All X.509 Certificates
This schema outlines the fields available in Censys BigQuery All X.509 Certificates tables.
Certificates
| Path | Type | Repeated | Docs |
|---|---|---|---|
| added_at | TIMESTAMP | No | When the certificate was added to the Censys dataset. |
| ct | SubRecord | No | |
| ct.entries | SubRecord | Yes | |
| ct.entries.key | STRING | No | |
| ct.entries.value | SubRecord | No | |
| ct.entries.value.added_to_ct_at | TIMESTAMP | No | An RFC-3339-formatted timestamp indicating when the certificate was entered into the CT log. |
| ct.entries.value.ct_to_censys_at | TIMESTAMP | No | An RFC-3339-formated timestamp indicating when the certificate was ingested from the CT log into the Censys dataset. |
| ct.entries.value.index | INTEGER | No | Numerical marker of the certificate's place in the CT log. |
| ever_seen_in_scan | BOOLEAN | No | Whether the certificate has ever been presented by a service during a scan. |
| fingerprint_md5 | BYTES | No | The MD-5 digest of the entire raw certificate. An identifier used by some systems. |
| fingerprint_sha1 | BYTES | No | The SHA-1 digest of the entire raw certificate. An identifier used by some systems. |
| fingerprint_sha256 | BYTES | No | The SHA-256 digest of the entire raw certificate. Its unique identifier, which Censys uses to index certificates records. |
| inserted_at | TIMESTAMP | No | |
| labels | STRING | Yes | |
| modified_at | TIMESTAMP | No | When the certificate record was last modified. |
| names | STRING | Yes | All the names contained in the certificate from various fields. |
| not_valid_after | TIMESTAMP | No | |
| parent_spki_subject_fingerprint_sha256 | BYTES | No | The SHA-256 digest of the parent certificate's DER-encoded SubjectPublicKeyInfo concatenated with its Subject. |
| parse_status | STRING | No | |
| parsed | SubRecord | No | A record containing all of the data parsed from the certificate. |
| parsed.extensions | SubRecord | No | A record containing parsed X.509 extensions that provide additional identification information or additional cryptographic capabilities. |
| parsed.extensions.authority_info_access | SubRecord | No | The parsed id-pe-authorityInfoAccess extension (OID: 1.3.6.1.5.7.1.1). Only id-ad-caIssuers and id-ad-ocsp accessMethods are supported; others are omitted. |
| parsed.extensions.authority_info_access.issuer_urls | STRING | Yes | |
| parsed.extensions.authority_info_access.ocsp_urls | STRING | Yes | |
| parsed.extensions.authority_key_id | BYTES | No | A key identifier, usually a digest of the DER-encoded SubjectPublicKeyInfo. |
| parsed.extensions.basic_constraints | SubRecord | No | The parsed id-ce-basicConstraints extension (OID: 2.5.29.19). |
| parsed.extensions.basic_constraints.is_ca | BOOLEAN | No | Whether the certificate is permitted to sign other certificates. |
| parsed.extensions.basic_constraints.max_path_len | INTEGER | No | When present, provides the maximum number of intermediate certificates that may follow this certificate in a trusted certification path. |
| parsed.extensions.cabf_organization_id | SubRecord | No | CA/Browser Forum organization ID extensions (OID: 2.23.140.3.1). |
| parsed.extensions.cabf_organization_id.country | STRING | No | |
| parsed.extensions.cabf_organization_id.reference | STRING | No | |
| parsed.extensions.cabf_organization_id.scheme | STRING | No | |
| parsed.extensions.cabf_organization_id.state | STRING | No | |
| parsed.extensions.certificate_policies | SubRecord | Yes | The parsed id-ce-certificatePolicies extension (OID: 2.5.29.32). |
| parsed.extensions.certificate_policies.cps | STRING | Yes | |
| parsed.extensions.certificate_policies.id | STRING | No | |
| parsed.extensions.certificate_policies.user_notice | SubRecord | Yes | |
| parsed.extensions.certificate_policies.user_notice.explicit_text | STRING | No | |
| parsed.extensions.certificate_policies.user_notice.notice_reference | SubRecord | No | |
| parsed.extensions.certificate_policies.user_notice.notice_reference.notice_numbers | INTEGER | Yes | |
| parsed.extensions.certificate_policies.user_notice.notice_reference.organization | STRING | No | |
| parsed.extensions.crl_distribution_points | STRING | Yes | The parsed id-ce-cRLDistributionPoints extension (OID: 2.5.29.31). Contents are a list of distributionPoint URLs; other distributionPoint types are omitted). |
| parsed.extensions.ct_poison | BOOLEAN | No | Whether the certificate possesses the pre-certificate "poison" extension (OID: 1.3.6.1.4.1.11129.2.4.3). |
| parsed.extensions.extended_key_usage | SubRecord | No | The parsed id-ce-extKeyUsage extension (OID: 2.5.29.37). |
| parsed.extensions.extended_key_usage.any | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_code_signing | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_code_signing_development | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_code_signing_third_party | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_crypto_development_env | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_crypto_env | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_crypto_maintenance_env | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_crypto_production_env | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_crypto_qos | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_crypto_test_env | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_crypto_tier0_qos | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_crypto_tier1_qos | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_crypto_tier2_qos | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_crypto_tier3_qos | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_ichat_encryption | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_ichat_signing | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_resource_signing | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_software_update_signing | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.apple_system_identity | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.client_auth | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.code_signing | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.dvcs | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.eap_over_lan | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.eap_over_ppp | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.email_protection | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.ipsec_end_system | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.ipsec_intermediate_system_usage | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.ipsec_tunnel | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.ipsec_user | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_ca_exchange | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_cert_trust_list_signing | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_csp_signature | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_document_signing | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_drm | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_drm_individualization | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_efs_recovery | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_embedded_nt_crypto | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_encrypted_file_system | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_enrollment_agent | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_kernel_mode_code_signing | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_key_recovery_21 | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_key_recovery_3 | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_license_server | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_licenses | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_lifetime_signing | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_mobile_device_software | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_nt5_crypto | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_oem_whql_crypto | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_qualified_subordinate | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_root_list_signer | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_server_gated_crypto | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_sgc_serialized | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_smart_display | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_smartcard_logon | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_system_health | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_system_health_loophole | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_timestamp_signing | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.microsoft_whql_crypto | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.netscape_server_gated_crypto | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.ocsp_signing | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.sbgp_cert_aa_service_auth | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.server_auth | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.time_stamping | BOOLEAN | No | |
| parsed.extensions.extended_key_usage.unknown | STRING | Yes | |
| parsed.extensions.issuer_alt_name | SubRecord | No | The parsed id-ce-issuerAltName extension (OID: 2.5.29.18). |
| parsed.extensions.issuer_alt_name.directory_names | SubRecord | Yes | The parsed directoryName entries in the GeneralName. |
| parsed.extensions.issuer_alt_name.directory_names.common_name | STRING | Yes | The commonName (CN) elements of the Distinguished Name (OID: 2.5.4.3). |
| parsed.extensions.issuer_alt_name.directory_names.country | STRING | Yes | The countryName (C) elements of the Distinguished Name (OID: 2.5.4.6). |
| parsed.extensions.issuer_alt_name.directory_names.domain_component | STRING | Yes | The domainComponent (DC) elements of the Distinguished Name (OID: 0.9.2342.19200300.100.1.25). |
| parsed.extensions.issuer_alt_name.directory_names.email_address | STRING | Yes | The emailAddress (E) elements of the Distinguished Name (OID: 1.2.840.113549.1.9.1). |
| parsed.extensions.issuer_alt_name.directory_names.given_name | STRING | Yes | The givenName (G) elements of the Distinguished Name (OID: 2.5.4.42). |
| parsed.extensions.issuer_alt_name.directory_names.jurisdiction_country | STRING | Yes | The jurisdictionCountry elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.3). |
| parsed.extensions.issuer_alt_name.directory_names.jurisdiction_locality | STRING | Yes | The jurisdictionLocality elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.1). |
| parsed.extensions.issuer_alt_name.directory_names.jurisdiction_province | STRING | Yes | The jurisdictionStateOrProvince elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.2). |
| parsed.extensions.issuer_alt_name.directory_names.locality | STRING | Yes | The localityName (L) elements of the Distinguished Name (OID: 2.5.4.7). |
| parsed.extensions.issuer_alt_name.directory_names.organization | STRING | Yes | The organizationName (O) elements of the Distinguished Name (OID: 2.5.4.10). |
| parsed.extensions.issuer_alt_name.directory_names.organization_id | STRING | Yes | |
| parsed.extensions.issuer_alt_name.directory_names.organizational_unit | STRING | Yes | The organizationalUnit (OU) elements of the Distinguished Name (OID: 2.5.4.11). |
| parsed.extensions.issuer_alt_name.directory_names.postal_code | STRING | Yes | The postalCode elements of the Distinguished Name (OID: 2.5.4.17). |
| parsed.extensions.issuer_alt_name.directory_names.province | STRING | Yes | The stateOrProvinceName (ST) elements of the Distinguished Name (OID: 2.5.4.8). |
| parsed.extensions.issuer_alt_name.directory_names.serial_number | STRING | Yes | The serialNumber elements of the Distinguished Name (OID: 2.5.4.5). |
| parsed.extensions.issuer_alt_name.directory_names.street_address | STRING | Yes | The streetAddress (STREET) elements of the Distinguished Name (OID: 2.5.4.9). |
| parsed.extensions.issuer_alt_name.directory_names.surname | STRING | Yes | The surname (SN) elements of the Distinguished Name (OID: 2.5.4.4). |
