charlie-morrison

certificate-lifecycle-manager

Author: charlie-morrison · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 28 · Favorites: 0 · Current installs: 0 · Versions: 1
Install in OpenClaw: /install certificate-lifecycle-manager
Description
Manage TLS/SSL certificate lifecycle — discovery, monitoring, renewal planning, and rotation. Track certificates across services, alert before expiry, automa...
Usage (SKILL.md)

Certificate Lifecycle Manager

Stop getting paged at 3 AM about expired certificates. Discover all certificates across your infrastructure, track expiry dates, plan renewals, automate with ACME/Let's Encrypt, and verify deployment — so certificates rotate smoothly before anyone notices.

Use when: "certificate expiring", "find all certificates", "SSL renewal", "cert management", "certificate inventory", "Let's Encrypt automation", "cert rotation", or when an expired certificate causes an outage.

Commands

1. discover — Find All Certificates

Step 1: Scan Network Endpoints

```bash
# Scan known hosts for certificates. $HOSTS is a space-separated host list the operator sets.
for host in $HOSTS; do
  for port in 443 8443 9443; do
    # Fetch the leaf certificate once per endpoint; the timeout keeps a port that
    # accepts connections but never speaks TLS from hanging the whole loop
    cert_pem=$(echo | timeout 10 openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | \
      openssl x509 2>/dev/null)
    if [ -n "$cert_pem" ]; then
      echo "=== $host:$port ==="
      echo "$cert_pem" | openssl x509 -noout -subject -enddate -issuer
      # Days until expiry (GNU date syntax; on macOS/BSD use:
      #   date -j -f "%b %d %T %Y %Z" "$expiry" +%s)
      expiry=$(echo "$cert_pem" | openssl x509 -noout -enddate | cut -d= -f2)
      days=$(( ($(date -d "$expiry" +%s) - $(date +%s)) / 86400 ))
      echo "Days until expiry: $days"
      echo
    fi
  done
done
```

Step 2: Scan Kubernetes Secrets

```bash
# Replace -A with -n <namespace> to limit the read to the namespaces you own
kubectl get secrets -A -o json | python3 -c "
import json, sys, base64, subprocess
secrets = json.load(sys.stdin)['items']
for s in secrets:
    # Only kubernetes.io/tls secrets carry tls.crt; every other secret type is left untouched
    if s.get('type') == 'kubernetes.io/tls':
        ns = s['metadata']['namespace']
        name = s['metadata']['name']
        cert_b64 = (s.get('data') or {}).get('tls.crt', '')
        if cert_b64:
            # tls.crt may hold a full chain; openssl x509 reads the first (leaf) certificate
            cert_pem = base64.b64decode(cert_b64).decode()
            result = subprocess.run(
                ['openssl', 'x509', '-noout', '-subject', '-enddate'],
                input=cert_pem, capture_output=True, text=True
            )
            print(f'{ns}/{name}: {result.stdout.strip()}')
"
```

Step 3: Scan Local Certificate Files

```bash
# Find certificate files. Prefer a narrower start path (e.g. /etc/ssl, /etc/pki)
# over / so the walk does not touch directories holding private keys.
find / -maxdepth 5 -type f \( -name "*.pem" -o -name "*.crt" -o -name "*.cert" -o -name "*.cer" \) \
  -not -path "*/proc/*" -not -path "*/sys/*" 2>/dev/null | while read -r cert; do
  # openssl x509 fails quietly on key-only .pem files, so those are skipped
  info=$(openssl x509 -in "$cert" -noout -subject -enddate 2>/dev/null)
  if [ -n "$info" ]; then
    echo "=== $cert ==="
    echo "$info"
  fi
done
```

Step 4: Generate Inventory

# Certificate Inventory

## Summary
- Certificates found: 23
- Expiring within 30 days: 2 🔴
- Expiring within 90 days: 5 🟡
- Healthy (>90 days): 16 🟢

## Critical (renew immediately)
| Host | CN/SAN | Issuer | Expires | Days Left |
|------|--------|--------|---------|-----------|
| api.example.com:443 | *.example.com | Let's Encrypt R3 | 2026-05-10 | 11 🔴 |
| internal.corp:8443 | internal.corp | Corp CA | 2026-05-15 | 16 🔴 |

## Warning (renew within 30 days)
| Host | CN/SAN | Issuer | Expires | Days Left |
|------|--------|--------|---------|-----------|
| staging.example.com | *.staging.example.com | Let's Encrypt | 2026-06-15 | 47 🟡 |

## Auto-Renewed (managed)
| Host | Provider | Auto-Renew | Last Renewed |
|------|----------|-----------|-------------|
| www.example.com | CloudFlare | ✅ | 2026-04-01 |
| app.example.com | AWS ACM | ✅ | 2026-03-15 |

## Manual Renewal Required
| Host | Reason |
|------|--------|
| internal.corp | Internal CA, no ACME support |
| vpn.example.com | Client certificate, manual CSR process |
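An added example (not part of the skill): a portable inventory builder in Python that takes the `=== host:port ===` blocks the Step 1 and Step 3 loops print, computes days left without relying on GNU `date -d`, and buckets the results into the Step 4 categories, keeping already-expired certificates (negative days) separate. The scan text is constructed sample data.

```python
import re
from datetime import datetime, timezone
CRITICAL_DAYS, WARNING_DAYS = 30, 90  # thresholds used by the Step 4 inventory
# Constructed sample of what the Step 1 / Step 3 loops print: a header line per endpoint, then openssl x509 output
SAMPLE_SCAN = """\
=== api.example.com:443 ===
subject=CN = *.example.com
notAfter=May 10 12:00:00 2026 GMT
issuer=C = US, O = Let's Encrypt, CN = R3
=== internal.corp:8443 ===
subject=CN = internal.corp
notAfter=Jan 15 08:30:00 2026 GMT
issuer=CN = Corp CA
=== staging.example.com:443 ===
subject=CN = *.staging.example.com
notAfter=Jun 15 12:00:00 2026 GMT
issuer=C = US, O = Let's Encrypt, CN = R3
"""
def parse_enddate(value):
    """Parse openssl's notAfter text ('May 10 12:00:00 2026 GMT'); openssl always prints GMT."""
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
def parse_scan(text):
    """Group the scan output into one dict per '=== host:port ===' block."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^=== (.+) ===$", line)
        if m:
            cur = {"host": m.group(1)}
            entries.append(cur)
        elif cur is not None and "=" in line:  # subject= / notAfter= / issuer=
            key, _, val = line.partition("=")
            cur[key] = parse_enddate(val) if key == "notAfter" else val.strip()
    return entries
def classify(entries, now):
    """Bucket by days left; an already-expired cert (negative days) gets its own bucket."""
    buckets = {"expired": [], "critical": [], "warning": [], "healthy": []}
    for e in entries:
        d = e["days_left"] = (e["notAfter"] - now).days  # floors, like the shell's integer division
        level = ("expired" if d < 0 else "critical" if d < CRITICAL_DAYS
                 else "warning" if d < WARNING_DAYS else "healthy")
        buckets[level].append(e)
    return buckets

def render(buckets):
    """Emit inventory rows in the Step 4 table layout, most urgent first."""
    rows = ["| Host | CN/SAN | Issuer | Expires | Days Left |", "|---|---|---|---|---|"]
    for level in ("expired", "critical", "warning", "healthy"):
        rows += [f"| {e['host']} | {e['subject']} | {e['issuer']} | "
                 f"{e['notAfter']:%Y-%m-%d} | {e['days_left']} ({level}) |" for e in buckets[level]]
    return "\n".join(rows)
```

Feed it the saved output of Step 1 or Step 3 in place of SAMPLE_SCAN and pass `datetime.now(timezone.utc)` as `now`; a certificate expiring later today already reads as 0 days.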

2. renew — Automate Certificate Renewal

Let's Encrypt / ACME:

```bash
# Certbot renewal
certbot renew --dry-run 2>&1
certbot renew 2>&1

# Check renewal hooks
cat /etc/letsencrypt/renewal-hooks/deploy/*.sh 2>/dev/null
```

Manual renewal runbook:

  1. Generate new CSR: openssl req -new -key server.key -out server.csr
  2. Submit CSR to CA
  3. Download new certificate
  4. Verify chain: openssl verify -CAfile ca-bundle.crt server.crt
  5. Deploy: update server config, restart service
  6. Verify: openssl s_client -connect host:443

3. monitor — Set Up Expiry Alerts

```bash
# Prometheus alerting rules on the blackbox exporter's probe_ssl_earliest_cert_expiry metric
# Alerts at 30 and 7 days before expiry, and once the certificate has expired
cat <<'YAML'
groups:
  - name: certificate-expiry
    rules:
      - alert: CertExpiringIn30Days
        expr: probe_ssl_earliest_cert_expiry - time() < 86400 * 30
        labels: { severity: warning }
      - alert: CertExpiringIn7Days
        expr: probe_ssl_earliest_cert_expiry - time() < 86400 * 7
        labels: { severity: critical }
      - alert: CertExpired
        expr: probe_ssl_earliest_cert_expiry - time() < 0
        labels: { severity: page }
YAML
```

4. verify — Post-Renewal Verification

After deploying new certificate:

```bash
# Verify certificate is deployed correctly
echo | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null | \
  openssl x509 -noout -subject -issuer -dates -fingerprint

# Check chain completeness
echo | openssl s_client -connect "$HOST:443" -servername "$HOST" -showcerts 2>/dev/null | \
  grep -c "BEGIN CERTIFICATE"
# Should be 2-3 (leaf + intermediate(s))

# Check HSTS and any legacy HPKP header: a pin set that no longer matches the new key breaks clients after rotation
curl -sI "https://$HOST" | grep -i "strict-transport\|public-key-pins"
```
Safe Usage Recommendations
This skill's behavior is coherent with certificate lifecycle management, but it expects (without declaring) broad access to your hosts, Kubernetes cluster secrets, and local filesystem. Before installing or running it:
  1. Treat it as high-privilege: run it in a controlled environment or staging account first.
  2. Verify the required tools and declare them (openssl, kubectl, python3, certbot, curl).
  3. Limit scope: provide an explicit host list and/or restrict kube namespaces instead of allowing cluster-wide secret reads.
  4. Avoid running 'find /' as root; restrict paths to known certificate locations to avoid exposing private keys.
  5. Check that the kubectl context and kubeconfig are the intended ones and that role-based access prevents reading unrelated secrets.
  6. Audit certbot and renewal-hook commands before running them to avoid unexpected execution.
  7. If you expect autonomous invocation, restrict the skill's permissions or disable autonomous model invocation until you trust it.
If you cannot verify these points, treat the skill as risky and do not grant it cluster or root-level access.
Functional Analysis
Type: OpenClaw Skill
Name: certificate-lifecycle-manager
Version: 1.0.0
The certificate-lifecycle-manager skill bundle provides standard administrative tools for discovering, renewing, and monitoring SSL/TLS certificates. It uses common utilities such as openssl, kubectl, and certbot to perform its stated functions, and the logic in SKILL.md is transparent and well-aligned with the tool's purpose, with no indicators of malicious intent or data exfiltration.
Capability Assessment
Purpose & Capability
The SKILL.md clearly needs tools and access consistent with cert lifecycle tasks (openssl, kubectl, python3, certbot, curl, ability to read filesystem and kube secrets), but the registry metadata declares no required binaries, env vars, or config paths. That mismatch (no declared prerequisites while instructions rely on many binaries and credentials) is incoherent and should be justified.
Instruction Scope
Instructions perform broad discovery: network scans of hosts/ports, find / across the filesystem, and kubectl get secrets -A with decoding of tls secrets. These actions will enumerate potentially sensitive material (private keys in files, all cluster TLS secrets) — while relevant to 'discover certificates', this level of access is high-risk and should be explicit and scoped (e.g., specific namespaces, paths, or a limited hosts list). The SKILL.md also references environment variables ($HOSTS, $HOST) that are not declared.
Install Mechanism
This is instruction-only with no install steps or downloaded code, which reduces risk of arbitrary remote code being written/executed. However, runtime commands will call system binaries and tools that must exist and may require elevated privileges.
Credentials
No environment variables, credentials, or config paths are declared, but the instructions implicitly require: a populated $HOSTS/$HOST, access to kubectl context (kubeconfig with permission to read secrets cluster-wide), and likely root or elevated filesystem access for find / and certbot operations. Requesting cluster-wide secret reads and full filesystem scans is disproportionate unless the user explicitly intends that scope.
Persistence & Privilege
The skill is not marked 'always' and is user-invocable only; model invocation is allowed (normal). Because the instructions require broad, privileged access when executed, allowing autonomous invocation would increase risk — but autonomous invocation alone is not being flagged as unusual here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Enter the install command in the chat box: /install certificate-lifecycle-manager
  3. After installation, call the skill by name or trigger it with /certificate-lifecycle-manager
  4. Provide the required inputs according to the skill's parameter description to get structured output.
Version History
v1.0.0
Initial release of certificate-lifecycle-manager — a tool to manage TLS/SSL certificate discovery, monitoring, renewal planning, and rotation.
- Discover certificates across network endpoints, Kubernetes secrets, and local files.
- Generate a comprehensive certificate inventory and highlight expiring/expired certificates.
- Automate certificate renewal (ACME/Let's Encrypt) or provide manual renewal runbooks.
- Set up monitoring and expiry alerts with Prometheus.
- Verify certificate deployment and chain integrity after rotation.
Metadata
Slug: certificate-lifecycle-manager
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 1
FAQ

What is certificate-lifecycle-manager?

Manage TLS/SSL certificate lifecycle — discovery, monitoring, renewal planning, and rotation. Track certificates across services, alert before expiry, automa... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 28 downloads so far.

How do I install certificate-lifecycle-manager?

Run the command "/install certificate-lifecycle-manager" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is certificate-lifecycle-manager free?

Yes, certificate-lifecycle-manager is completely free under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does certificate-lifecycle-manager support?

certificate-lifecycle-manager is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed certificate-lifecycle-manager?

Developed and maintained by charlie-morrison (@charlie-morrison); current version v1.0.0.