mozilla / mig

Distributed & real time digital forensics at the speed of the cloud

Home Page: http://mig.mozilla.org/

Feature Request: Find and query TLS certificates

arcrose opened this issue · comments

This request came in from atoll, who has described his use case like so (my paraphrasing):

  • We would like to be able to identify certificate files on hosts, then
  • Decode the certificate file and parse its ASN.1 structure, then
  • Execute a query over the parsed structure to answer questions like:
    • Is the certificate self-signed?
    • Is the certificate using secure crypto primitives?
    • Is the certificate explicitly disallowing the use of insecure crypto primitives?

You could write a new module that imports the file module to list files that contain -----BEGIN CERTIFICATE----- and then process those files. However, scanning an entire file system takes too much time and typically gets killed before completion. It would succeed if you limit it to /etc though.
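The three steps in the request (locate files carrying a PEM certificate, decode the PEM and parse the DER/ASN.1 structure, then query the parsed certificate) fit in a short Go program. The example below is added here as an illustration and is not code from the MIG project or its file module; `ScanDir`, `InspectPEM`, `CertFinding` and the "weak" thresholds (MD2/MD5/SHA-1 signatures, RSA keys under 2048 bits) are this example's own choices, and `WriteSamples` generates constructed certificates into a directory so the scan has something to find offline. The `maxSize` bound skips large files, one reason a whole-filesystem scan of the kind the comment above describes gets killed; `ScanDir("/etc", 1<<20)` mirrors the suggestion to limit the search to `/etc`.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// CertFinding answers the issue's questions for one certificate found on disk.
type CertFinding struct {
	Path, Subject                   string
	SelfSigned, WeakSigAlg, WeakKey bool // self-signed; MD2/MD5/SHA-1 signature; RSA key < 2048 bits
}

var pemMarker = []byte("-----BEGIN CERTIFICATE-----")

// Signature algorithms this example treats as insecure primitives (an assumption, not MIG policy).
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{x509.MD2WithRSA: true, x509.MD5WithRSA: true,
	x509.SHA1WithRSA: true, x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true}

// ScanDir walks root (e.g. /etc) and inspects regular files of at most maxSize bytes that
// contain the PEM marker; unreadable entries are skipped rather than aborting the scan.
func ScanDir(root string, maxSize int64) ([]CertFinding, error) {
	var out []CertFinding
	err := filepath.Walk(root, func(path string, info os.FileInfo, walkErr error) error {
		if walkErr != nil || !info.Mode().IsRegular() || info.Size() > maxSize {
			return nil
		}
		if data, err := os.ReadFile(path); err == nil && bytes.Contains(data, pemMarker) {
			out = append(out, InspectPEM(path, data)...)
		}
		return nil
	})
	return out, err
}

// InspectPEM decodes each CERTIFICATE block (PEM -> DER -> parsed ASN.1 structure) and queries it;
// blocks that fail to parse are skipped, since stray or corrupt PEM is common on hosts.
func InspectPEM(path string, data []byte) []CertFinding {
	var findings []CertFinding
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			continue
		}
		rsaKey, isRSA := cert.PublicKey.(*rsa.PublicKey)
		findings = append(findings, CertFinding{Path: path, Subject: cert.Subject.String(),
			SelfSigned: isSelfSigned(cert), WeakSigAlg: weakSigAlgs[cert.SignatureAlgorithm],
			WeakKey: isRSA && rsaKey.N.BitLen() < 2048})
	}
	return findings
}

// isSelfSigned: issuer == subject AND the signature verifies under the certificate's own key.
// A signature Go rejects only because its hash is insecure still counts; WeakSigAlg reports that.
func isSelfSigned(c *x509.Certificate) bool {
	if !bytes.Equal(c.RawIssuer, c.RawSubject) {
		return false
	}
	err := c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature)
	var insecure x509.InsecureAlgorithmError
	return err == nil || errors.As(err, &insecure)
}

// WriteSamples writes constructed test material (not real host data) into dir: a self-signed
// P-256 CA and a CA-issued leaf whose 1024-bit RSA key is deliberately too short.
func WriteSamples(dir string) error {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := rsa.GenerateKey(rand.Reader, 1024)
	if err := errors.Join(err1, err2); err != nil {
		return err
	}
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: true}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed-leaf"},
		NotBefore: now, NotAfter: ca.NotAfter}
	caDER, err1 := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey) // parent == template
	leafDER, err2 := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	if err := errors.Join(err1, err2); err != nil {
		return err
	}
	for name, der := range map[string][]byte{"ca.pem": caDER, "leaf.pem": leafDER} {
		p := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
		if err := os.WriteFile(filepath.Join(dir, name), p, 0o600); err != nil {
			return err
		}
	}
	return nil
}
```

To try it, call `WriteSamples` on a temporary directory and then `ScanDir` on that directory: the CA comes back self-signed with no weak primitives, the leaf comes back not self-signed but with `WeakKey` set. The name comparison alone is not enough for the self-signed question, since any certificate can claim its own name as issuer; verifying the signature under the certificate's own key is what actually settles it.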