Skip to main content

CertificateExtract

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Extract fields from a certificate file and return the standard context

Script Data#


NameDescription
Script Typepython3
Tags
Cortex XSOAR Version6.0.0

Inputs#


Argument NameDescription
pemCertificate in PEM format
entry_idCertificate entry ID (in DER or PEM format)

Outputs#


PathDescriptionType
Certificate.NameName (CN or SAN) appearing in the certificate.String
Certificate.SubjectDNThe Subject Distinguished Name of the certificate.
This field includes the Common Name of the certificate.
String
Certificate.PEMCertificate in PEM format.String
Certificate.IssuerDNThe Issuer Distinguished Name of the certificate.String
Certificate.SerialNumberThe Serial Number of the certificate.String
Certificate.ValidityNotAfterEnd of certificate validity period.Date
Certificate.ValidityNotBeforeStart of certificate validity period.Date
Certificate.SubjectAlternativeName.TypeType of the SAN.String
Certificate.SubjectAlternativeName.ValueName of the SAN.String
Certificate.SHA512SHA512 Fingerprint of the certificate in DER format.String
Certificate.SHA256SHA256 Fingerprint of the certificate in DER format.String
Certificate.SHA1SHA1 Fingerprint of the certificate in DER format.String
Certificate.MD5MD5 Fingerprint of the certificate in DER format.String
Certificate.PublicKey.AlgorithmAlgorithm used for public key of the certificate.String
Certificate.PublicKey.LengthLength in bits of the public key of the certificate.Number
Certificate.PublicKey.ModulusModulus of the public key for RSA keys.String
Certificate.PublicKey.ExponentExponent of the public key for RSA keys.Number
Certificate.PublicKey.PublicKeyThe public key for DSA/Unknown keys.String
Certificate.PublicKey.PThe P parameter for DSA keys.String
Certificate.PublicKey.QThe Q parameter for DSA keys.String
Certificate.PublicKey.GThe G parameter for DSA keys.String
Certificate.PublicKey.XThe X parameter for EC keys.String
Certificate.PublicKey.YThe Y parameter for EC keys.String
Certificate.PublicKey.CurveCurve of the Public Key for EC keys.String
Certificate.SPKISHA256SHA256 fingerprint of the certificate Subject Public Key Info.String
Certificate.Signature.AlgorithmAlgorithm used in the signature of the certificate.String
Certificate.Signature.SignatureSignature of the certificate.String
Certificate.Extension.CriticalCritical flag of the certificate extension.Bool
Certificate.Extension.OIDOID of the certificate extension.String
Certificate.Extension.NameName of the certificate extension.String
Certificate.Extension.ValueValue of the certificate extension.Unknown
Certificate.Malicious.VendorThe vendor that reported the file as malicious.String
Certificate.Malicious.DescriptionA description explaining why the file was determined to be malicious.String
DBotScore.IndicatorThe indicator that was tested.String
DBotScore.TypeThe indicator type.String
DBotScore.VendorThe vendor used to calculate the score.String
DBotScore.ScoreThe actual score.Number

Script Example#

!CertificateExtract entry_id="978@5b925e3c-6ab8-4209-86bf-10f4ed6a9dc0"

