ShadowTrackr


New fields in Certificates

16 April 2022
There are multiple new fields available in certificates, and you can use them in queries and reports. The renewed and partially_renewed fields allow you to make a custom report that lists all certificates that are about to expire. The result shows whether they have been renewed in time or not:

index=certificates not_after<+3w last_seen>-1m | table cn, ip, grade, renewed, partially_renewed, issuer

The cn_without_sni field is handy to get more information on shared hosters:

index=certificates cn != cn_without_sni | table cn, cn_without_sni, ip, issuer

The subject and issuersubject fields give the exact string that is in the certificate, complete with CN, O, OU and other values used. As an extra, these are also parsed out and made available separately. Please note that older certificates (before April 2022) do not have these fields populated. You can use these fields to group by subject countries:

index=certificates by C

Or issuer countries:

index=certificates by issuer_C

Please see Certificate Index in the docs for more details.
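
To show what parsing a subject string into separate values involves, here is an added example (not ShadowTrackr code) that splits subject strings into their attributes and counts them by C, like the grouping queries above. It assumes the string is comma-separated in the RFC 4514 style; the function names and sample subjects are constructed for illustration.

```python
import re
from collections import Counter

# Backslash followed by a hex pair (e.g. \C3) or by a single escaped character.
_ESC = re.compile(rb"\\([0-9A-Fa-f]{2}|.)", re.S)

def split_unescaped(text, sep):
    """Split on sep, skipping separators that are backslash-escaped."""
    return re.findall(r"(?:\\.|[^\\%s])+" % re.escape(sep), text, re.S)

def unescape(value):
    """Resolve escapes in an attribute value and decode it as UTF-8."""
    def repl(m):
        tok = m[1]
        return bytes.fromhex(tok.decode()) if len(tok) == 2 else tok
    return _ESC.sub(repl, value.encode()).decode("utf-8", errors="replace")

def parse_subject(subject):
    """Return {attribute: [values]}; attributes such as OU can repeat."""
    fields = {}
    for rdn in split_unescaped(subject, ","):
        for ava in split_unescaped(rdn, "+"):   # multi-valued component
            key, sep, value = ava.partition("=")
            if sep:
                name = key.strip().upper()
                fields.setdefault(name, []).append(unescape(value.lstrip()))
    return fields

def count_by(subjects, attribute):
    """Count subjects per first value of an attribute, e.g. C for country."""
    return Counter(parse_subject(s).get(attribute, ["(none)"])[0]
                   for s in subjects)

# Constructed sample subjects, not real certificate data.
SAMPLE = [
    r"CN=www.example.com,O=Example\, Inc.,OU=IT,OU=Web,C=US",
    "C = NL, O = Voorbeeld B.V., CN = voorbeeld.example",
    r"CN=caf\C3\A9.example,C=FR",
    "CN=no-country.example",
]

if __name__ == "__main__":
    for country, total in count_by(SAMPLE, "C").most_common():
        print(country, total)
```

The escaped comma in the O value is the case a naive split on "," gets wrong: it would cut the organisation name in two and produce a bogus attribute.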