ssl_certificate_not_revoked
- ssl_certificate_not_self_signed
- ssl_certificate_secure_private_key
- ssl_certificate_transparent
- ssl_certificate_use_complete_certificate_chain
- ssl_certificate_valid
.inspect net_certificate
Certificate details for a domain.
| Name | Type | Description |
|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. |
| chain | jsonb | Certificate chain. |
| common_name | text | Common name for the certificate. |
| country | text | Country for the certificate. |
| crl_distribution_points | jsonb | A CRL distribution point (CDP) is a location on an LDAP directory server or Web server where a CA publishes CRLs. |
| dns_names | jsonb | DNS names for the certificate. |
| domain | text | Domain name the certificate represents. |
| email_addresses | jsonb | Email addresses for the certificate. |
| ip_address | inet | IP address associated with the domain. |
| ip_addresses | jsonb | Array of IP addresses associated with the domain. |
| is_ca | boolean | True if the certificate represents a certificate authority. |
| issuer | text | Issuer of the certificate. |
| issuer_name | text | Common name for the issuer of the certificate. |
| issuing_certificate_url | jsonb | List of URLs of the issuing certificates. |
| locality | text | Locality of the certificate. |
| not_after | timestamp with time zone | Time when the certificate expires. Also see not_before. |
| not_before | timestamp with time zone | Time when the certificate is valid from. Also see not_after. |
| ocsp | jsonb | Describes OCSP revocation status of the certificate. |
| ocsp_servers | jsonb | A list of OCSP URLs that are contacted by all end entity certificates to determine revocation status. |
| organization | text | Organization of the certificate. |
| ou | jsonb | Organizational Unit of the certificate. |
| public_key_algorithm | text | Public key algorithm used by the certificate. |
| public_key_length | bigint | Specifies the size of the key. |
| revoked | boolean | True if the certificate was revoked. |
| serial_number | text | Serial number of the certificate. |
| signature_algorithm | text | Signature algorithm of the certificate. |
| state | text | State of the certificate. |
| subject | text | Subject of the certificate. |
| transparent | boolean | True if the certificate is visible in certificate transparency logs. |