| parsed.extensions.issuer_alt_name.dns_names | STRING | Yes | The parsed dNSName entries in the GeneralName. |
| parsed.extensions.issuer_alt_name.edi_party_names | SubRecord | Yes | The parsed eDIPartyName entries in the GeneralName. |
| parsed.extensions.issuer_alt_name.edi_party_names.name_assigner | STRING | No | |
| parsed.extensions.issuer_alt_name.edi_party_names.party_name | STRING | No | |
| parsed.extensions.issuer_alt_name.email_addresses | STRING | Yes | The parsed rfc822Name entries in the GeneralName. |
| parsed.extensions.issuer_alt_name.ip_addresses | STRING | Yes | The parsed ipAddress entries in the GeneralName. |
| parsed.extensions.issuer_alt_name.other_names | SubRecord | Yes | The parsed otherName entries in the GeneralName. An arbitrary binary value identified by an OID. |
| parsed.extensions.issuer_alt_name.other_names.id | STRING | No | The OID identifying the syntax of the otherName value. |
| parsed.extensions.issuer_alt_name.other_names.value | BYTES | No | The raw otherName value. |
| parsed.extensions.issuer_alt_name.registered_ids | STRING | Yes | The parsed registeredID entries in the GeneralName. Stored in dotted-decimal format. |
| parsed.extensions.issuer_alt_name.uniform_resource_identifiers | STRING | Yes | The parsed uniformResourceIdentifier entries in the GeneralName. |
| parsed.extensions.key_usage | SubRecord | No | The parsed id-ce-keyUsage extension (OID: 2.5.29.15). |
| parsed.extensions.key_usage.certificate_sign | BOOLEAN | No | Whether the keyCertSign bit is set. |
| parsed.extensions.key_usage.content_commitment | BOOLEAN | No | Whether the contentCommitment (formerly called nonRepudiation) bit is set. |
| parsed.extensions.key_usage.crl_sign | BOOLEAN | No | Whether the cRLSign bit is set. |
| parsed.extensions.key_usage.data_encipherment | BOOLEAN | No | Whether the dataEncipherment bit is set. |
| parsed.extensions.key_usage.decipher_only | BOOLEAN | No | Whether the decipherOnly bit is set. |
| parsed.extensions.key_usage.digital_signature | BOOLEAN | No | Whether the digitalSignature bit is set. |
| parsed.extensions.key_usage.encipher_only | BOOLEAN | No | Whether the encipherOnly bit is set. |
| parsed.extensions.key_usage.key_agreement | BOOLEAN | No | Whether the keyAgreement bit is set. |
| parsed.extensions.key_usage.key_encipherment | BOOLEAN | No | Whether the keyEncipherment bit is set. |
| parsed.extensions.key_usage.value | INTEGER | No | The integer value of the bitmask in the extension. |
| parsed.extensions.name_constraints | SubRecord | No | The parsed id-ce-nameConstraints extension (OID: 2.5.29.30). Specifies a name space within which all child certificates' subject names MUST be located. |
| parsed.extensions.name_constraints.critical | BOOLEAN | No | |
| parsed.extensions.name_constraints.excluded_directory_names | SubRecord | Yes | A record providing excluded names of the type directoryName in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.name_constraints.excluded_directory_names.common_name | STRING | Yes | The commonName (CN) elements of the Distinguished Name (OID: 2.5.4.3). |
| parsed.extensions.name_constraints.excluded_directory_names.country | STRING | Yes | The countryName (C) elements of the Distinguished Name (OID: 2.5.4.6). |
| parsed.extensions.name_constraints.excluded_directory_names.domain_component | STRING | Yes | The domainComponent (DC) elements of the Distinguished Name (OID: 0.9.2342.19200300.100.1.25). |
| parsed.extensions.name_constraints.excluded_directory_names.email_address | STRING | Yes | The emailAddress (E) elements of the Distinguished Name (OID: 1.2.840.113549.1.9.1). |
| parsed.extensions.name_constraints.excluded_directory_names.given_name | STRING | Yes | The givenName (G) elements of the Distinguished Name (OID: 2.5.4.42). |
| parsed.extensions.name_constraints.excluded_directory_names.jurisdiction_country | STRING | Yes | The jurisdictionCountry elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.3). |
| parsed.extensions.name_constraints.excluded_directory_names.jurisdiction_locality | STRING | Yes | The jurisdictionLocality elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.1). |
| parsed.extensions.name_constraints.excluded_directory_names.jurisdiction_province | STRING | Yes | The jurisdictionStateOrProvince elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.2). |
| parsed.extensions.name_constraints.excluded_directory_names.locality | STRING | Yes | The localityName (L) elements of the Distinguished Name (OID: 2.5.4.7). |
| parsed.extensions.name_constraints.excluded_directory_names.organization | STRING | Yes | The organizationName (O) elements of the Distinguished Name (OID: 2.5.4.10). |
| parsed.extensions.name_constraints.excluded_directory_names.organization_id | STRING | Yes | |
| parsed.extensions.name_constraints.excluded_directory_names.organizational_unit | STRING | Yes | The organizationalUnit (OU) elements of the Distinguished Name (OID: 2.5.4.11). |
| parsed.extensions.name_constraints.excluded_directory_names.postal_code | STRING | Yes | The postalCode elements of the Distinguished Name (OID: 2.5.4.17). |
| parsed.extensions.name_constraints.excluded_directory_names.province | STRING | Yes | The stateOrProvinceName (ST) elements of the Distinguished Name (OID: 2.5.4.8). |
| parsed.extensions.name_constraints.excluded_directory_names.serial_number | STRING | Yes | The serialNumber elements of the Distinguished Name (OID: 2.5.4.5). |
| parsed.extensions.name_constraints.excluded_directory_names.street_address | STRING | Yes | The streetAddress (STREET) elements of the Distinguished Name (OID: 2.5.4.9). |
| parsed.extensions.name_constraints.excluded_directory_names.surname | STRING | Yes | The surname (SN) elements of the Distinguished Name (OID: 2.5.4.4). |
| parsed.extensions.name_constraints.excluded_edi_party_names | SubRecord | Yes | A record providing excluded names of the type ediPartyName in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.name_constraints.excluded_edi_party_names.name_assigner | STRING | No | |
