
Certificates Field Reference

May 22, 2025

The Certificates Collection contains parsed X.509 certificates collected both during internet-wide scanning and from publicly available Certificate Transparency Logs. It provides metadata about issuers, subjects, expiration dates, and subject alternative names (SANs).

Document: Each document represents an individual SSL/TLS certificate.

Unique Identifier: One of the fingerprint fields can serve as a unique identifier:

  • certificate.fingerprint_md5
  • certificate.fingerprint_sha1
  • certificate.fingerprint_sha256

Default Fields:

  • certificate.subject_dn
  • certificate.subject.common_name
  • certificate.subject.organization
  • certificate.extensions.subject_alt_name.dns_names
  • certificate.names

Use field.keyword for exact match searching

Many certificate fields have type TTEXT. To perform exact match searches on these fields, use the .keyword subfield. Refer to the Search Query Language article to learn more about the difference between full-text and exact match searches.

Cert Fields

Parsed metadata extracted from X.509 certificates.

These fields include issuer and subject details, validity period, key usage, signature algorithm, fingerprint hashes, extensions, and compliance-related attributes.

certificate.chain

Parsed fields from each certificate in the chain (including intermediates).

Structure is identical to the root certificate object.

Field type: OBJECT

certificate.extensions

Parsed X.509 certificate extensions.

These fields represent optional metadata that provides additional information about how the certificate should be used, what constraints apply to it, who issued it, and what services it supports.

Common extensions include Subject Alternative Names (SANs), key usage, certificate policies, OCSP/CRL endpoints, and various extended key usages for web, email, VPN, or document signing.

Field type: OBJECT

Usage in queries:

  • Code signing certificates issued by Apple:

    certificate.extensions.extended_key_usage.code_signing:* certificate.issuer.organization:Apple
    

  • Government certificates used for encrypting user data:

    certificate.extensions.key_usage.data_encipherment:true
    

  • RSA Security signing certificates:

    certificate.extensions.key_usage.certificate_sign:true certificate.issuer.organization:"RSA Security"
    

  • Certificates used for various Microsoft technologies issued by Microsoft:

    certificate.extensions.extended_key_usage.microsoft_\*:true certificate.issuer_dn:Microsoft
    

  • Time-stamp service certificates:

    certificate.extensions.extended_key_usage.time_stamping:true certificate.subject_dn:"*time stamp*"
    

certificate.fingerprint_md5

MD5 fingerprint of the certificate in hexadecimal format, stored as a lowercase string.

Field type: TTEXT

Examples: c33979ff8bc19a94820d6804b3681881

Usage in queries:

certificate.fingerprint_md5:c33979ff8bc19a94820d6804b3681881

certificate.fingerprint_sha1

SHA-1 fingerprint of the certificate in hexadecimal format, stored as a lowercase string.

Field type: TTEXT

Examples: 310db7af4b2bc9040c8344701aca08d0c69381e3

Usage in queries:

certificate.fingerprint_sha1:310db7af4b2bc9040c8344701aca08d0c69381e3

certificate.fingerprint_sha256

SHA-256 fingerprint of the certificate in hexadecimal format, stored as a lowercase string.

Field type: TTEXT

Examples: 455943cf819425761d1f950263ebf54755d8d684c25535943976f488bc79d23b

Usage in queries:

certificate.fingerprint_sha256:455943cf819425761d1f950263ebf54755d8d684c25535943976f488bc79d23b

certificate.issuer

Distinguished Name (DN) of the certificate issuer, split into structured fields.

The structure is identical to the subject field. Please note that all subfields are optional.

Field type: OBJECT

Usage in queries:

certificate.issuer.organization:"DigiCert Inc"
certificate.issuer.country:CN

certificate.issuer_dn

Raw Distinguished Name (DN) string of the certificate issuer.

Field type: TTEXT

Examples: C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1

Usage in queries:

certificate.issuer_dn:"Let's Encrypt"

certificate.names

List of all names found in the certificate CN and SAN fields (certificate.extensions.subject_alt_name).

Field type: TTEXT

Examples: *.example.com, example.com

Usage in queries:

  • Full-text search for any part of name.
    certificate.names:example
    
  • Exact match for name.
    certificate.names.keyword:"*.example.com"
    

certificate.redacted

Whether the certificate contains redacted (withheld) fields for privacy.

Field type: BOOLEAN

Examples: True, False

certificate.serial_number

Serial number of the certificate as issued by the CA.

Field type: TTEXT

Examples: 14416812407440461216471976375640436634

certificate.signature.self_signed

Indicates whether the certificate is self-signed (i.e., issued by the same entity it is assigned to).

Self-signed certificates are usually used for root CAs or in testing environments.

Field type: BOOLEAN

Examples: True, False

certificate.signature.signature_algorithm.name

Human-readable name of the signature algorithm used to sign the certificate.

Field type: TTEXT

Examples: ECDSA-SHA384, SHA256-RSA

certificate.signature.signature_algorithm.oid

Object Identifier (OID) of the signature algorithm, as defined by the ASN.1 standard.

Field type: TTEXT

Examples: 1.2.840.10045.4.3.3, 1.2.840.113549.1.1.11

certificate.signature.valid

Indicates whether the certificate's digital signature is cryptographically valid. This does not imply trust — it only means the signature can be verified.

Field type: BOOLEAN

Examples: True, False

certificate.signature.value

The raw base64-encoded signature value from the certificate. This field can be used for low-level cryptographic inspection or fingerprinting.

Field type: TTEXT

Examples: MGUCMQD5poJGU9tv5Vj67hq8/Jobt+9QMmo3wrCWtcPhem1PtAv4PTf4ED8VQSjd0PWLPfsCMGRjeOGy4sBbulawNu1f9DDGnqQ2wriOHX9GO9X/brSzFDAz8Yzu3T5PS4/Yv5jXZQ==

certificate.spki_subject_fingerprint

SHA-256 fingerprint of the Subject Public Key Info block.

Field type: TTEXT

certificate.src

Source of the certificate data, given as a URI.

Field type: TTEXT

Examples:

  • https://195.52.146.178:443/
  • mysql://49.13.170.178:3306
  • raw://34.29.76.236:9100

certificate.subject

Distinguished Name (DN) of the certificate subject, split into structured fields.

These fields represent the entity the certificate was issued to, such as a company, organization, or individual. Please note that all subfields are optional.

Field type: OBJECT

certificate.subject.common_name

Common Name (CN) of the subject, typically a domain name (e.g., example.com) or individual’s name.

Field type: TTEXT

Examples: example.com, *.example.com

certificate.subject.country

Country of the subject, represented as a 2-letter code, following the ISO 3166-1 alpha-2 standard.

Field type: TTEXT

Examples: US, DE

certificate.subject.domain_component

Components of the domain name represented in LDAP-style DNs (e.g., dc=example).

In practice, many certificates use domain_component for internal identifiers, local domains, or custom naming conventions.

Field type: TTEXT

Examples:

  • localdomain
  • XCLOUDCERT

certificate.subject.email_address

Email address associated with the subject, if provided in the DN.

Field type: TTEXT

Examples: [email protected]

certificate.subject.given_name

Given name (first name) of the subject, when the certificate is issued to a person.

Field type: TTEXT

Examples: John

certificate.subject.jurisdiction_country

Country where the subject is legally registered, used in EV certificates.

Represented as a 2-letter code, following the ISO 3166-1 alpha-2 standard.

Field type: TTEXT

Examples: US, DE

certificate.subject.jurisdiction_locality

City or locality of legal jurisdiction for the subject in EV certificates.

Field type: TTEXT

Examples: Paris, Köln, 北京

certificate.subject.jurisdiction_province

State or province of legal jurisdiction for the subject in EV certificates.

Field type: TTEXT

Examples:

  • New York
  • Moscow
  • Zürich

certificate.subject.locality

City or locality of the subject’s address.

Field type: TTEXT

Examples: Los Angeles, Paris, Shenzhen

certificate.subject.organization

Legal organization or company name the certificate was issued to.

Field type: TTEXT

Examples:

  • Internet Corporation for Assigned Names and Numbers
  • ACME Co

Usage in queries:

certificate.subject.organization:"Microsoft Corporation"

certificate.subject.organization_id

Unique organization identifier (e.g., business registration number), sometimes used in EV certificates.

Field type: TTEXT

Examples: VATES-P4700000E, DE123456789

certificate.subject.organizational_unit

Division or department within the organization, such as IT or Security.

Field type: TTEXT

Examples: IT Department, Security Team

certificate.subject.postal_code

Postal code or ZIP code of the subject’s address.

Field type: TTEXT

certificate.subject.province

State or province of the subject’s address.

Field type: TTEXT

certificate.subject.serial_number

Identifier assigned by the issuing organization to distinguish entities with the same name.

Field type: TTEXT

Examples:

  • C0806592
  • 0100-01-008840

certificate.subject.street_address

Street-level address of the subject.

Field type: TTEXT

certificate.subject.surname

Last name (family name) of the subject, when issued to an individual.

Field type: TTEXT

Examples: Doe

certificate.subject_dn

Raw Distinguished Name (DN) string of the certificate subject.

Field type: TTEXT

Examples: C=US, ST=California, L=Los Angeles, O=Internet Corporation for Assigned Names and Numbers, CN=*.example.com

Usage in queries:

certificate.subject_dn:netlas.io

certificate.tbs_fingerprint

SHA-256 fingerprint of the To-Be-Signed (TBS) portion of the certificate.

Field type: TTEXT

certificate.tbs_noct_fingerprint

SHA-256 fingerprint of the TBS block with no certificate transparency data.

Field type: TTEXT

certificate.unknown_extensions

Extensions found in the certificate that do not match any recognized OID or parsing schema.

These fields are preserved as-is and include a critical flag, raw identifier, and raw value. Useful for advanced analysis or future-proofing when dealing with custom or proprietary extensions.

Field type: OBJECT

certificate.validation_level

There are three types of certificates, depending on the number of validation steps during the certificate issuance procedure:

  • Domain Validated (DV) certificates provide the lowest level of authentication and contain the least information about the subject.
  • Organization Validated (OV) certificates undergo additional checks during the issuance procedure and contain more information about the subject, e.g. the name of the organization.
  • Extended Validation (EV) certificates are the most trusted and contain the most information about the subject.

Field type: TTEXT

Examples: DV, OV, EV

Usage in queries:

certificate.validation_level:(OV OR EV)

certificate.validity.end

The expiration date of the certificate — the last moment it is considered valid. After this date, clients will reject the certificate as expired.

Field type: DATE

Examples: 2026-12-31T23:59:59Z

Usage in queries:

Certificates expiring in May 2023:

certificate.validity.end:[2023-05-01 TO 2023-05-31]

certificate.validity.length

Total duration of the certificate’s validity period, measured in seconds. Calculated as end - start.

Field type: #LONG

Examples: 31536000

certificate.validity.start

The date from which the certificate becomes valid and can be used. Clients may reject certificates with a future start date.

Field type: DATE

Examples: 2023-01-01T00:00:00Z

Usage in queries:

certificate.validity.start:>2023-01-01
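
How the validity and signature fields combine when triaging a result, as an added example (not Netlas code). It assumes each result is a JSON object nested the way the dotted field names suggest; the sample documents and finding labels are constructed for illustration.

```python
from datetime import datetime, timezone

def parse_ts(value):
    """Parse the ISO 8601 'Z' timestamps shown in the field examples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(doc, now):
    """Return a list of findings for one certificate document."""
    cert = doc.get("certificate", {})
    sig = cert.get("signature", {})
    validity = cert.get("validity", {})
    findings = []
    # signature.valid only says the signature verifies; it does not imply trust.
    if sig.get("valid") is False:
        findings.append("signature-invalid")
    if sig.get("self_signed"):
        findings.append("self-signed")
    start, end = validity.get("start"), validity.get("end")
    if not (start and end):
        return findings + ["validity-missing"]
    start_dt, end_dt = parse_ts(start), parse_ts(end)
    if now < start_dt:
        findings.append("not-yet-valid")
    if now > end_dt:
        findings.append("expired")
    # validity.length is documented as end - start, in seconds.
    expected = int((end_dt - start_dt).total_seconds())
    if validity.get("length") not in (None, expected):
        findings.append("length-mismatch")
    return findings

# Constructed sample documents; the nesting is an assumption (see lead-in).
SAMPLES = [
    {"certificate": {"signature": {"valid": True, "self_signed": False},
                     "validity": {"start": "2023-01-01T00:00:00Z",
                                  "end": "2024-01-01T00:00:00Z",
                                  "length": 31536000}}},
    {"certificate": {"signature": {"valid": True, "self_signed": True},
                     "validity": {"start": "2020-01-01T00:00:00Z",
                                  "end": "2021-01-01T00:00:00Z",
                                  "length": 31536000}}},  # 2020 is a leap year
]

if __name__ == "__main__":
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)
    for doc in SAMPLES:
        print(triage(doc, now))
```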

certificate.version

The version of the X.509 standard that the certificate follows (usually 3). It indicates the structure and features that the certificate supports.

Field type: #LONG

Examples: 1, 2, 3

Service Fields

Internal metadata about the document lifecycle in the Netlas platform.

@timestamp

The timestamp when the certificate was indexed.

Field type: DATE

Examples:

  • 2023-01-01T12:00:00Z
  • 2023-10-15T08:30:00Z

Usage in queries:

@timestamp:>=now-30d
@timestamp:[now-7d TO now]
@timestamp:[2024-01-01 TO 2024-12-31]

last_updated

The timestamp indicating when the document was last updated. This field is no longer in use as a new index is created for each scan cycle.

Field type: DATE