In BRO 2.5.X there are about 3 or 4 log files that have SSL Certificate information: x509.log, ssl.log, conn.log and dns.log. In simplest process I think I need to either build a series of searches or use multisearch or join in SPL. Infact I would like for it all to be SPL. So not all fields are in all logs so I have to connect field A in log A with field A in log B create a new field B from log A&B and use that in log C to get fields D&E, then create dashboard or I can start off with a table. (Each log is a separate source type)
Some of the fields in BRO that are applicable is uid, fuid, CN, id_resp_h, txhost, rxhost.
Gather all certificate activity using the CN field and a dedup to get a list of certificates. (ssl.log)
Take that list of CN and use that in x509.log to get all the certificate information (serial, expiry date, issuer, etc)
Take CN field and certificate information and use it in the dns.log
Convert some fields in to human readable format and create table with fields.