Possible Fields Returned
dest,dest_port,ssl_end_time, ssl_engine, ssl_hash, ssl_is_valid, ssl_issuer, ssl_issuer_common_name, ssl_issuer_email, ssl_issuer_locality, ssl_issuer_organization, ssl_issuer_state, ssl_issuer_street, ssl_issuer_unit, ssl_name, ssl_policies, ssl_publickey, ssl_publickey_algorithm, ssl_self_issued, ssl_self_signed, ssl_serial, ssl_session_id, ssl_signature_algorithm, ssl_start_time, ssl_subject, ssl_subject_alt_name, ssl_subject_common_name, ssl_subject_email, ssl_subject_locality, ssl_subject_organization, ssl_subject_state, ssl_subject_street, ssl_subject_unit, ssl_validity_window, ssl_version

Examples
1: Connect to domain
| makeresults | eval dest="splunk.com" | lookup sslcert_lookup dest

2: Connect to domain using macro
| makeresults | eval dest="splunk.com" | `sslcert(dest)`

3: Connect to ip
| makeresults | eval dest="8.8.8.8" | lookup sslcert_lookup dest

4: Connect to host and port
| makeresults | eval dest="mysplunkserver", dest_port=8000 | lookup sslcert_lookup dest dest_port

5: Connect to host and port using macro
| makeresults | eval dest="mysplunkserver", dest_port=8000 | `sslcert(dest, dest_port)`

6: Connect to ip and get only CN
| makeresults | eval dest="8.8.8.8" | lookup sslcert_lookup dest OUTPUT ssl_subject_common_name

7: Connect to ip and get only CN and SAN
| makeresults | eval dest="8.8.8.8" | lookup sslcert_lookup dest OUTPUT ssl_subject_common_name ssl_subject_alt_name | eval ssl_subject_alt_name = split(ssl_subject_alt_name,"|")




https://splunkbase.splunk.com/app/4580/#/details