Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Hi <#C08V7KTJB|> I am looking to build a query that can verify the chain of a certificate installed on the machine to verify it's a corporate asset.  These are the two queries I've built, but I am not too sure it will achieve its purpose, which is to inspect the entire chain of certificates. Any assistance is appreciated.
*`SELECT common_name, issuer, strftime('%d/m/%Y', datetime(not_valid_after, 'unixepoc')) as expiration_date FROM certificates WHERE path = "CurrentUser\Trusted Root Certification Authorities" ORDER BY common_name;`*

*`SELECT common_name FROM certificates WHERE common_name IN ('SGIO Test Root CA - G2' OR common_name = 'SGIO Root CA G2' OR common_name = 'SGIO Basic Assurance CA2' OR common_name = 'SGIO Basic Assurance CA2 G2' OR common_name = 'SGIO Basic Assurance CA G2');`*

Heads up that this does not verify anything, it would only ever let you know if a certificate with those properties exists on the machine.

I want to be sensitive that there are no security guarantees from reporting certificates from a certificate store.