ssl_info

join type=outer ip,port [search sourcetype=qualysguard qid=86002 | rex field=results "commonName (?<cert_cn>.*)\n" | rex field=results "emailAddress (?<cert_email>.*)\n" | rex field=results "Valid Till (?<cert_expires>.*)\n" | rex field=results "localityName (?<cert_locality>.*)\n" | rex field=results "Valid From (?<cert_from>.*)\n" | fields ip,port,cert_*]

This only works if doing your periodic vuln scans with Qualys, as they provide this information. The search for the QID 86002 makes the macro faster as it only looks at valid findings that have ssl information available.