| parsed.extensions.name_constraints.excluded_edi_party_names.party_name | STRING | No | |
| parsed.extensions.name_constraints.excluded_email_addresses | STRING | Yes | A record providing a range of excluded names of the type rfc822Name in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.name_constraints.excluded_ip_addresses | SubRecord | Yes | A record providing a range of excluded names of the type iPAddress in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.name_constraints.excluded_ip_addresses.begin | STRING | No | The first IP address in the range. |
| parsed.extensions.name_constraints.excluded_ip_addresses.cidr | STRING | No | The CIDR specifying the subtree. |
| parsed.extensions.name_constraints.excluded_ip_addresses.end | STRING | No | The last IP address in the range. |
| parsed.extensions.name_constraints.excluded_ip_addresses.mask | STRING | No | The subnet mask of the CIDR. |
| parsed.extensions.name_constraints.excluded_names | STRING | Yes | A record providing a range of excluded names of the type dNSName in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.name_constraints.excluded_registered_ids | STRING | Yes | A record providing excluded names of the type registeredID in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.name_constraints.excluded_uris | STRING | Yes | A record providing a range of excluded uniform resource identifiers in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.name_constraints.permitted_directory_names | SubRecord | Yes | A record providing permitted names of the type directoryName in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.name_constraints.permitted_directory_names.common_name | STRING | Yes | The commonName (CN) elements of the Distinguished Name (OID: 2.5.4.3). |
| parsed.extensions.name_constraints.permitted_directory_names.country | STRING | Yes | The countryName (C) elements of the Distinguished Name (OID: 2.5.4.6). |
| parsed.extensions.name_constraints.permitted_directory_names.domain_component | STRING | Yes | The domainComponent (DC) elements of the Distinguished Name (OID: 0.9.2342.19200300.100.1.25). |
| parsed.extensions.name_constraints.permitted_directory_names.email_address | STRING | Yes | The emailAddress (E) elements of the Distinguished Name (OID: 1.2.840.113549.1.9.1). |
| parsed.extensions.name_constraints.permitted_directory_names.given_name | STRING | Yes | The givenName (G) elements of the Distinguished Name (OID: 2.5.4.42). |
| parsed.extensions.name_constraints.permitted_directory_names.jurisdiction_country | STRING | Yes | The jurisdictionCountry elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.3). |
| parsed.extensions.name_constraints.permitted_directory_names.jurisdiction_locality | STRING | Yes | The jurisdictionLocality elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.1). |
| parsed.extensions.name_constraints.permitted_directory_names.jurisdiction_province | STRING | Yes | The jurisdictionStateOrProvince elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.2). |
| parsed.extensions.name_constraints.permitted_directory_names.locality | STRING | Yes | The localityName (L) elements of the Distinguished Name (OID: 2.5.4.7). |
| parsed.extensions.name_constraints.permitted_directory_names.organization | STRING | Yes | The organizationName (O) elements of the Distinguished Name (OID: 2.5.4.10). |
| parsed.extensions.name_constraints.permitted_directory_names.organization_id | STRING | Yes | |
| parsed.extensions.name_constraints.permitted_directory_names.organizational_unit | STRING | Yes | The organizationalUnit (OU) elements of the Distinguished Name (OID: 2.5.4.11). |
| parsed.extensions.name_constraints.permitted_directory_names.postal_code | STRING | Yes | The postalCode elements of the Distinguished Name (OID: 2.5.4.17). |
| parsed.extensions.name_constraints.permitted_directory_names.province | STRING | Yes | The stateOrProvinceName (ST) elements of the Distinguished Name (OID: 2.5.4.8). |
| parsed.extensions.name_constraints.permitted_directory_names.serial_number | STRING | Yes | The serialNumber elements of the Distinguished Name (OID: 2.5.4.5). |
| parsed.extensions.name_constraints.permitted_directory_names.street_address | STRING | Yes | The streetAddress (STREET) elements of the Distinguished Name (OID: 2.5.4.9). |
| parsed.extensions.name_constraints.permitted_directory_names.surname | STRING | Yes | The surname (SN) elements of the Distinguished Name (OID: 2.5.4.4). |
| parsed.extensions.name_constraints.permitted_edi_party_names | SubRecord | Yes | A record providing permitted names of the type ediPartyName in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.name_constraints.permitted_edi_party_names.name_assigner | STRING | No | |
| parsed.extensions.name_constraints.permitted_edi_party_names.party_name | STRING | No | |
| parsed.extensions.name_constraints.permitted_email_addresses | STRING | Yes | A record providing a range of permitted names of the type rfc822Name in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.name_constraints.permitted_ip_addresses | SubRecord | Yes | A record providing a range of permitted names of the type iPAddress in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.name_constraints.permitted_ip_addresses.begin | STRING | No | The first IP address in the range. |
| parsed.extensions.name_constraints.permitted_ip_addresses.cidr | STRING | No | The CIDR specifying the subtree. |
| parsed.extensions.name_constraints.permitted_ip_addresses.end | STRING | No | The last IP address in the range. |
| parsed.extensions.name_constraints.permitted_ip_addresses.mask | STRING | No | The subnet mask of the CIDR. |
| parsed.extensions.name_constraints.permitted_names | STRING | Yes | A record providing a range of permitted names of the type dNSName in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.name_constraints.permitted_registered_ids | STRING | Yes | A record providing permitted names of the type registeredID in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.name_constraints.permitted_uris | STRING | Yes | A record providing a range of permitted uniform resource identifiers in leaf certificates whose trust path includes this certificate. |
