Description
I'm writing my own reporting system to interface with the Icinga X509 database to meet our internal needs, but I'm having trouble understanding how some of the timestamp fields are used (I see that they are Unix timestamps in milliseconds). The valid_from and valid_to timestamps are pretty straightforward, and (almost) every table has a ctime entry which appears to be used to store the time the record was created (which isn't actually what Unix ctime is, but whatever). But what isn't clear is the mtime entries in x509_certificate and x509_target, as well as the last_scan field in x509_target.
First, x509_certificate: the mtime field appears to not be used, other than for imported trusted CA certs. I would have thought it would apply if a certificate gets updated (e.g., renewed), but instead a new record gets created for that new cert rather than modifying the existing record.
Second, x509_target. When I run a scan, I would assume that the last_scan timestamp would get updated. But it doesn't - the mtime timestamp does. Which feels very counter-intuitive.
Can someone with more knowledge of the inner workings of Icinga x509 please explain to me the logic behind the different timestamps and when they get updated? Also, if the name of the database field doesn't match the actual (or implied) usage, perhaps it would be a good idea to rename the fields to something a little more meaningful?
Thanks in advance for any insights you can give me.