Agent-Skills.md

Agent Skills: Performing SSL Certificate Lifecycle Management

SSL/TLS certificate lifecycle management encompasses the full process of requesting, issuing, deploying, monitoring, renewing, and revoking X.509 certificates. Poor certificate management is a leading

UncategorizedID: plurigrid/asi/performing-ssl-certificate-lifecycle-management

Repository

plurigrid/asi
plurigridLicense: MIT
165

Install this agent skill to your local

pnpm dlx add-skill https://github.com/plurigrid/asi/tree/HEAD/plugins/asi/skills/performing-ssl-certificate-lifecycle-management

Skill Files

Browse the full folder contents for performing-ssl-certificate-lifecycle-management.

Download Skill

Loading file tree…

plugins/asi/skills/performing-ssl-certificate-lifecycle-management/SKILL.md

Skill Metadata

Name
performing-ssl-certificate-lifecycle-management
Description
SSL/TLS certificate lifecycle management encompasses the full process of requesting, issuing, deploying, monitoring, renewing, and revoking X.509 certificates. Poor certificate management is a leading

Performing SSL Certificate Lifecycle Management

Overview

SSL/TLS certificate lifecycle management encompasses the full process of requesting, issuing, deploying, monitoring, renewing, and revoking X.509 certificates. Poor certificate management is a leading cause of outages and security incidents. This skill covers automating the entire certificate lifecycle using Python and ACME protocol tools.

When to Use

  • When conducting security assessments that involve performing ssl certificate lifecycle management
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • Familiarity with cryptography concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Objectives

  • Generate Certificate Signing Requests (CSRs) programmatically
  • Parse and validate X.509 certificates
  • Monitor certificate expiration across infrastructure
  • Automate renewal using ACME protocol (Let's Encrypt)
  • Implement certificate revocation checking (CRL and OCSP)
  • Track certificate inventory across multiple domains

Key Concepts

Certificate Lifecycle Stages

  1. Request: Generate key pair and CSR
  2. Issuance: CA validates and issues certificate
  3. Deployment: Install certificate on servers
  4. Monitoring: Track expiration and health
  5. Renewal: Request new certificate before expiry
  6. Revocation: Invalidate compromised certificates

Certificate Types

| Type | Validation | Use Case | |------|-----------|----------| | DV (Domain Validation) | Domain ownership | Websites, APIs | | OV (Organization Validation) | Domain + org identity | Business sites | | EV (Extended Validation) | Full legal verification | E-commerce, banking | | Wildcard | *.domain.com | Multi-subdomain | | SAN/UCC | Multiple domains | Multi-domain hosting |

Security Considerations

  • Set up automated monitoring for all certificates
  • Use ECDSA (P-256) certificates for better performance over RSA
  • Enable OCSP stapling on all servers
  • Implement Certificate Transparency log monitoring
  • Maintain inventory of all certificates and their locations
  • Plan for CA compromise scenarios (key pinning, backup CAs)

Validation Criteria

  • [ ] CSR generation produces valid PKCS#10 request
  • [ ] Certificate parsing extracts all relevant fields
  • [ ] Expiration monitoring detects certificates within threshold
  • [ ] Certificate chain validation verifies trust path
  • [ ] OCSP checking detects revoked certificates
  • [ ] Certificate inventory tracks all deployed certificates