| parsed.extensions.qc_statements | SubRecord | No | |
| parsed.extensions.qc_statements.ids | STRING | Yes | |
| parsed.extensions.qc_statements.parsed | SubRecord | No | |
| parsed.extensions.qc_statements.parsed.etsi_compliance | BOOLEAN | Yes | |
| parsed.extensions.qc_statements.parsed.legislation | SubRecord | Yes | |
| parsed.extensions.qc_statements.parsed.legislation.country_codes | STRING | Yes | |
| parsed.extensions.qc_statements.parsed.limit | SubRecord | Yes | |
| parsed.extensions.qc_statements.parsed.limit.amount | INTEGER | No | |
| parsed.extensions.qc_statements.parsed.limit.currency | STRING | No | |
| parsed.extensions.qc_statements.parsed.limit.currency_number | INTEGER | No | |
| parsed.extensions.qc_statements.parsed.limit.exponent | INTEGER | No | |
| parsed.extensions.qc_statements.parsed.pds_locations | SubRecord | Yes | |
| parsed.extensions.qc_statements.parsed.pds_locations.language | STRING | No | |
| parsed.extensions.qc_statements.parsed.pds_locations.url | STRING | No | |
| parsed.extensions.qc_statements.parsed.retention_period | INTEGER | Yes | |
| parsed.extensions.qc_statements.parsed.sscd | BOOLEAN | Yes | |
| parsed.extensions.qc_statements.parsed.types | SubRecord | Yes | |
| parsed.extensions.qc_statements.parsed.types.ids | STRING | Yes | |
| parsed.extensions.signed_certificate_timestamps | SubRecord | Yes | |
| parsed.extensions.signed_certificate_timestamps.log_id | BYTES | No | |
| parsed.extensions.signed_certificate_timestamps.signature | SubRecord | No | |
| parsed.extensions.signed_certificate_timestamps.signature.hash_algorithm | STRING | No | |
| parsed.extensions.signed_certificate_timestamps.signature.signature | BYTES | No | |
| parsed.extensions.signed_certificate_timestamps.signature.signature_algorithm | STRING | No | |
| parsed.extensions.signed_certificate_timestamps.timestamp | TIMESTAMP | No | |
| parsed.extensions.signed_certificate_timestamps.version | INTEGER | No | |
| parsed.extensions.subject_alt_name | SubRecord | No | The parsed id-ce-subjectAltName extension (OID: 2.5.29.17). |
| parsed.extensions.subject_alt_name.directory_names | SubRecord | Yes | The parsed directoryName entries in the GeneralName. |
| parsed.extensions.subject_alt_name.directory_names.common_name | STRING | Yes | The commonName (CN) elements of the Distinguished Name (OID: 2.5.4.3). |
| parsed.extensions.subject_alt_name.directory_names.country | STRING | Yes | The countryName (C) elements of the Distinguished Name (OID: 2.5.4.6). |
| parsed.extensions.subject_alt_name.directory_names.domain_component | STRING | Yes | The domainComponent (DC) elements of the Distinguished Name (OID: 0.9.2342.19200300.100.1.25). |
| parsed.extensions.subject_alt_name.directory_names.email_address | STRING | Yes | The emailAddress (E) elements of the Distinguished Name (OID: 1.2.840.113549.1.9.1). |
| parsed.extensions.subject_alt_name.directory_names.given_name | STRING | Yes | The givenName (G) elements of the Distinguished Name (OID: 2.5.4.42). |
| parsed.extensions.subject_alt_name.directory_names.jurisdiction_country | STRING | Yes | The jurisdictionCountry elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.3). |
| parsed.extensions.subject_alt_name.directory_names.jurisdiction_locality | STRING | Yes | The jurisdictionLocality elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.1). |
| parsed.extensions.subject_alt_name.directory_names.jurisdiction_province | STRING | Yes | The jurisdictionStateOrProvince elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.2). |
| parsed.extensions.subject_alt_name.directory_names.locality | STRING | Yes | The localityName (L) elements of the Distinguished Name (OID: 2.5.4.7). |
| parsed.extensions.subject_alt_name.directory_names.organization | STRING | Yes | The organizationName (O) elements of the Distinguished Name (OID: 2.5.4.10). |
| parsed.extensions.subject_alt_name.directory_names.organization_id | STRING | Yes | |
| parsed.extensions.subject_alt_name.directory_names.organizational_unit | STRING | Yes | The organizationalUnit (OU) elements of the Distinguished Name (OID: 2.5.4.11). |
| parsed.extensions.subject_alt_name.directory_names.postal_code | STRING | Yes | The postalCode elements of the Distinguished Name (OID: 2.5.4.17). |
| parsed.extensions.subject_alt_name.directory_names.province | STRING | Yes | The stateOrProvinceName (ST) elements of the Distinguished Name (OID: 2.5.4.8). |
| parsed.extensions.subject_alt_name.directory_names.serial_number | STRING | Yes | The serialNumber elements of the Distinguished Name (OID: 2.5.4.5). |
| parsed.extensions.subject_alt_name.directory_names.street_address | STRING | Yes | The streetAddress (STREET) elements of the Distinguished Name (OID: 2.5.4.9). |
| parsed.extensions.subject_alt_name.directory_names.surname | STRING | Yes | The surname (SN) elements of the Distinguished Name (OID: 2.5.4.4). |
| parsed.extensions.subject_alt_name.dns_names | STRING | Yes | The parsed dNSName entries in the GeneralName. |
| parsed.extensions.subject_alt_name.edi_party_names | SubRecord | Yes | The parsed eDIPartyName entries in the GeneralName. |
| parsed.extensions.subject_alt_name.edi_party_names.name_assigner | STRING | No | |
| parsed.extensions.subject_alt_name.edi_party_names.party_name | STRING | No | |
| parsed.extensions.subject_alt_name.email_addresses | STRING | Yes | The parsed rfc822Name entries in the GeneralName. |
| parsed.extensions.subject_alt_name.ip_addresses | STRING | Yes | The parsed ipAddress entries in the GeneralName. |
| parsed.extensions.subject_alt_name.other_names | SubRecord | Yes | The parsed otherName entries in the GeneralName. An arbitrary binary value identified by an OID. |
| parsed.extensions.subject_alt_name.other_names.id | STRING | No | The OID identifying the syntax of the otherName value. |
| parsed.extensions.subject_alt_name.other_names.value | BYTES | No | The raw otherName value. |
