Output Format

Certificate Scan Results

The plugin generates certificate scan results in the following standardized format:

{
  "type": "cert",
  "timestamp": "2025-12-15T16:18:46-05:00",
  "urn": "urn:cert:sha256:9b33a57a6e9e9416a24e5e7748912b96e87c1990aab1e7ea60eeb303293c1a0a",
  "url": "https://console.aws.amazon.com/acm/home?region=us-east-1#/?id=arn:aws:acm:us-east-1:558162184545:certificate/1275ea29-2cbb-4ff4-98f2-e1cc6196e9d8",
  "extra": {
    "account_id": "558162184545",
    "arn": "arn:aws:acm:us-east-1:558162184545:certificate/1275ea29-2cbb-4ff4-98f2-e1cc6196e9d8",
    "options": {
      "cert_transparency_logging_preference": "disabled"
    },
    "origin": "imported",
    "platform_type": "aws",
    "region": "us-east-1",
    "renewal_eligibility": "ineligible",
    "status": "issued"
  },
  "cert_pem": "MIIDizCC......"
}

When Certificate Body Is Unavailable

{
  "type": "cert",
  "timestamp": "2025-12-15T16:18:45-05:00",
  "urn": "urn:cert:arn:arn:aws:acm:us-east-1:558162184545:certificate/b9464c90-29f8-4d88-bb18-71dcaa3e031f",
  "url": "https://console.aws.amazon.com/acm/home?region=us-east-1#/?id=arn:aws:acm:us-east-1:558162184545:certificate/b9464c90-29f8-4d88-bb18-71dcaa3e031f",
  "extra": {
    "account_id": "558162184545",
    "arn": "arn:aws:acm:us-east-1:558162184545:certificate/b9464c90-29f8-4d88-bb18-71dcaa3e031f",
    "domain_name": "*.example.com",
    "issuer": "Amazon",
    "options": {
      "cert_transparency_logging_preference": "enabled"
    },
    "origin": "amazon_issued",
    "platform_type": "aws",
    "public_key_algorithm": "RSA-2048",
    "region": "us-east-1",
    "renewal_eligibility": "ineligible",
    "signature_algorithm": "SHA256WITHRSA",
    "status": "failed",
    "subject": "CN=*.example.com",
    "subject_alternative_names": [
      "*.example.com"
    ]
  },
  "cert_pem": ""
}

URN Generation: The urn field is generated from a hash of the certificate PEM body, so the same certificate always maps to the same identifier regardless of which account or region it was found in. When no certificate body is available, the URN is derived from the certificate ARN instead (urn:cert:arn:<arn>), as in the second example above.

Error Output: If an error occurs, the plugin outputs a structured JSON object with error details under data.errorDetails and a summary message in data.errorMessage.

Field Descriptions

  • type: Always "cert" for certificate assets
  • timestamp: RFC3339 timestamp of when the scan was performed, in local timezone (e.g., 2024-08-07T10:30:00-07:00 for PDT or 2024-08-07T17:30:00Z for UTC)
  • urn: Unique identifier derived from the certificate's SHA-256 hash (urn:cert:sha256:<hex>); when the certificate body is unavailable, it is derived from the ARN instead (urn:cert:arn:<arn>)
  • url: Direct link to the certificate in the AWS Console
  • cert_pem: The certificate's RFC 7468 PEM encoding with the BEGIN/END CERTIFICATE lines stripped, i.e. the base64 body only; an empty string when the body is unavailable
  • extra: Additional metadata from ACM (see Extra Fields section below)

Extra Fields

The extra object contains AWS-specific metadata about the certificate. The following fields are included:

Standard Fields (Always Included)

  • platform_type (string): Always "aws" indicating the certificate is from AWS Certificate Manager
  • renewal_eligibility (string): Whether the certificate is eligible for renewal (values: "eligible", "ineligible")
  • options (object): Certificate configuration options
    • cert_transparency_logging_preference (string): Certificate transparency logging preference (values: "enabled", "disabled")
  • account_id (string): AWS account ID extracted from the certificate ARN. Empty string if extraction fails
  • region (string): AWS region where the certificate is stored (e.g., "us-east-1")
  • arn (string): Full AWS ARN of the certificate (e.g., "arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234")
  • status (string): Current certificate status (values: "issued", "pending_validation", "failed", "expired", "revoked", "inactive")
  • origin (string): Certificate type/origin (values: "amazon_issued", "imported")

Fallback Fields (When Certificate Body Is Unavailable)

When the certificate body cannot be retrieved via GetCertificate, the following additional fields are populated from DescribeCertificate metadata:

  • issuer (string): Certificate issuer distinguished name
  • subject (string): Certificate subject distinguished name
  • public_key_algorithm (string): Public key algorithm type (e.g., "RSA_2048", "EC_prime256v1")
  • signature_algorithm (string): Signature algorithm used
  • subject_alternative_names (array of strings): List of Subject Alternative Names (SANs)
  • serial_number (string): Certificate serial number
  • not_after (string): Certificate expiration date (RFC3339 format)
  • not_before (string): Certificate validity start date (RFC3339 format)

Note: All status, origin, and preference values are converted to lowercase for consistency.
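As an added example (not part of the plugin or this page), the following Python consumes records in the format described above and turns them into review findings: it recomputes the URN to catch records whose urn and cert_pem disagree, and flags the conditions a defender would want to track (non-issued status, CT logging disabled, imported certificates that ACM will not renew, fallback records lacking DescribeCertificate metadata). The sample records, account id, ARNs and base64 body are constructed placeholders, and the hash input (the base64 body as stored in cert_pem) is an assumption, since the page only says the URN is a hash of the PEM body.

```python
import hashlib
import json

# Constructed sample records in the plugin's output format (not real scan data).
ARN1 = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-1"
ARN2 = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-2"
ISSUED = {"type": "cert", "timestamp": "2025-12-15T16:18:46-05:00", "urn": "",
          "extra": {"account_id": "123456789012", "arn": ARN1, "region": "us-east-1",
                    "options": {"cert_transparency_logging_preference": "disabled"},
                    "origin": "imported", "platform_type": "aws",
                    "renewal_eligibility": "ineligible", "status": "issued"},
          "cert_pem": "MIIDizCCAnOgAwIBAgIUPLACEHOLDER"}  # placeholder base64 body
FALLBACK = {"type": "cert", "timestamp": "2025-12-15T16:18:45-05:00", "cert_pem": "",
            "urn": "urn:cert:arn:" + ARN2,
            "extra": {"account_id": "123456789012", "arn": ARN2, "region": "us-east-1",
                      "options": {"cert_transparency_logging_preference": "enabled"},
                      "origin": "amazon_issued", "platform_type": "aws",
                      "renewal_eligibility": "ineligible", "status": "failed",
                      "issuer": "Amazon", "subject": "CN=*.example.com",
                      "subject_alternative_names": ["*.example.com"]}}


def expected_urn(rec):
    """Recompute the URN a record should carry.  Assumption: the SHA-256 is taken
    over the base64 body as stored in cert_pem; with no body, urn:cert:arn:<arn>."""
    body = rec.get("cert_pem", "")
    if body:
        return "urn:cert:sha256:" + hashlib.sha256(body.encode()).hexdigest()
    return "urn:cert:arn:" + rec["extra"]["arn"]


def review(rec):
    """Return review findings for one record; an empty list means nothing to do."""
    extra, out = rec["extra"], []
    if rec["urn"] != expected_urn(rec):
        out.append("urn does not match cert_pem/arn")
    if extra["status"] != "issued":
        out.append("status is " + extra["status"])
    if extra["options"]["cert_transparency_logging_preference"] != "enabled":
        out.append("ct logging disabled")  # issuance will not show in CT monitoring
    if extra["origin"] == "imported":
        out.append("imported: acm will not renew")  # track expiry out of band
    if not rec.get("cert_pem") and "subject" not in extra:
        out.append("no cert body and no DescribeCertificate fallback fields")
    return out


def review_ndjson(text):
    """Review one JSON record per line; returns {urn: findings}."""
    return {r["urn"]: review(r) for r in map(json.loads, filter(str.strip, text.splitlines()))}


ISSUED["urn"] = expected_urn(ISSUED)  # give the constructed record a consistent urn
SAMPLE_NDJSON = json.dumps(ISSUED) + "\n" + json.dumps(FALLBACK) + "\n"
```

Feed the plugin's real output to review_ndjson one record per line; a urn mismatch on a record with a body means the stored identifier is stale for that certificate.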