Output Format

Certificate Scan Results

Each discovered certificate generates a result with the following structure:

```json
{
    "type": "cert",
    "timestamp": "2025-12-15T12:18:07-05:00",
    "urn": "urn:cert:sha256:302595b8e1a7d6a1baa33577a22ddd64b6c07e5846117bbd22ebb07727f11e75",
    "url": "https://console.cloud.google.com/security/ccm/list/lbCertificates?project=gcp-project-corp-dev-discovery",
    "extra": {
      "create_time": "2025-11-17T20:26:42.777178748Z",
      "description": "",
      "location": "global",
      "name": "projects/gcp-project-corp-dev-discovery/locations/global/certificates/test2",
      "origin": "imported",
      "platform_type": "gcp",
      "project_id": "gcp-project-corp-dev-discovery",
      "self_managed": {
        "has_pem_certificate": false,
        "has_pem_private_key": false
      },
      "update_time": "2025-11-18T02:31:08.609078336Z"
    },
    "cert_pem": "MIID0TCCA...."
}
```

### Certificate Scan Results without Cert PEM

```json
{
    "type": "cert",
    "timestamp": "2025-12-15T12:18:07-05:00",
    "urn": "urn:cert:gcp:projects/gcp-project-corp-dev-discovery/locations/global/certificates/testcert",
    "url": "https://console.cloud.google.com/security/ccm/list/lbCertificates?project=gcp-project-corp-dev-discovery",
    "extra": {
      "create_time": "2025-11-17T20:00:16.553991295Z",
      "description": "",
      "location": "global",
      "managed": {
        "authorization_attempt_info": [
          {
            "domain": "www.example.com",
            "state": "authorizing"
          }
        ],
        "dns_authorizations": null,
        "domains": [
          "www.example.com"
        ],
        "issuance_config": "",
        "provisioning_issue": {
          "reason": "authorization_issue"
        },
        "state": "provisioning"
      },
      "name": "projects/gcp-project-corp-dev-discovery/locations/global/certificates/testcert",
      "origin": "gcp_created",
      "platform_type": "gcp",
      "project_id": "gcp-project-corp-dev-discovery",
      "subject_alternative_names": [
        "www.example.com"
      ],
      "update_time": "2025-11-18T02:31:08.415811203Z"
    },
    "cert_pem": ""
}
```

Output Fields

| Field | Description | Present For |
|-------|-------------|-------------|
| type | Always "cert" for certificate assets | All certificates |
| timestamp | RFC3339 timestamp of when the scan was performed | All certificates |
| urn | Unique resource identifier based on certificate fingerprint or resource name | All certificates |
| url | Direct link to GCP Console | All certificates |
| cert_pem | Base64-encoded certificate (PEM without headers/footers) | Self-managed only (empty for Google-managed) |
| extra | Additional metadata (see Extra Fields section below) | All certificates |

Extra Fields

The extra object contains GCP-specific metadata about the certificate.

Common Fields (Present in All Certificates)

  • name (string): Full GCP resource name (e.g., "projects/my-project/locations/global/certificates/my-cert")
  • origin (string): Source of certificate (values: "imported", "gcp_created")
  • create_time (string): ISO 8601 timestamp of when the certificate was created in GCP
  • update_time (string): ISO 8601 timestamp of last update
  • description (string): User-provided description of the certificate
  • project_id (string): GCP project ID containing the certificate
  • region (string): GCP region or location (empty string for global certificates)

Conditional Common Fields

  • labels (object): Key-value pairs of user-defined labels (only present if labels exist)
  • scope (string): Certificate scope (values: "default", "edge_cache", "all_regions") (only present if scope is set)

Fallback Fields (When cert_pem is Empty)

These fields are only included when the certificate PEM is not available (typically for Google-managed certificates in provisioning state):

  • not_after (string): Certificate expiration date (ISO 8601 format)
  • subject_alternative_names (array of strings): List of Subject Alternative Names (DNS names)

Note: These fields are NOT included when cert_pem is present, as they are intrinsic to the certificate and can be parsed from the PEM.

Self-Managed Certificate Fields

For imported/self-managed certificates (origin: "imported"), the following additional field is included:

  • self_managed (object): Information about self-managed certificate
    • has_pem_certificate (boolean): Whether a PEM certificate is present
    • has_pem_private_key (boolean): Whether a PEM private key is present (not retrieved by plugin)

Google-Managed Certificate Fields

For Google-managed certificates (origin: "gcp_created"), the following additional field is included:

  • managed (object): Information about Google-managed certificate provisioning
    • domains (array of strings): List of domains covered by the certificate
    • dns_authorizations (array of strings): DNS authorization resource names used for domain validation
    • issuance_config (string): Certificate issuance configuration resource name
    • state (string): Current provisioning state (values: "active", "provisioning", "failed")
    • authorization_attempt_info (array of objects): Authorization attempt details for each domain
      • domain (string): Domain being authorized (lowercase)
      • state (string): Authorization state (lowercase, e.g., "authorizing", "authorized", "failed")
      • details (string): Additional details about authorization (lowercase)
      • failure_reason (string): Reason for authorization failure if applicable (lowercase)
    • provisioning_issue (object): Information about provisioning issues if any
      • reason (string): Reason for provisioning failure (lowercase, e.g., "authorization_issue", "rate_limited")
      • details (string): Additional details about the issue (lowercase)

Note: All string values in the managed object are converted to lowercase for consistency.
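The following is an added example, not code from the plugin: a consumer-side triage of scan results that re-wraps a headerless `cert_pem` into a standard PEM block, falls back to the `extra` fields when `cert_pem` is empty, and flags Google-managed certificates that are not yet active. The function names (`to_pem`, `triage`, `triage_all`) and the sample records are assumptions constructed for illustration; only the field names come from this page.

```python
import base64
import json

# Constructed sample results; field names follow the page, values are made up.
# The cert_pem value is placeholder bytes, not a real certificate.
SAMPLE = json.dumps([
    {"type": "cert", "cert_pem": base64.b64encode(bytes(range(60))).decode(),
     "extra": {"name": "projects/example/locations/global/certificates/imported1",
               "origin": "imported"}},
    {"type": "cert", "cert_pem": "",
     "extra": {"name": "projects/example/locations/global/certificates/managed1",
               "origin": "gcp_created",
               "subject_alternative_names": ["www.example.com"],
               "managed": {"state": "provisioning", "dns_authorizations": None,
                           "authorization_attempt_info": [
                               {"domain": "www.example.com", "state": "authorizing"}],
                           "provisioning_issue": {"reason": "authorization_issue"}}}},
])

def to_pem(cert_b64):
    """Re-wrap the headerless base64 from cert_pem as a standard PEM block."""
    der = base64.b64decode(cert_b64, validate=True)  # rejects non-base64 input
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def triage(result):
    """Summarise one scan result and list conditions worth following up."""
    extra = result.get("extra") or {}
    managed = extra.get("managed") or {}
    findings = []
    if result.get("cert_pem"):
        source = "cert_pem"  # SANs and expiry must be parsed from the certificate
    else:
        source = "fallback"  # rely on extra.not_after / subject_alternative_names
        if not extra.get("not_after"):
            findings.append("expiry unknown: no cert_pem and no not_after")
    state = managed.get("state")
    if managed and state != "active":
        reason = (managed.get("provisioning_issue") or {}).get("reason", "unknown")
        findings.append(f"managed certificate is {state}: {reason}")
    for attempt in managed.get("authorization_attempt_info") or []:  # may be null
        if attempt.get("state") != "authorized":
            findings.append(f"{attempt.get('domain')}: {attempt.get('state')}")
    return {"name": extra.get("name"), "source": source,
            "sans": extra.get("subject_alternative_names") or [],
            "findings": findings}

def triage_all(raw_json):
    """Triage every certificate result in a JSON array of scan results."""
    return [triage(r) for r in json.loads(raw_json) if r.get("type") == "cert"]
```

The output of `to_pem` can be handed to any X.509 parser to read the SANs and expiry that the plugin omits from `extra` when `cert_pem` is present.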