Agent-Skills.md

Agent Skills: Configuring Certificate Authority with OpenSSL

A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking digital certificates. This skill covers building a two-tier CA hierarchy (Root CA +

UncategorizedID: plurigrid/asi/configuring-certificate-authority-with-openssl

Repository

plurigrid/asi
plurigridLicense: MIT
165

Install this agent skill to your local

pnpm dlx add-skill https://github.com/plurigrid/asi/tree/HEAD/plugins/asi/skills/configuring-certificate-authority-with-openssl

Skill Files

Browse the full folder contents for configuring-certificate-authority-with-openssl.

Download Skill

Loading file tree…

plugins/asi/skills/configuring-certificate-authority-with-openssl/SKILL.md

Skill Metadata

Name
configuring-certificate-authority-with-openssl
Description
A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking digital certificates. This skill covers building a two-tier CA hierarchy (Root CA +

Configuring Certificate Authority with OpenSSL

Overview

A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking digital certificates. This skill covers building a two-tier CA hierarchy (Root CA + Intermediate CA) using OpenSSL and the Python cryptography library, including CRL distribution, OCSP responder configuration, and certificate policy management.

When to Use

  • When deploying or configuring configuring certificate authority with openssl capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • Familiarity with cryptography concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Objectives

  • Create a Root CA with self-signed certificate
  • Create an Intermediate CA signed by the Root CA
  • Issue server and client certificates from the Intermediate CA
  • Configure Certificate Revocation Lists (CRLs)
  • Implement certificate policies and constraints
  • Build a complete PKI hierarchy programmatically

Key Concepts

CA Hierarchy

Root CA (offline, air-gapped)
  |
  +-- Intermediate CA (online, operational)
        |
        +-- Server Certificates
        +-- Client Certificates
        +-- Code Signing Certificates

Certificate Extensions

| Extension | Purpose | Critical | |-----------|---------|----------| | basicConstraints | CA:TRUE/FALSE, pathLenConstraint | Yes | | keyUsage | keyCertSign, cRLSign, digitalSignature | Yes | | extendedKeyUsage | serverAuth, clientAuth, codeSigning | No | | subjectKeyIdentifier | Hash of public key | No | | authorityKeyIdentifier | Issuer's key identifier | No | | crlDistributionPoints | URL to CRL | No | | authorityInfoAccess | OCSP responder URL | No |

Security Considerations

  • Root CA private key must be stored offline (air-gapped HSM)
  • Use minimum 4096-bit RSA or P-384 ECDSA for CA keys
  • Set path length constraints on intermediate CAs
  • Implement certificate policies (OIDs)
  • Enable CRL and OCSP for revocation checking
  • Audit all certificate issuance operations

Validation Criteria

  • [ ] Root CA self-signed certificate is valid
  • [ ] Intermediate CA certificate chains to Root CA
  • [ ] Issued certificates chain to Intermediate -> Root
  • [ ] Path length constraints are enforced
  • [ ] CRL is generated and accessible
  • [ ] Revoked certificates appear in CRL
  • [ ] Certificate policies are correctly embedded