Context Example#

{
"Certificate": {
"Extension": [
{
"Critical": true,
"Name": "basicConstraints",
"OID": "2.5.29.19",
"Value": {
"CA": false
}
},
{
"Critical": false,
"Name": "subjectKeyIdentifier",
"OID": "2.5.29.14",
"Value": {
"Digest": "3fe12ea63b9cf8414f0b001f2efa8ac5bd0fc73c"
}
},
{
"Critical": false,
"Name": "keyUsage",
"OID": "2.5.29.15",
"Value": {
"DataEncipherment": true,
"DigitalSignature": true,
"KeyAgreement": true,
"KeyEncipherment": true
}
},
{
"Critical": false,
"Name": "extendedKeyUsage",
"OID": "2.5.29.37",
"Value": {
"Usages": [
"clientAuth"
]
}
},
{
"Critical": false,
"Name": "subjectAltName",
"OID": "2.5.29.17",
"Value": [
{
"Type": "dNSName",
"Value": "*.example.com"
}
]
}
],
"IssuerDN": "CN=TestCA,OU=CA,O=Example.com,L=Casacca,ST=PR,C=IT",
"MD5": "ac2fead0b8ac25a3633194b38ad91ca9",
"Name": [
"*.example.com",
"IAmADVCertificate"
],
"PEM": "-----BEGIN CERTIFICATE-----\nMIIDzjCCAbagAwIBAgIIXAVHw/CcpwowDQYJKoZIhvcNAQELBQAwYDELMAkGA1UE\nBhMCSVQxCzAJBgNVBAgTAlBSMRAwDgYDVQQHEwdDYXNhY2NhMRQwEgYDVQQKEwtF\neGFtcGxlLmNvbTELMAkGA1UECxMCQ0ExDzANBgNVBAMTBlRlc3RDQTAeFw0yNjEy\nMDIxNDQxMDBaFw0yMTEyMDIxNDQxMDBaMBwxGjAYBgNVBAMTEUlBbUFEVkNlcnRp\nZmljYXRlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEfWq17YxZZuf/jPU/to3HRumn\nv8/LgZQSwkKUNdXs6niQYplCHTGQW1g062EtrhDhrWXYDIR1wxxt139y+z3hs9KP\ngThaIkJNjFx8dVklvIWx16c6t4cujZSVr6/08TLOo34wfDAMBgNVHRMBAf8EAjAA\nMB0GA1UdDgQWBBQ/4S6mO5z4QU8LAB8u+orFvQ/HPDALBgNVHQ8EBAMCA7gwEwYD\nVR0lBAwwCgYIKwYBBQUHAwIwGAYDVR0RBBEwD4INKi5leGFtcGxlLmNvbTARBglg\nhkgBhvhCAQEEBAMCBaAwDQYJKoZIhvcNAQELBQADggIBAAEhwtW+srmNaTs1krrt\nxybcF23jDNzRv/2G91PHf0CxFq7BjHYYzF3CvvwaQfTXMKog6j5arenuKgLEPpO9\navXiAcPt7vy3bxqX8WP4xgjoaRcEglS0cwW7bc+wtQT2NzqCsiXqNeRSiHXanNLY\nBGOayOnulnWP9vuAHNhgTDgxvMphxNDYtY9MA1Qj+Bs0jIuRHdFWBTVXvPYaMr4/\nbtzhrJY7VeS47IXDyp9KZbczy+5LUSh7AdKjXOI/kG8MUlKvfw/Vy23rDIOwb/dM\n/PWnqkbTFZI6cBl5FxWh2i/MaYUvjaynS/6A1fZIsgnq9mcCO/Auzaw8pa4Zx55w\nnf5hHBtp/Ksc+0ayPgYmfYKNGYvu/DQW3gvMAigYYaLAIrykYbkDl7mmQgL9lBIT\nBpBN72+ho1oZWb7F8YrbPa4odu2PBxO8kuleQKMfW73rQVF9BWUoxk8oDdHFkeye\nA+saBni5EZyYyLDMJRB2R9h/6mC02JkCRceHf7STNxiTvHwew8eP7mTNfmyTJDND\nEsGgwQpK6w0ki3/kQ3pD8rFUtpnA3AqjB0BON6j+lSpyPx/2HvGSvSx3aT2B6apC\nnoZV/cVfp9txXt1CkRt3zLpdzbQWTrRUiL+L2EaLeHPd901NZG0voxVUP64TuouB\nSIzBSFl5/q4tqkY4D2Gv4gPX\n-----END CERTIFICATE-----\n",
"PublicKey": {
"Algorithm": "EC",
"Curve": "secp384r1",
"Length": 384,
"X": "7d:6a:b5:ed:8c:59:66:e7:ff:8c:f5:3f:b6:8d:c7:46:e9:a7:bf:cf:cb:81:94:12:c2:42:94:35:d5:ec:ea:78:90:62:99:42:1d:31:90:5b:58:34:eb:61:2d:ae:10:e1",
"Y": "ad:65:d8:0c:84:75:c3:1c:6d:d7:7f:72:fb:3d:e1:b3:d2:8f:81:38:5a:22:42:4d:8c:5c:7c:75:59:25:bc:85:b1:d7:a7:3a:b7:87:2e:8d:94:95:af:af:f4:f1:32:ce"
},
"SHA1": "18ac1daece43f5b769260adbabf763046ebda80e",
"SHA256": "869c151a7174f95a35b58c7aa900da5daed3723b63a31f08b89edd788653e402",
"SPKISHA256": "f2d670d5c0e7e3ba2fb928dc2533c0191a679170acd7dc9387130173492e4b18",
"SerialNumber": "6630784933253916426",
"Signature": {
"Algorithm": "sha256",
"Signature": "0121c2d5beb2b98d693b3592baedc726dc176de30cdcd1bffd86f753c77f40b116aec18c7618cc5dc2befc1a41f4d730aa20ea3e5aade9ee2a02c43e93bd6af5e201c3edeefcb76f1a97f163f8c608e86917048254b47305bb6dcfb0b504f6373a82b225ea35e4528875da9cd2d804639ac8e9ee96758ff6fb801cd8604c3831bcca61c4d0d8b58f4c035423f81b348c8b911dd156053557bcf61a32be3f6edce1ac963b55e4b8ec85c3ca9f4a65b733cbee4b51287b01d2a35ce23f906f0c5252af7f0fd5cb6deb0c83b06ff74cfcf5a7aa46d315923a7019791715a1da2fcc69852f8daca74bfe80d5f648b209eaf667023bf02ecdac3ca5ae19c79e709dfe611c1b69fcab1cfb46b23e06267d828d198beefc3416de0bcc02281861a2c022bca461b90397b9a64202fd94121306904def6fa1a35a1959bec5f18adb3dae2876ed8f0713bc92e95e40a31f5bbdeb41517d056528c64f280dd1c591ec9e03eb1a0678b9119c98c8b0cc25107647d87fea60b4d8990245c7877fb493371893bc7c1ec3c78fee64cd7e6c9324334312c1a0c10a4aeb0d248b7fe4437a43f2b154b699c0dc0aa307404e37a8fe952a723f1ff61ef192bd2c77693d81e9aa429e8655fdc55fa7db715edd42911b77ccba5dcdb4164eb45488bf8bd8468b7873ddf74d4d646d2fa315543fae13ba8b81488cc1485979feae2daa46380f61afe203d7"
},
"SubjectAlternativeName": [
{
"Type": "dNSName",
"Value": "*.example.com"
}
],
"SubjectDN": "CN=IAmADVCertificate",
"ValidityNotAfter": "2021-12-02T14:41:00.000Z",
"ValidityNotBefore": "2026-12-02T14:41:00.000Z"
},
"DBotScore": {
"Indicator": "869c151a7174f95a35b58c7aa900da5daed3723b63a31f08b89edd788653e402",
"Score": 0,
"Type": "certificate",
"Vendor": "X509Certificate"
}
}

Human Readable Output#

Certificate decoded