certificate-lifecycle-manager

by charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
28 downloads · 0 stars · 0 active installs · 1 version
Install in OpenClaw: /install certificate-lifecycle-manager
Description
Manage TLS/SSL certificate lifecycle — discovery, monitoring, renewal planning, and rotation. Track certificates across services, alert before expiry, automa...
README (SKILL.md)

Certificate Lifecycle Manager

Stop getting paged at 3 AM about expired certificates. Discover all certificates across your infrastructure, track expiry dates, plan renewals, automate with ACME/Let's Encrypt, and verify deployment — so certificates rotate smoothly before anyone notices.

Use when: "certificate expiring", "find all certificates", "SSL renewal", "cert management", "certificate inventory", "Let's Encrypt automation", "cert rotation", or when an expired certificate causes an outage.

Commands

1. discover — Find All Certificates

Step 1: Scan Network Endpoints

# Scan known hosts for certificates (HOSTS: space-separated list of hostnames to check)
for host in $HOSTS; do
  for port in 443 8443 9443; do
    # Fetch the leaf certificate once and reuse it: one TLS handshake per endpoint
    pem=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | \
      openssl x509 2>/dev/null)
    if [ -n "$pem" ]; then
      echo "=== $host:$port ==="
      echo "$pem" | openssl x509 -noout -subject -enddate -issuer
      # Days until expiry (date -d is GNU date; on macOS use gdate from coreutils)
      expiry=$(echo "$pem" | openssl x509 -noout -enddate | cut -d= -f2)
      days=$(( ($(date -d "$expiry" +%s) - $(date +%s)) / 86400 ))
      echo "Days until expiry: $days"
      echo
    fi
  done
done

Step 2: Scan Kubernetes Secrets

# Use -n <namespace> instead of -A to limit the scan to the namespaces you actually own
kubectl get secrets -A -o json | python3 -c "
import json, sys, base64, subprocess
secrets = json.load(sys.stdin)['items']
for s in secrets:
    # Only kubernetes.io/tls secrets carry a certificate in data['tls.crt']
    if s.get('type') != 'kubernetes.io/tls':
        continue
    ns = s['metadata']['namespace']
    name = s['metadata']['name']
    cert_b64 = s.get('data', {}).get('tls.crt', '')
    if not cert_b64:
        continue
    # tls.crt may hold a full chain; openssl x509 reports the first (leaf) certificate
    cert_pem = base64.b64decode(cert_b64).decode()
    result = subprocess.run(
        ['openssl', 'x509', '-noout', '-subject', '-enddate'],
        input=cert_pem, capture_output=True, text=True
    )
    print(f'{ns}/{name}: {result.stdout.strip()}')
"

Step 3: Scan Local Certificate Files

# Find certificate files (narrow the start path, e.g. /etc or /opt, wherever you can)
find / -maxdepth 5 -type f \( -name "*.pem" -o -name "*.crt" -o -name "*.cert" -o -name "*.cer" \) \
  -not -path "*/proc/*" -not -path "*/sys/*" 2>/dev/null | while IFS= read -r cert; do
  # openssl x509 prints nothing for files that are not certificates (e.g. private keys)
  info=$(openssl x509 -in "$cert" -noout -subject -enddate 2>/dev/null)
  if [ -n "$info" ]; then
    echo "=== $cert ==="
    echo "$info"
  fi
done

Step 4: Generate Inventory

# Certificate Inventory

## Summary
- Certificates found: 23
- Expiring within 30 days: 2 🔴
- Expiring within 90 days: 5 🟡
- Healthy (>90 days): 16 🟢

## Critical (renew immediately)
| Host | CN/SAN | Issuer | Expires | Days Left |
|------|--------|--------|---------|-----------|
| api.example.com:443 | *.example.com | Let's Encrypt R3 | 2026-05-10 | 11 🔴 |
| internal.corp:8443 | internal.corp | Corp CA | 2026-05-15 | 16 🔴 |

## Warning (renew within 30 days)
| Host | CN/SAN | Issuer | Expires | Days Left |
|------|--------|--------|---------|-----------|
| staging.example.com | *.staging.example.com | Let's Encrypt | 2026-06-15 | 47 🟡 |

## Auto-Renewed (managed)
| Host | Provider | Auto-Renew | Last Renewed |
|------|----------|-----------|-------------|
| www.example.com | CloudFlare | ✅ | 2026-04-01 |
| app.example.com | AWS ACM | ✅ | 2026-03-15 |

## Manual Renewal Required
| Host | Reason |
|------|--------|
| internal.corp | Internal CA, no ACME support |
| vpn.example.com | Client certificate, manual CSR process |
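
The steps above print per-endpoint certificate details but leave the inventory itself to be assembled by hand. The following is an added example (not part of the skill): it parses the `=== host:port ===` blocks that the Step 1 loop writes, including the `notAfter=` value in the format `openssl x509 -enddate` prints, computes days left against a fixed reference clock, buckets certificates with the template's 30- and 90-day thresholds (plus an Expired bucket), and renders the same Markdown tables. The scan output, hostnames and dates are constructed, and `NOW` is pinned so the result is reproducible offline.

```python
"""Build the Step 4 inventory from the text the Step 1 discovery loop prints.
Added example, not part of the skill; the scan output below is constructed."""
from datetime import datetime, timezone

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"  # format of `openssl x509 -enddate` values
CRITICAL_DAYS, WARNING_DAYS = 30, 90      # thresholds used by the inventory template
NOW = datetime(2026, 4, 29, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed sample in the layout the discovery loop writes to stdout
SAMPLE_SCAN = """\
=== api.example.com:443 ===
subject=CN = *.example.com
notAfter=May 10 12:00:00 2026 GMT
issuer=C = US, O = Let's Encrypt, CN = R3
Days until expiry: 11

=== staging.example.com:443 ===
subject=CN = *.staging.example.com
notAfter=Jun 15 12:00:00 2026 GMT
issuer=C = US, O = Let's Encrypt, CN = R3

=== www.example.com:443 ===
subject=CN = www.example.com
notAfter=Sep  1 12:00:00 2026 GMT
issuer=CN = Example Issuing CA

=== legacy.example.com:9443 ===
subject=CN = legacy.example.com
notAfter=Apr 20 12:00:00 2026 GMT
issuer=CN = Corp CA
"""


def parse_scan(text):
    """Split '=== host:port ===' blocks into dicts; lines without key=value are ignored."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("===") and line.endswith("==="):
            current = {"host": line.strip("= ")}
            records.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")  # split on the first '=' only
            value = value.strip()
            if key in ("subject", "issuer"):
                current[key] = value
            elif key == "notAfter":
                current["not_after"] = datetime.strptime(value, OPENSSL_TIME).replace(tzinfo=timezone.utc)
    return records


def days_left(not_after, now=NOW):
    """Whole days until notAfter (floored); negative once the certificate has expired."""
    return (not_after - now).days


def classify(days):
    if days < 0:
        return "expired"
    if days <= CRITICAL_DAYS:
        return "critical"
    if days <= WARNING_DAYS:
        return "warning"
    return "healthy"


def build_inventory(text, now=NOW):
    rows = []
    for rec in parse_scan(text):
        if "not_after" not in rec:
            continue  # openssl printed nothing usable for this endpoint
        days = days_left(rec["not_after"], now)
        rows.append({**rec, "days_left": days, "status": classify(days)})
    rows.sort(key=lambda r: r["days_left"])  # most urgent first
    return rows


def summary(rows):
    return {s: sum(r["status"] == s for r in rows) for s in ("expired", "critical", "warning", "healthy")}


def render_markdown(rows):
    """Render the same Markdown sections and columns as the inventory template."""
    counts = summary(rows)
    out = ["# Certificate Inventory", "", "## Summary",
           f"- Certificates found: {len(rows)}",
           f"- Expired: {counts['expired']}",
           f"- Expiring within {CRITICAL_DAYS} days: {counts['critical']}",
           f"- Expiring within {WARNING_DAYS} days: {counts['warning']}",
           f"- Healthy (>{WARNING_DAYS} days): {counts['healthy']}"]
    for status, title in (("expired", "Expired"), ("critical", "Critical (renew immediately)"),
                          ("warning", f"Warning (renew within {CRITICAL_DAYS} days)")):
        group = [r for r in rows if r["status"] == status]
        if group:
            out += ["", f"## {title}", "| Host | CN/SAN | Issuer | Expires | Days Left |",
                    "|------|--------|--------|---------|-----------|"]
            out += [f"| {r['host']} | {r.get('subject', '?')} | {r.get('issuer', '?')} | "
                    f"{r['not_after']:%Y-%m-%d} | {r['days_left']} |" for r in group]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_markdown(build_inventory(SAMPLE_SCAN)))
```

In use, the Step 1 loop's output is piped in instead of `SAMPLE_SCAN` and `now` is left at the real clock. Note that `timedelta.days` floors, so an expired certificate shows one day more negative than the bash `$(( ))` arithmetic above would, which truncates toward zero.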

2. renew — Automate Certificate Renewal

Let's Encrypt / ACME:

# Certbot renewal
certbot renew --dry-run 2>&1
certbot renew 2>&1

# Check renewal hooks
cat /etc/letsencrypt/renewal-hooks/deploy/*.sh 2>/dev/null

Manual renewal runbook:

  1. Generate new CSR: openssl req -new -key server.key -out server.csr
  2. Submit CSR to CA
  3. Download new certificate
  4. Verify chain: openssl verify -CAfile ca-bundle.crt server.crt
  5. Deploy: update server config, restart service
  6. Verify: openssl s_client -connect host:443

3. monitor — Set Up Expiry Alerts

# Prometheus alerting rules on the blackbox exporter's probe_ssl_earliest_cert_expiry metric
# Alerts at 30 days (warning) and 7 days (critical) before expiry, and once a certificate has expired
cat <<'YAML'
groups:
  - name: certificate-expiry
    rules:
      - alert: CertExpiringIn30Days
        expr: probe_ssl_earliest_cert_expiry - time() < 86400 * 30
        labels: { severity: warning }
      - alert: CertExpiringIn7Days
        expr: probe_ssl_earliest_cert_expiry - time() < 86400 * 7
        labels: { severity: critical }
      - alert: CertExpired
        expr: probe_ssl_earliest_cert_expiry - time() < 0
        labels: { severity: page }
YAML

4. verify — Post-Renewal Verification

After deploying new certificate:

# Verify certificate is deployed correctly
echo | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null | \
  openssl x509 -noout -subject -issuer -dates -fingerprint

# Check chain completeness
echo | openssl s_client -connect "$HOST:443" -servername "$HOST" -showcerts 2>/dev/null | \
  grep -c "BEGIN CERTIFICATE"
# Should be 2-3 (leaf + intermediate(s))

# Check transport security headers: HSTS, plus any legacy Public-Key-Pins header
# (HPKP is obsolete; if a pin header is still served, its pins must cover the new key)
curl -sI "https://$HOST" | grep -iE "strict-transport-security|public-key-pins"
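
Counting `BEGIN CERTIFICATE` blocks tells you how many certificates were served, not whether they form a chain. The following is an added example (not the skill's own code) that parses the `Certificate chain` section and the `Verify return code` line of an `openssl s_client -showcerts` transcript and checks that an intermediate was served, that each certificate's issuer is the subject of the next one, and that OpenSSL accepted the chain. Both transcripts below are constructed; the PEM bodies are placeholders, not real certificates.

```python
"""Post-renewal chain check over `openssl s_client -showcerts` output.
Added example, not part of the skill; both transcripts below are constructed."""
import re

# Constructed: leaf + intermediate, as s_client prints a complete chain
COMPLETE_CHAIN = """\
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.example.com
verify return:1
---
Certificate chain
 0 s:CN = api.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-PEM-BODY
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-PEM-BODY
-----END CERTIFICATE-----
---
Server certificate
subject=CN = api.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
    Verify return code: 0 (ok)
"""

# Constructed: the leaf deployed without its intermediate (a common misdeploy)
LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = api.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = api.example.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-PEM-BODY
-----END CERTIFICATE-----
---
    Verify return code: 20 (unable to get local issuer certificate)
"""

CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")   # " 0 s:CN = ..."
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")         # "   i:C = US, ..."
VERIFY_CODE = re.compile(r"Verify return code: (\d+) \((.*)\)")


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    chain, pending = [], None
    for line in output.splitlines():
        m = CHAIN_ENTRY.match(line)
        if m:
            pending = m.group(2).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and pending is not None:
            chain.append((pending, m.group(1).strip()))
            pending = None
    return chain


def pem_count(output):
    return output.count("-----BEGIN CERTIFICATE-----")


def verify_code(output):
    """OpenSSL's own verdict: (0, 'ok') when the chain validated against the local trust store."""
    m = VERIFY_CODE.search(output)
    return (int(m.group(1)), m.group(2)) if m else (None, "no verify result found")


def check_chain(output):
    """Return (ok, findings) for one transcript; findings is empty when everything passed."""
    findings = []
    chain = parse_chain(output)
    if not chain:
        return False, ["no certificate chain in output (handshake failed?)"]
    if pem_count(output) != len(chain):
        findings.append("PEM block count does not match the chain entries")
    if len(chain) < 2:
        findings.append("only the leaf was served; the intermediate is missing")
    # Every certificate's issuer must be the subject of the next certificate sent
    for (subject, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            findings.append(f"break in chain: '{subject}' is issued by '{issuer}', "
                            f"but the next certificate is '{next_subject}'")
    code, text = verify_code(output)
    if code != 0:
        findings.append(f"openssl verify result: {code} ({text})")
    return not findings, findings


if __name__ == "__main__":
    import sys
    transcript = sys.stdin.read() if not sys.stdin.isatty() else COMPLETE_CHAIN
    ok, findings = check_chain(transcript)
    print("chain OK" if ok else "\n".join(findings))
```

Fed a live transcript (`echo | openssl s_client -connect "$HOST:443" -servername "$HOST" -showcerts 2>&1 | python3 check_chain.py`; the `depth=` lines arrive on stderr, hence `2>&1`), a non-zero `Verify return code` or a missing intermediate fails the check even when the leaf itself is fresh, which is exactly the state a renewal that only copied the new leaf leaves behind.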

Usage Guidance

This skill's behavior is coherent with certificate lifecycle management, but it expects (without declaring) broad access to your hosts, Kubernetes cluster secrets, and local filesystem. Before installing or running it:

  1. Treat it as high-privilege: run it in a controlled environment or staging account first.
  2. Verify the required tools and declare them (openssl, kubectl, python3, certbot, curl).
  3. Limit scope: provide an explicit host list and/or restrict kube namespaces instead of allowing cluster-wide secret reads.
  4. Avoid running 'find /' as root; restrict paths to known certificate locations to avoid exposing private keys.
  5. Check that the kubectl context and kubeconfig are the intended ones and that role-based access prevents reading unrelated secrets.
  6. Audit certbot and renewal-hook commands before running them to avoid unexpected execution.
  7. If you expect autonomous invocation, restrict the skill's permissions or disable autonomous model invocation until you trust it.

If you cannot verify these points, treat the skill as risky and do not grant it cluster or root-level access.
Capability Analysis

Type: OpenClaw Skill
Name: certificate-lifecycle-manager
Version: 1.0.0

The certificate-lifecycle-manager skill bundle provides standard administrative tools for discovering, renewing, and monitoring SSL/TLS certificates. It utilizes common utilities such as openssl, kubectl, and certbot to perform its stated functions, and the logic in SKILL.md is transparent and well-aligned with the tool's purpose without any indicators of malicious intent or data exfiltration.
Capability Assessment
Purpose & Capability
The SKILL.md clearly needs tools and access consistent with cert lifecycle tasks (openssl, kubectl, python3, certbot, curl, ability to read filesystem and kube secrets), but the registry metadata declares no required binaries, env vars, or config paths. That mismatch (no declared prerequisites while instructions rely on many binaries and credentials) is incoherent and should be justified.
Instruction Scope
Instructions perform broad discovery: network scans of hosts/ports, find / across the filesystem, and kubectl get secrets -A with decoding of tls secrets. These actions will enumerate potentially sensitive material (private keys in files, all cluster TLS secrets) — while relevant to 'discover certificates', this level of access is high-risk and should be explicit and scoped (e.g., specific namespaces, paths, or a limited hosts list). The SKILL.md also references environment variables ($HOSTS, $HOST) that are not declared.
Install Mechanism
This is instruction-only with no install steps or downloaded code, which reduces risk of arbitrary remote code being written/executed. However, runtime commands will call system binaries and tools that must exist and may require elevated privileges.
Credentials
No environment variables, credentials, or config paths are declared, but the instructions implicitly require: a populated $HOSTS/$HOST, access to kubectl context (kubeconfig with permission to read secrets cluster-wide), and likely root or elevated filesystem access for find / and certbot operations. Requesting cluster-wide secret reads and full filesystem scans is disproportionate unless the user explicitly intends that scope.
Persistence & Privilege
The skill is not marked 'always' and is user-invocable only; model invocation is allowed (normal). Because the instructions require broad, privileged access when executed, allowing autonomous invocation would increase risk — but autonomous invocation alone is not being flagged as unusual here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install certificate-lifecycle-manager
  3. After installation, invoke the skill by name or use /certificate-lifecycle-manager
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History

v1.0.0

Initial release of certificate-lifecycle-manager — a tool to manage TLS/SSL certificate discovery, monitoring, renewal planning, and rotation.
- Discover certificates across network endpoints, Kubernetes secrets, and local files.
- Generate a comprehensive certificate inventory and highlight expiring/expired certificates.
- Automate certificate renewal (ACME/Let's Encrypt) or provide manual renewal runbooks.
- Set up monitoring and expiry alerts with Prometheus.
- Verify certificate deployment and chain integrity after rotation.
Metadata
Slug certificate-lifecycle-manager
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is certificate-lifecycle-manager?

Manage TLS/SSL certificate lifecycle — discovery, monitoring, renewal planning, and rotation. Track certificates across services, alert before expiry, automa... It is an AI Agent Skill for Claude Code / OpenClaw, with 28 downloads so far.

How do I install certificate-lifecycle-manager?

Run "/install certificate-lifecycle-manager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is certificate-lifecycle-manager free?

Yes, certificate-lifecycle-manager is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does certificate-lifecycle-manager support?

certificate-lifecycle-manager is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created certificate-lifecycle-manager?

It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.