| parsed.extensions.subject_alt_name.registered_ids | STRING | Yes | The parsed registeredID entries in the GeneralName. Stored in dotted-decimal format. |
| parsed.extensions.subject_alt_name.uniform_resource_identifiers | STRING | Yes | The parsed uniformResourceIdentifier entries in the GeneralName. |
| parsed.extensions.subject_key_id | BYTES | No | A key identifier, usually a digest of the DER-encoded SubjectPublicKeyInfo.. |
| parsed.extensions.tor_service_descriptors | SubRecord | Yes | |
| parsed.extensions.tor_service_descriptors.algorithm_name | STRING | No | |
| parsed.extensions.tor_service_descriptors.hash | BYTES | No | |
| parsed.extensions.tor_service_descriptors.hash_bits | INTEGER | No | |
| parsed.extensions.tor_service_descriptors.onion | STRING | No | |
| parsed.issuer | SubRecord | No | A record containing the parsed contents of the issuer_dn. |
| parsed.issuer.common_name | STRING | Yes | The commonName (CN) elements of the Distinguished Name (OID: 2.5.4.3). |
| parsed.issuer.country | STRING | Yes | The countryName (C) elements of the Distinguished Name (OID: 2.5.4.6). |
| parsed.issuer.domain_component | STRING | Yes | The domainComponent (DC) elements of the Distinguished Name (OID: 0.9.2342.19200300.100.1.25). |
| parsed.issuer.email_address | STRING | Yes | The emailAddress (E) elements of the Distinguished Name (OID: 1.2.840.113549.1.9.1). |
| parsed.issuer.given_name | STRING | Yes | The givenName (G) elements of the Distinguished Name (OID: 2.5.4.42). |
| parsed.issuer.jurisdiction_country | STRING | Yes | The jurisdictionCountry elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.3). |
| parsed.issuer.jurisdiction_locality | STRING | Yes | The jurisdictionLocality elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.1). |
| parsed.issuer.jurisdiction_province | STRING | Yes | The jurisdictionStateOrProvince elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.2). |
| parsed.issuer.locality | STRING | Yes | The localityName (L) elements of the Distinguished Name (OID: 2.5.4.7). |
| parsed.issuer.organization | STRING | Yes | The organizationName (O) elements of the Distinguished Name (OID: 2.5.4.10). |
| parsed.issuer.organization_id | STRING | Yes | |
| parsed.issuer.organizational_unit | STRING | Yes | The organizationalUnit (OU) elements of the Distinguished Name (OID: 2.5.4.11). |
| parsed.issuer.postal_code | STRING | Yes | The postalCode elements of the Distinguished Name (OID: 2.5.4.17). |
| parsed.issuer.province | STRING | Yes | The stateOrProvinceName (ST) elements of the Distinguished Name (OID: 2.5.4.8). |
| parsed.issuer.serial_number | STRING | Yes | The serialNumber elements of the Distinguished Name (OID: 2.5.4.5). |
| parsed.issuer.street_address | STRING | Yes | The streetAddress (STREET) elements of the Distinguished Name (OID: 2.5.4.9). |
| parsed.issuer.surname | STRING | Yes | The surname (SN) elements of the Distinguished Name (OID: 2.5.4.4). |
| parsed.issuer_dn | STRING | No | Distinguished Name of the entity that has signed and issued the certificate. |
| parsed.redacted | BOOLEAN | No | |
| parsed.serial_number | STRING | No | Issuer-specific identifier of the certificate. |
| parsed.serial_number_hex | STRING | No | Issuer-specific identifier of the certificate, represented as hexadecimal. |
| parsed.signature | SubRecord | No | |
| parsed.signature.self_signed | BOOLEAN | No | Whether the certificate was signed by its own key. |
| parsed.signature.signature_algorithm | SubRecord | No | |
| parsed.signature.signature_algorithm.name | STRING | No | Name of public key type, such as RSA or ECDSA. Information specific to the key type is available in the named sub-record. |
| parsed.signature.signature_algorithm.oid | STRING | No | |
| parsed.signature.valid | BOOLEAN | No | Whether the signature is valid. |
| parsed.signature.value | BYTES | No | Contents of the signature. |
| parsed.subject | SubRecord | No | A record containing the parsed contents of the subject_dn. |
| parsed.subject.common_name | STRING | Yes | The commonName (CN) elements of the Distinguished Name (OID: 2.5.4.3). |
| parsed.subject.country | STRING | Yes | The countryName (C) elements of the Distinguished Name (OID: 2.5.4.6). |
| parsed.subject.domain_component | STRING | Yes | The domainComponent (DC) elements of the Distinguished Name (OID: 0.9.2342.19200300.100.1.25). |
| parsed.subject.email_address | STRING | Yes | The emailAddress (E) elements of the Distinguished Name (OID: 1.2.840.113549.1.9.1). |
| parsed.subject.given_name | STRING | Yes | The givenName (G) elements of the Distinguished Name (OID: 2.5.4.42). |
| parsed.subject.jurisdiction_country | STRING | Yes | The jurisdictionCountry elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.3). |
| parsed.subject.jurisdiction_locality | STRING | Yes | The jurisdictionLocality elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.1). |
| parsed.subject.jurisdiction_province | STRING | Yes | The jurisdictionStateOrProvince elements of the Distinguished Name (OID: 1.3.6.1.4.1.311.60.2.1.2). |
| parsed.subject.locality | STRING | Yes | The localityName (L) elements of the Distinguished Name (OID: 2.5.4.7). |
| parsed.subject.organization | STRING | Yes | The organizationName (O) elements of the Distinguished Name (OID: 2.5.4.10). |
| parsed.subject.organization_id | STRING | Yes | |
| parsed.subject.organizational_unit | STRING | Yes | The organizationalUnit (OU) elements of the Distinguished Name (OID: 2.5.4.11). |
| parsed.subject.postal_code | STRING | Yes | The postalCode elements of the Distinguished Name (OID: 2.5.4.17). |
| parsed.subject.province | STRING | Yes | The stateOrProvinceName (ST) elements of the Distinguished Name (OID: 2.5.4.8). |
| parsed.subject.serial_number | STRING | Yes | The serialNumber elements of the Distinguished Name (OID: 2.5.4.5). |
| parsed.subject.street_address | STRING | Yes | The streetAddress (STREET) elements of the Distinguished Name (OID: 2.5.4.9). |
| parsed.subject.surname | STRING | Yes | The surname (SN) elements of the Distinguished Name (OID: 2.5.4.4). |
