Output Format

Certificate Results

The plugin generates certificate scan results in standardized format:

{
   "type": "cert",
    "timestamp": "2025-12-10T22:04:02+05:30",
    "urn": "urn:cert:sha256:d4db1d3029b6d4bfb66b3cbca043c83d90bb6caae35a02b3d8ee62b64a8ce2a6",
    "url": "https://10.1.127.26:443",
    "cert_pem": "MIIFODCCBCC....",
    "endpoint": {
      "host": "10.1.127.26",
      "port": 443,
      "service": "http",
      "service_vendor": "nginx",
      "service_vendor_version": "1.18.0",
      "cipher_suites": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, ...."
    }
}

Output Fields

Field

Description

type

Asset type (cert for certificates, pubkey for asymmetric keys, symkey for symmetric keys, secret for KV secrets)

timestamp

RFC3339 timestamp of when the scan was performed

urn

Unique resource name based on asset type (SHA256 hash for certificates/public keys, name-based for symmetric keys/secrets)

url

Direct link to Vault UI for the asset

cert_pem

Base64-encoded certificate (PEM without headers/footers) - certificates only

endpoint

object

Endpoint Fields

Field

Type

Description

host

string

Host address or hostname where the certificate was discovered

port

integer

Port number where the certificate was discovered (1-65535)

service

string

Detected service type (e.g., http, https, smtp, imap, pop3, ldap, ftp, ssh)

service_vendor

string

Detected service vendor (e.g., nginx, Apache, OpenSSH, Postfix, IIS)

service_vendor_version

string

Detected service vendor version (e.g., 1.18.0, 2.4.41)

cipher_suites

string

Comma-separated list of supported SSL/TLS cipher suites detected by ssl-enum-ciphers script

Note: The service, service_vendor, service_vendor_version, and cipher_suites fields are optional and populated when nmap successfully detects the service information.