Output Format
The plugin outputs a JSON file containing discovered assets, their metadata, and (for public keys/certificates) the PEM-encoded public key body.
Certificate Output Format
{
  "type": "cert",
  "timestamp": "2025-12-15T12:15:40-05:00",
  "urn": "urn:cert:sha256:dbe504b31dfecf6bb7ec13a4b3debae8d145c8ff1c2b3dc7d5969794320e846c",
  "url": "https://certhubsourcedestination.vault.azure.net/certificates/autorenew20240818/27f0e041f6ae498393cf5f2bf194d223",
  "extra": {
    "cert_name": "autorenew20240818",
    "exportable": true,
    "issuer_name": "Unknown",
    "origin": "imported",
    "platform_type": "azure",
    "purpose": "key_encipherment",
    "recovery_level": "Recoverable+Purgeable",
    "reuse_key": false,
    "status": "enabled",
    "tenant_id": "586c621b-e6b8-416e-8f9c-3acba8ec8fe4",
    "vault_name": "certhubsourcedestination"
  },
  "cert_pem": "MIIFIDCCBAigAw..."
}
Public Key Output Format
{
  "type": "pubkey",
  "timestamp": "2025-12-15T12:15:45-05:00",
  "urn": "urn:pubkey:sha256:32f5b4f5d669a0079fa742ee45ef5e6f7d5e9f2ea0eccf0e8264d9869ef1bcc2",
  "url": "https://certhubsourcedestination.vault.azure.net/keys/AzureTest02/029ea1d008ac43c89f47df652f4704ab",
  "extra": {
    "created_date": "2023-06-16T11:12:00-04:00",
    "expiration_date": "2026-06-16T11:11:59-04:00",
    "exportable": false,
    "hsm_protected": false,
    "key_version": "029ea1d008ac43c89f47df652f4704ab",
    "name": "AzureTest02",
    "origin": "azure_keyvault",
    "platform_type": "azure",
    "purpose": "encrypt_decrypt",
    "status": "enabled",
    "tenant_id": "586c621b-e6b8-416e-8f9c-3acba8ec8fe4",
    "updated_date": "2023-06-16T11:12:00-04:00",
    "vault_name": "certhubsourcedestination"
  },
  "pubkey_pem": "MIIBIjANBgk.."
}
Private Key Output Format
{
  "type": "privkey",
  "timestamp": "2025-12-15T12:15:59-05:00",
  "urn": "urn:privkey:name:damazure:b8819c19e7184dab9dbb0bf026c4b39a",
  "url": "https://certhubsourcedestination.vault.azure.net/secrets/damazure/b8819c19e7184dab9dbb0bf026c4b39a",
  "extra": {
    "content_type": "application/x-pem-file",
    "created_date": "2025-09-05T13:19:53-04:00",
    "cryptographic_algorithm": "RSA",
    "cryptographic_length": 2048,
    "expiration_date": "2028-09-05T13:19:48-04:00",
    "key_name": "damazure",
    "key_version": "b8819c19e7184dab9dbb0bf026c4b39a",
    "platform_type": "azure",
    "recovery_level": "Recoverable+Purgeable",
    "status": "enabled",
    "tenant_id": "586c621b-e6b8-416e-8f9c-3acba8ec8fe4",
    "updated_date": "2025-09-05T13:19:53-04:00",
    "vault_name": "certhubsourcedestination"
  }
}
URN Generation: The urn field is generated using a hash of the certificate PEM body for uniqueness and consistency.
Error Output: If an error occurs, the plugin outputs a structured JSON object with error details under data.errorDetails and a summary message in data.errorMessage.
Field Descriptions
- type: Asset type - "cert" for certificates, "pubkey" for public keys, "privkey" for private keys, "symkey" for symmetric keys, "secret" for generic secrets
- timestamp: RFC3339 timestamp of when the scan was performed, in local timezone (e.g., 2024-08-07T10:30:00-07:00 for PDT or 2024-08-07T17:30:00Z for UTC)
- urn: Unique identifier generated from asset content hash or name
- url: Direct link to asset in Azure Portal
- cert_pem / pubkey_pem: RFC 7468 compliant PEM-encoded certificate or public key (base64 body without headers/footers or newlines)
- extra: Additional metadata from Azure Key Vault (see Extra Fields section below)
Extra Fields
The extra object contains Azure-specific metadata about the asset. The fields differ based on asset type.
Common Fields (Present in All Asset Types)
The following fields are present across all asset types:
- platform_type (string): Always "azure", indicating the asset is from Azure Key Vault
- vault_name (string): Name of the Azure Key Vault containing the asset
- status (string): Current asset state (values: "enabled", "disabled")
- created_date (string): ISO 8601 timestamp of when the asset was created
- updated_date (string): ISO 8601 timestamp of last modification
Conditional Common Fields (only present if vault metadata is available):
- tenant_id (string): Azure Active Directory tenant ID
- tenant_name (string): Azure AD tenant name
- subscription_id (string): Azure subscription ID
- subscription_name (string): Azure subscription name
- resource_group (string): Azure resource group name
- location (string): Azure region/location
Certificate-Specific Fields (type: "cert")
In addition to the common fields, certificates include:
- cert_name (string): Name/identifier of the certificate
- recovery_level (string): Recovery protection level (values: "Recoverable+Purgeable", "Recoverable", "Purgeable", "CustomizedRecoverable+Purgeable", "CustomizedRecoverable")
- issuer_name (string): Name of the certificate issuer (e.g., "Self", "Unknown", or CA name)
- origin (string): Certificate origin (values: "self_signed", "imported", "ca_issued")
- ca_name (string): Certificate Authority name (only present when origin is "ca_issued")
- exportable (boolean): Whether the certificate's private key can be exported
- reuse_key (boolean): Whether the key can be reused for certificate renewal
- purpose (string): Comma-separated list of certificate purposes derived from Key Usage and Extended Key Usage (e.g., "digital_signature, key_encipherment, server_auth, client_auth")
Fallback fields (when certificate body is unavailable):
- cert_version (string): Specific version identifier of the certificate
- not_after (string): Certificate expiration date (ISO 8601 format)
- not_before (string): Certificate validity start date (ISO 8601 format)
Note: Key Usage and Extended Key Usage fields are NOT included in extras when cert_pem is present, as they are intrinsic to the certificate and can be parsed from the PEM.
Public Key-Specific Fields (type: "pubkey")
In addition to the common fields, public keys include:
- name (string): Key name from Azure Key Vault
- key_version (string): Specific version identifier of the key (UUID format)
- origin (string): Key origin (value: "azure_keyvault")
- hsm_protected (boolean): Whether the key is backed by a Hardware Security Module
- exportable (boolean): Whether the key can be exported from the vault
- purpose (string): Key usage purpose (values: "encrypt_decrypt", "sign_verify", "wrap_unwrap")
- expiration_date (string): ISO 8601 timestamp of key expiration (only present if set)
Note: Intrinsic cryptographic properties like algorithm type, key length, and curve are NOT included in extras as they can be derived from the pubkey_pem field.
Private Key-Specific Fields (type: "privkey")
In addition to the common fields, private keys include:
- key_name (string): Name of the private key
- key_version (string): Specific version identifier of the key
- content_type (string): MIME type of the secret content (e.g., "application/x-pem-file")
- recovery_level (string): Recovery protection level
- expiration_date (string): ISO 8601 timestamp of key expiration (only present if set)
Symmetric Key-Specific Fields (type: "symkey")
In addition to the common fields, symmetric keys include:
- key_name (string): Name of the symmetric key
- key_version (string): Specific version identifier of the key
- content_type (string): MIME type of the secret content
- recovery_level (string): Recovery protection level
- expiration_date (string): ISO 8601 timestamp of key expiration (only present if set)
Generic Secret-Specific Fields (type: "secret")
In addition to the common fields, generic secrets include:
- name (string): Name/identifier of the secret
- revision (string): Current version ID of the secret
- current_version (string): Current version ID of the secret (same as revision)
- content_type (string): MIME type of the secret content
- recovery_level (string): Recovery protection level
- expiration_date (string): ISO 8601 timestamp of secret expiration (only present if set)
Note: Azure Key Vault doesn't expose rotation policies via SDK for secrets, so rotation information is not included.
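A triage pass over the extra fields documented above, added here as an example and not part of the plugin's own code. It assumes the output file is a JSON array of asset records; the finding labels, the 90-day window and the function names are illustrative choices.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records using the field names documented above.
# Assumption: the output file holds a JSON array of asset records.
SAMPLE = json.loads("""[
 {"type": "cert", "urn": "urn:cert:sha256:EXAMPLE-1",
  "extra": {"cert_name": "web-tls", "status": "enabled", "exportable": true,
            "recovery_level": "Recoverable+Purgeable", "origin": "imported"}},
 {"type": "pubkey", "urn": "urn:pubkey:sha256:EXAMPLE-2",
  "extra": {"name": "wrap-key", "status": "enabled", "hsm_protected": false,
            "exportable": false, "expiration_date": "2026-06-16T11:11:59-04:00"}},
 {"type": "privkey", "urn": "urn:privkey:name:EXAMPLE-3",
  "extra": {"key_name": "legacy", "status": "enabled",
            "recovery_level": "Recoverable"}}
]""")

def parse_ts(value):
    # datetime.fromisoformat() rejects a trailing "Z" before Python 3.11.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(record, now, warn_days=90):
    """Return the list of finding labels for one asset record."""
    extra, kind, findings = record.get("extra", {}), record.get("type"), []
    if extra.get("status") != "enabled":
        return findings  # disabled assets are skipped in this pass
    if extra.get("exportable") is True:
        findings.append("exportable")
    if kind == "pubkey" and extra.get("hsm_protected") is False:
        findings.append("not_hsm_protected")
    # Every recovery level whose name contains "Purgeable" permits purge.
    if "Purgeable" in extra.get("recovery_level", ""):
        findings.append("purge_allowed")
    exp = extra.get("expiration_date") or extra.get("not_after")
    if exp is None:
        # expiration_date is only present if set; a certificate's validity
        # lives inside cert_pem, so only the other asset types are flagged.
        if kind != "cert":
            findings.append("no_expiration")
    elif parse_ts(exp) - now <= timedelta(days=warn_days):
        findings.append("expires_soon")
    return findings

def scan(records, now=None):
    """Map each asset URN to its findings, omitting assets with none."""
    now = now or datetime.now(timezone.utc)
    return {r["urn"]: f for r in records if (f := triage(r, now))}
```

Certificates whose body is present need their notAfter read from cert_pem, which this pass does not parse; only the fallback not_after field is checked for them.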