| parsed.subject_dn | STRING | No | Distinguished Name of the entity associated with the public key. |
| parsed.subject_key_info | SubRecord | No | Information about the certificate's public key. |
| parsed.subject_key_info.dsa | SubRecord | No | A record containing the public portion of a DSA asymmetric key. |
| parsed.subject_key_info.dsa.g | BYTES | No | |
| parsed.subject_key_info.dsa.p | BYTES | No | |
| parsed.subject_key_info.dsa.q | BYTES | No | |
| parsed.subject_key_info.dsa.y | BYTES | No | |
| parsed.subject_key_info.ecdsa | SubRecord | No | A record containing the public portion of an ECDSA asymmetric key. |
| parsed.subject_key_info.ecdsa.b | BYTES | No | |
| parsed.subject_key_info.ecdsa.curve | STRING | No | |
| parsed.subject_key_info.ecdsa.gx | BYTES | No | |
| parsed.subject_key_info.ecdsa.gy | BYTES | No | |
| parsed.subject_key_info.ecdsa.length | INTEGER | No | |
| parsed.subject_key_info.ecdsa.n | BYTES | No | |
| parsed.subject_key_info.ecdsa.p | BYTES | No | |
| parsed.subject_key_info.ecdsa.pub | BYTES | No | |
| parsed.subject_key_info.ecdsa.x | BYTES | No | |
| parsed.subject_key_info.ecdsa.y | BYTES | No | |
| parsed.subject_key_info.fingerprint_sha256 | BYTES | No | The SHA-256 digest of the certificate's DER-encoded SubjectPublicKeyInfo. |
| parsed.subject_key_info.key_algorithm | SubRecord | No | A record containing information about the type of subject key algorithm and any relevant parameters. |
| parsed.subject_key_info.key_algorithm.name | STRING | No | Name of public key type, such as RSA or ECDSA. Information specific to the key type is available in the named sub-record. |
| parsed.subject_key_info.key_algorithm.oid | STRING | No | |
| parsed.subject_key_info.rsa | SubRecord | No | A record containing the public portion of an RSA asymmetric key. |
| parsed.subject_key_info.rsa.exponent | INTEGER | No | The RSA key's public exponent (e). |
| parsed.subject_key_info.rsa.length | INTEGER | No | Bit-length of the RSA modulus. |
| parsed.subject_key_info.rsa.modulus | BYTES | No | The RSA key's modulus (n) in big-endian encoding. |
| parsed.subject_key_info.unrecognized | SubRecord | No | A record containing known information about an unrecognized key type. |
| parsed.subject_key_info.unrecognized.raw | BYTES | No | |
| parsed.unknown_extensions | SubRecord | Yes | |
| parsed.unknown_extensions.critical | BOOLEAN | No | |
| parsed.unknown_extensions.id | STRING | No | |
| parsed.unknown_extensions.value | BYTES | No | |
| parsed.validity_period | SubRecord | No | Information about the time for which the certificate is valid. |
| parsed.validity_period.length_seconds | INTEGER | No | The duration of the certificate's validity period, in seconds. |
| parsed.validity_period.not_after | TIMESTAMP | No | An RFC-3339-formatted timestamp after which the certificate is no longer valid. |
| parsed.validity_period.not_before | TIMESTAMP | No | An RFC-3339-formatted timestamp before which the certificate is not valid. |
| parsed.version | INTEGER | No | |
| precert | BOOLEAN | No | Whether the X.509 "poison" extension (OID: 1.3.6.1.4.1.11129.2.4.3) is marked critical, which prohibits the pre-certificate from being trusted. |
| raw | BYTES | No | |
| revocation | SubRecord | No | A record containing revocation information, if the certificate has been revoked. |
| revocation.crl | SubRecord | No | |
| revocation.crl.next_update | TIMESTAMP | No | |
| revocation.crl.reason | STRING | No | An enumerated value indicating the issuer-supplied reason for the revocation. |
| revocation.crl.revocation_time | TIMESTAMP | No | The issuer-supplied timestamp indicating when the certificate was revoked. |
| revocation.crl.revoked | BOOLEAN | No | Whether the certificate has been revoked before its expiry date by the issuer. |
| revocation.ocsp | SubRecord | No | |
| revocation.ocsp.next_update | TIMESTAMP | No | |
| revocation.ocsp.reason | STRING | No | An enumerated value indicating the issuer-supplied reason for the revocation. |
| revocation.ocsp.revocation_time | TIMESTAMP | No | The issuer-supplied timestamp indicating when the certificate was revoked. |
| revocation.ocsp.revoked | BOOLEAN | No | Whether the certificate has been revoked before its expiry date by the issuer. |
| revoked | BOOLEAN | No | Whether the certificate has been revoked before its expiry date by the issuer. |
| spki_subject_fingerprint_sha256 | BYTES | No | The SHA-256 digest of the certificate's DER-encoded SubjectPublicKeyInfo concatenated with its Subject. |
| tbs_fingerprint_sha256 | BYTES | No | The SHA-256 digest of the unsigned certificate's contents. |
| tbs_no_ct_fingerprint_sha256 | BYTES | No | The SHA-256 digest of the unsigned certificate with the CT Poison extension removed, if present. This represents the shared contents of a certificate and its corresponding pre-certificate. |
| validated_at | TIMESTAMP | No | When the certificate record's trust was last checked. |
| validation | SubRecord | No | A record containing information from the maintainers of major root certificate stores related to their trust assessment. |
| validation.apple | SubRecord | No | A record containing validation information about the certificate from the Apple root store. |
| validation.apple.chains | SubRecord | Yes | A path of trusted signing certificates up to a root certificate present in a root store, represented as an ordered list of SHA-256 fingerprints. |
| validation.apple.chains.sha256fp | BYTES | Yes | |
| validation.apple.ever_valid | BOOLEAN | No | Whether the certificate has ever been considered valid by the root store. |
| validation.apple.had_trusted_path | BOOLEAN | No | Whether there ever existed a trusted path of signing certificates from a certificate present in the root certificate store. |
| validation.apple.has_trusted_path | BOOLEAN | No | Whether there currently exists a trusted path of signing certificates from a certificate present in the root certificate store. |
| validation.apple.in_revocation_set | BOOLEAN | No | Whether the certificate is in the revocation set (e.g. OneCRL) associated with the root store. |
