ohernandez-dev-blossom

Cert Decode

by Omar Hernandez · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
Downloads: 140 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install cert-decode
Description
Decode and inspect X.509 SSL/TLS certificates. Use when the user asks to read a certificate, parse a PEM file, check certificate expiry, inspect a TLS cert,...
README (SKILL.md)

Cert Decode

Parse and display human-readable details from X.509 PEM certificates using openssl.

Input

  • PEM certificate content (text starting with -----BEGIN CERTIFICATE-----) pasted directly, OR
  • Path to a .pem or .crt file, OR
  • Hostname to fetch the live certificate from (e.g., example.com)

Output

  • Subject (CN, O, OU, C)
  • Issuer (CA name, organization)
  • Validity: Not Before / Not After (expiry date)
  • Serial number
  • Subject Alternative Names (SANs)
  • Public key algorithm and size
  • Signature algorithm
  • Whether the cert is expired or expiring soon

Instructions

  1. Determine input type: pasted PEM text, file path, or hostname.

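  2. From pasted PEM text: Write the PEM content to a temp file and decode it as in step 3, or pipe it to openssl on stdin:

    echo "PEM_CONTENT" | openssl x509 -text -noout

    Or use process substitution if available. Treat the pasted text as untrusted data: inside double quotes the shell still expands $ and backticks, so the temp file is the safer route.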

  3. From a file path:

    openssl x509 -text -noout -in /path/to/cert.pem
    
  4. From a live hostname (port 443):

    echo | openssl s_client -connect HOSTNAME:443 -servername HOSTNAME 2>/dev/null | openssl x509 -text -noout
    
  5. Extract and present key fields from the openssl x509 -text output in a clean, readable format:

    • Subject: parse Subject: line
    • Issuer: parse Issuer: line
    • Valid From: parse Not Before:
    • Valid Until: parse Not After :
    • Serial: parse Serial Number:
    • SANs: parse X509v3 Subject Alternative Name: block for all DNS: and IP Address: entries
    • Key: parse Public Key Algorithm: and key size (e.g., RSA Public-Key: (2048 bit))
    • Signature Algorithm: parse Signature Algorithm:
  6. Calculate whether the certificate is:

    • Already expired (Not After is in the past)
    • Expiring within 30 days (warn the user)
    • Valid (show days remaining)
  7. If openssl is not found, tell the user:

    "This skill requires openssl. Install with: brew install openssl (macOS) or sudo apt install openssl (Linux)."

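Steps 5 and 6 carried out over the text dump, as an added example that is not part of the skill's SKILL.md. The sample output, the function names and the fixed "now" are constructed for illustration; the key-size pattern accepts both the RSA Public-Key: form shown in step 5 and the bare Public-Key: form.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt of `openssl x509 -text -noout` output (not a real certificate).
SAMPLE = """\
        Serial Number:
            01:23:45:67:89:ab:cd:ef
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Example CA, CN = Example TLS CA 1
        Validity
            Not Before: Mar  7 00:00:00 2024 GMT
            Not After : Mar  6 23:59:59 2025 GMT
        Subject: C = US, O = Example Org, CN = example.com
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com, IP Address:192.0.2.10
"""

def field(text, label, next_line=False):
    """Value after `label:`; long serial numbers are printed on the following line."""
    gap = r"\s*" if next_line else r"[ \t]*"
    m = re.search(r"^[ \t]*" + label + ":" + gap + r"(.*)$", text, re.M)
    return m.group(1).strip() if m else None

def expiry_status(not_after, now, warn_days=30):
    """Step 6: expired, expiring (within warn_days) or valid, plus whole days left."""
    expires = datetime.strptime(not_after, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    left = expires - now
    if left <= timedelta(0):
        return "expired", left.days
    return ("expiring" if left <= timedelta(days=warn_days) else "valid"), left.days

def summarize(text, now):
    """Step 5: pull the reported fields out of the text dump."""
    not_after = field(text, "Not After ?")
    if not not_after:
        raise ValueError("no 'Not After' line: input is not openssl x509 -text output")
    san = re.search(r"X509v3 Subject Alternative Name:.*\n[ \t]*(.+)", text)
    names = [e.strip() for e in san.group(1).split(",")] if san else []
    # OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)"; 3.x prints "Public-Key: (N bit)".
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    status, days = expiry_status(not_after, now)
    return {"subject": field(text, "Subject"), "issuer": field(text, "Issuer"),
            "not_before": field(text, "Not Before"), "not_after": not_after,
            "serial": field(text, "Serial Number", next_line=True),
            "sans": [n for n in names if n.startswith(("DNS:", "IP Address:"))],
            "key": (field(text, "Public Key Algorithm"), int(bits.group(1)) if bits else None),
            "signature": field(text, "Signature Algorithm"), "status": status, "days_left": days}
```

Calling summarize(SAMPLE, datetime(2025, 2, 20, 12, tzinfo=timezone.utc)) reports status "expiring" with 14 days left; input without a Not After line raises ValueError instead of producing a partial summary.
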
Examples

From file:

    openssl x509 -text -noout -in /etc/ssl/cert.pem

From hostname:

    echo | openssl s_client -connect github.com:443 -servername github.com 2>/dev/null | openssl x509 -text -noout

Sample parsed output:

    Subject:     CN=github.com, O=GitHub, Inc., C=US
    Issuer:      CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1, O=DigiCert Inc, C=US
    Valid From:  2024-03-07
    Valid Until: 2025-03-06  ⚠ Expires in 14 days
    Serial:      0a:bc:12:...
    SANs:        github.com, www.github.com
    Key:         EC 256-bit (prime256v1)
    Signature:   ecdsa-with-SHA384

Error Handling

  • openssl not found → tell user to install it
  • Input is not valid PEM → openssl will error with unable to load certificate; tell user the input does not appear to be a valid PEM certificate
  • Hostname unreachable → openssl s_client will fail; report connection error and suggest checking the hostname or network
  • DER format instead of PEM → tell user to convert first with: openssl x509 -inform DER -in cert.der -out cert.pem
  • Certificate chain (multiple certs) → only the first cert is parsed; inform user if they need a specific cert from the chain
Usage Guidance
This skill runs local openssl commands and may open an outbound TLS connection to a hostname you provide to fetch a live cert. It does not request credentials or persist configuration. Before using it: (1) do not paste or provide private keys—only certificate (public) material; (2) be aware that providing a hostname causes a network connection to that host on port 443; (3) ensure openssl is installed from your OS package manager (brew/apt) if you follow the install hint; and (4) review the SKILL.md if you want to confirm exactly which commands will run locally.
Capability Analysis
Type: OpenClaw Skill · Name: cert-decode · Version: 1.0.0
The skill is a straightforward utility for decoding X.509 certificates using the system's `openssl` binary. The instructions in `SKILL.md` correctly describe how to parse PEM data from strings, files, or remote hostnames (via `s_client`) and extract standard fields like Subject, Issuer, and Expiry. No evidence of malicious intent, data exfiltration, or prompt injection was found.
Capability Assessment
Purpose & Capability
Name/description (decoding X.509 certs) match the declared requirement of the openssl binary and the SKILL.md instructions; no unrelated binaries, env vars, or config paths are requested.
Instruction Scope
Instructions only describe writing/passing certificate text, reading a user-specified certificate file, or fetching a cert from a hostname via openssl s_client; they do not direct reading other system files, other env vars, or sending data to unexpected external endpoints. They do advise connecting to target hostnames on port 443, which is expected for live-certificate fetching.
Install Mechanism
No install spec (instruction-only). This is low risk; the SKILL.md merely instructs the user how to install openssl via standard package managers if missing.
Credentials
No credentials or environment variables are requested; the skill only needs the openssl binary and optional access to user-provided certificate files or hostnames—proportionate to its functionality.
Persistence & Privilege
always:false and no special privileges or persistent system modifications are requested. The skill does not attempt to modify other skills or system-wide settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install cert-decode
  3. After installation, invoke the skill by name or use /cert-decode
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of cert-decode: Decode and inspect X.509 SSL/TLS certificates using openssl.
  • Accepts PEM content, file path, or hostname as input.
  • Parses and presents key certificate details (subject, issuer, validity, serial, SANs, key, signature algorithm).
  • Checks certificate expiry status; warns about expiration or shows days remaining.
  • Handles errors for missing openssl, invalid input, unsupported formats, connection issues, and certificate chains.
  • Clear instructions and example commands included.
Metadata
Slug cert-decode
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Cert Decode?

Decode and inspect X.509 SSL/TLS certificates. Use when the user asks to read a certificate, parse a PEM file, check certificate expiry, inspect a TLS cert,... It is an AI Agent Skill for Claude Code / OpenClaw, with 140 downloads so far.

How do I install Cert Decode?

Run "/install cert-decode" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Cert Decode free?

Yes, Cert Decode is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Cert Decode support?

Cert Decode is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Cert Decode?

It is built and maintained by Omar Hernandez (@ohernandez-dev-blossom); the current version is v1.0.0.
