turbot/net

steampipe plugin install net

Table: net_certificate

Certificate details for a domain.

Note: A domain must be provided in all queries to this table.

Examples

Certificate information

select
  *
from
  net_certificate
where
  domain = 'steampipe.io';

Time until the certificate expires

select
  domain,
  age(not_after, current_timestamp) as time_until_expiration
from
  net_certificate
where
  domain = 'steampipe.io';

Check if the certificate is currently valid

select
  domain,
  not_before,
  not_after
from
  net_certificate
where
  domain = 'steampipe.io'
  and not_before < current_timestamp
  and not_after > current_timestamp;

Check if the certificate was revoked by the CA

select
  domain,
  not_before,
  not_after
from
  net_certificate
where
  domain = 'steampipe.io'
  and revoked;

Check certificate revocation status with OCSP

select
  domain,
  ocsp ->> 'status' as revocation_status,
  ocsp ->> 'revoked_at' as revoked_at
from
  net_certificate
where
  domain = 'steampipe.io';

Check if the certificate uses an insecure signature algorithm (e.g., MD2, MD5, SHA1)

select
  domain,
  not_before,
  not_after,
  signature_algorithm
from
  net_certificate
where
  domain = 'steampipe.io'
  and signature_algorithm like any (array ['%SHA1%', '%MD2%', '%MD5%']);
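
Combined certificate posture check

The individual checks above can be folded into one result row for a domain. This query is an added example, not part of the plugin's documentation; it uses only columns listed for this table, and the 30-day renewal window, the 2048-bit RSA floor and the assumption that public_key_algorithm contains 'RSA' for RSA keys are illustrative choices.

```sql
-- Added example: single-row certificate posture summary for one domain.
-- Assumed policy values: 30-day renewal window, 2048-bit minimum for RSA keys.
with cert as (
  select
    domain,
    not_before,
    not_after,
    signature_algorithm,
    public_key_algorithm,
    public_key_length,
    revoked,
    ocsp ->> 'status' as ocsp_status
  from
    net_certificate
  where
    domain = 'steampipe.io'  -- the table requires a domain qualifier
)
select
  domain,
  -- Classify the validity window, covering both ends of it.
  case
    when not_before > current_timestamp then 'not yet valid'
    when not_after <= current_timestamp then 'expired'
    when not_after <= current_timestamp + interval '30 days' then 'expiring soon'
    else 'valid'
  end as validity,
  age(not_after, current_timestamp) as time_until_expiration,
  -- Same pattern match as the insecure-algorithm example above.
  signature_algorithm like any (array ['%SHA1%', '%MD2%', '%MD5%']) as weak_signature,
  -- Assumes RSA keys are reported with 'RSA' in public_key_algorithm.
  (public_key_algorithm ilike '%rsa%' and public_key_length < 2048) as short_rsa_key,
  revoked,
  ocsp_status
from
  cert;
```

A row with validity other than 'valid', or with weak_signature, short_rsa_key or revoked set to true, is one to follow up on.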


.inspect net_certificate

Certificate details for a domain.

| Name | Type | Description |
| --- | --- | --- |
| _ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. |
| chain | jsonb | Certificate chain. |
| common_name | text | Common name for the certificate. |
| country | text | Country for the certificate. |
| crl_distribution_points | jsonb | A CRL distribution point (CDP) is a location on an LDAP directory server or Web server where a CA publishes CRLs. |
| dns_names | jsonb | DNS names for the certificate. |
| domain | text | Domain name the certificate represents. |
| email_addresses | jsonb | Email addresses for the certificate. |
| ip_address | inet | IP address associated with the domain. |
| ip_addresses | jsonb | Array of IP addresses associated with the domain. |
| is_ca | boolean | True if the certificate represents a certificate authority. |
| issuer | text | Issuer of the certificate. |
| issuer_name | text | Common name for the issuer of the certificate. |
| issuing_certificate_url | jsonb | List of URLs of the issuing certificates. |
| locality | text | Locality of the certificate. |
| not_after | timestamp with time zone | Time when the certificate expires. Also see not_before. |
| not_before | timestamp with time zone | Time when the certificate is valid from. Also see not_after. |
| ocsp | jsonb | Describes OCSP revocation status of the certificate. |
| ocsp_servers | jsonb | A list of OCSP URLs that are contacted by all end entity certificates to determine revocation status. |
| organization | text | Organization of the certificate. |
| ou | jsonb | Organizational Unit of the certificate. |
| public_key_algorithm | text | Public key algorithm used by the certificate. |
| public_key_length | bigint | Specifies the size of the key. |
| revoked | boolean | True if the certificate was revoked. |
| serial_number | text | Serial number of the certificate. |
| signature_algorithm | text | Signature algorithm of the certificate. |
| state | text | State of the certificate. |
| subject | text | Subject of the certificate. |
| transparent | boolean | True if the certificate is visible in certificate transparency logs. |