| validation.apple.is_valid | BOOLEAN | No | Whether the certificate is currently considered valid by the root store: a summary of the trust path, revoked, blocklisted/allowlisted, and expired fields. |
| validation.apple.parents | BYTES | Yes | The SHA-256 fingerprints of the certificate's immediate parents in its trust path(s). |
| validation.apple.type | STRING | No | The certificate's type. Options include root, intermediate, or leaf. |
| validation.chrome | SubRecord | No | A record containing validation information about the certificate from the Chrome root store. |
| validation.chrome.chains | SubRecord | Yes | A path of trusted signing certificates up to a root certificate present in a root store, represented as an ordered list of SHA-256 fingerprints. |
| validation.chrome.chains.sha256fp | BYTES | Yes | |
| validation.chrome.ever_valid | BOOLEAN | No | Whether the certificate has ever been considered valid by the root store. |
| validation.chrome.had_trusted_path | BOOLEAN | No | Whether there ever existed a trusted path of signing certificates from a certificate present in the root certificate store. |
| validation.chrome.has_trusted_path | BOOLEAN | No | Whether there currently exists a trusted path of signing certificates from a certificate present in the root certificate store. |
| validation.chrome.in_revocation_set | BOOLEAN | No | Whether the certificate is in the revocation set (e.g. OneCRL) associated with the root store. |
| validation.chrome.is_valid | BOOLEAN | No | Whether the certificate is currently considered valid by the root store: a summary of the trust path, revoked, blocklisted/allowlisted, and expired fields. |
| validation.chrome.parents | BYTES | Yes | The SHA-256 fingerprints of the certificate's immediate parents in its trust path(s). |
| validation.chrome.type | STRING | No | The certificate's type. Options include root, intermediate, or leaf. |
| validation.microsoft | SubRecord | No | A record containing validation information about the certificate from the Microsoft root store. |
| validation.microsoft.chains | SubRecord | Yes | A path of trusted signing certificates up to a root certificate present in a root store, represented as an ordered list of SHA-256 fingerprints. |
| validation.microsoft.chains.sha256fp | BYTES | Yes | |
| validation.microsoft.ever_valid | BOOLEAN | No | Whether the certificate has ever been considered valid by the root store. |
| validation.microsoft.had_trusted_path | BOOLEAN | No | Whether there ever existed a trusted path of signing certificates from a certificate present in the root certificate store. |
| validation.microsoft.has_trusted_path | BOOLEAN | No | Whether there currently exists a trusted path of signing certificates from a certificate present in the root certificate store. |
| validation.microsoft.in_revocation_set | BOOLEAN | No | Whether the certificate is in the revocation set (e.g. OneCRL) associated with the root store. |
| validation.microsoft.is_valid | BOOLEAN | No | Whether the certificate is currently considered valid by the root store: a summary of the trust path, revoked, blocklisted/allowlisted, and expired fields. |
| validation.microsoft.parents | BYTES | Yes | The SHA-256 fingerprints of the certificate's immediate parents in its trust path(s). |
| validation.microsoft.type | STRING | No | The certificate's type. Options include root, intermediate, or leaf. |
| validation.nss | SubRecord | No | A record containing validation information about the certificate from the Mozilla NSS root store. |
| validation.nss.chains | SubRecord | Yes | A path of trusted signing certificates up to a root certificate present in a root store, represented as an ordered list of SHA-256 fingerprints. |
| validation.nss.chains.sha256fp | BYTES | Yes | |
| validation.nss.ever_valid | BOOLEAN | No | Whether the certificate has ever been considered valid by the root store. |
| validation.nss.had_trusted_path | BOOLEAN | No | Whether there ever existed a trusted path of signing certificates from a certificate present in the root certificate store. |
| validation.nss.has_trusted_path | BOOLEAN | No | Whether there currently exists a trusted path of signing certificates from a certificate present in the root certificate store. |
| validation.nss.in_revocation_set | BOOLEAN | No | Whether the certificate is in the revocation set (e.g. OneCRL) associated with the root store. |
| validation.nss.is_valid | BOOLEAN | No | Whether the certificate is currently considered valid by the root store: a summary of the trust path, revoked, blocklisted/allowlisted, and expired fields. |
| validation.nss.parents | BYTES | Yes | The SHA-256 fingerprints of the certificate's immediate parents in its trust path(s). |
| validation.nss.type | STRING | No | The certificate's type. Options include root, intermediate, or leaf. |
| validation_level | STRING | No | The extent to which the certificate's issuer validated the identity of the entity requesting the certificate. Options include Domain validated (DV), Organization Validated (OV), or Extended Validation (EV). |
| zlint | SubRecord | No | |
| zlint.errors_present | BOOLEAN | No | Whether the certificate's attributes triggered any error lints for non-conformance to the X.509 standard. |
| zlint.failed_lints | STRING | Yes | A list of lint names which failed, if applicable. |
| zlint.fatals_present | BOOLEAN | No | Whether the certificate's attributes triggered any fatal lints for non-conformance to the X.509 standard. |
| zlint.notices_present | BOOLEAN | No | Whether the certificate's attributes triggered any notice lints for non-conformance to the X.509 standard. |
| zlint.timestamp | TIMESTAMP | No | An RFC-3339-formated timestamp indicating when the certificate was linted. |
| zlint.version | INTEGER | No | The version of Zlint used to lint the certificate. |
| zlint.warnings_present | BOOLEAN | No | Whether the certificate's attributes triggered any warning lints for non-conformance to the X.509 standard. |