performing-ssl-certificate-lifecycle-management

$npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/performing-ssl-certificate-lifecycle-management

Automate X.509 certificate requests, renewals, and revocations via ACME.

  • Prevents outages caused by expired or mismanaged SSL certificates.
  • Integrates with Python libraries and ACME protocol tools.
  • Generates CSRs and runs validations based on security assessment triggers.
  • Delivers actionable status reports on certificate health and lifecycle.

SKILL.md

.github/skills/performing-ssl-certificate-lifecycle-management
---
name: performing-ssl-certificate-lifecycle-management
description: SSL/TLS certificate lifecycle management encompasses the full process of requesting, issuing, deploying, monitoring, renewing, and revoking X.509 certificates. Poor certificate management is a leading
domain: cybersecurity
subdomain: cryptography
tags: [cryptography, ssl, certificates, pki, tls, key-management]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Performing SSL Certificate Lifecycle Management

## Overview

SSL/TLS certificate lifecycle management encompasses the full process of requesting, issuing, deploying, monitoring, renewing, and revoking X.509 certificates. Poor certificate management is a leading cause of outages and security incidents. This skill covers automating the entire certificate lifecycle using Python and ACME protocol tools.

## When to Use

- When conducting security assessments that involve SSL certificate lifecycle management
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing

## Prerequisites

- Familiarity with cryptography concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Objectives

- Generate Certificate Signing Requests (CSRs) programmatically
- Parse and validate X.509 certificates
- Monitor certificate expiration across infrastructure
- Automate renewal using ACME protocol (Let's Encrypt)
- Implement certificate revocation checking (CRL and OCSP)
- Track certificate inventory across multiple domains

## Key Concepts

### Certificate Lifecycle Stages

1. **Request**: Generate key pair and CSR
2. **Issuance**: CA validates and issues certificate
3. **Deployment**: Install certificate on servers
4. **Monitoring**: Track expiration and health
5. **Renewal**: Request new certificate before expiry
6. **Revocation**: Invalidate compromised certificates
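An added lab walk-through of stages 1, 2 and 4 with the openssl CLI (example code, not part of the skill's own files): a throwaway CA issues a deliberately short-lived leaf so the expiry check has something to flag. The hostname `lab.example.test` and the CA name are constructed, and everything is written to a temporary directory.

```bash
#!/usr/bin/env bash
# Stages 1 (Request), 2 (Issuance) and 4 (Monitoring) against a throwaway lab
# CA. Hostname and CA name are constructed; all files live in a temp dir.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
HOST="lab.example.test"

# Stage 1: P-256 key pair and a PKCS#10 CSR that carries the SAN.
gen_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/server.key"
  openssl req -new -key "$WORK/server.key" -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" -out "$WORK/server.csr"
  # A CA checks the CSR's self-signature before anything else; so do we.
  openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# Stage 2: the lab CA signs the CSR for $1 days. The SAN is passed again via
# -extfile because `x509 -req` does not copy CSR extensions by default.
issue_cert() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
  openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=Lab Test CA" \
    -days 30 -out "$WORK/ca.crt" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days "$1" \
    -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
  # Chain validation: the leaf must verify back to the lab CA.
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null
}

# Stage 4: print the fields an inventory records, then return 1 when the
# certificate expires within the renewal threshold given in days ($2).
check_expiry() {
  local cert="$1" threshold_days="$2"
  openssl x509 -in "$cert" -noout -subject -issuer -serial -enddate -ext subjectAltName
  if openssl x509 -in "$cert" -noout -checkend "$(( threshold_days * 86400 ))" >/dev/null; then
    echo "OK: more than $threshold_days days remain"
  else
    echo "RENEW: expires within $threshold_days days"
    return 1
  fi
}

gen_csr
issue_cert 5                                # deliberately short-lived leaf
check_expiry "$WORK/server.crt" 30 || true  # 5 < 30, so this reports RENEW
```

The non-zero return from `check_expiry` is what a cron job or monitoring hook would key on to trigger renewal.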

### Certificate Types

| Type | Validation | Use Case |
|------|-----------|----------|
| DV (Domain Validation) | Domain ownership | Websites, APIs |
| OV (Organization Validation) | Domain + org identity | Business sites |
| EV (Extended Validation) | Full legal verification | E-commerce, banking |
| Wildcard | *.domain.com | Multi-subdomain |
| SAN/UCC | Multiple domains | Multi-domain hosting |

## Security Considerations

- Set up automated monitoring for all certificates
- Use ECDSA (P-256) certificates for better performance over RSA
- Enable OCSP stapling on all servers
- Implement Certificate Transparency log monitoring
- Maintain inventory of all certificates and their locations
- Plan for CA compromise scenarios (key pinning, backup CAs)

## Validation Criteria

- [ ] CSR generation produces valid PKCS#10 request
- [ ] Certificate parsing extracts all relevant fields
- [ ] Expiration monitoring detects certificates within threshold
- [ ] Certificate chain validation verifies trust path
- [ ] OCSP checking detects revoked certificates
- [ ] Certificate inventory tracks all deployed certificates
