Agent skill
ssl-certs
Manage SSL/TLS certificates and diagnose certificate issues. Use when the user says "cert expiring", "SSL error", "certificate problem", "renew certificate", "check certificate", "HTTPS not working", or asks about TLS/SSL.
Stars
163
Forks
31
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/data/ssl-certs
SKILL.md
SSL/TLS Certificates
Manage certificates, diagnose SSL issues, and handle renewals.
Instructions
- Identify the issue type (expiring, invalid, chain problem)
- Use appropriate diagnostic commands
- Determine root cause
- Provide remediation steps
Check certificate expiry
bash
# Local certificate file
openssl x509 -enddate -noout -in cert.pem
# Remote server
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
# Check all certs expiring within 30 days
find /etc/letsencrypt/live -name "*.pem" -exec sh -c 'echo "{}:"; openssl x509 -enddate -noout -in "{}"' \;
Certificate information
bash
# Full certificate details
openssl x509 -text -noout -in cert.pem
# Subject and issuer
openssl x509 -subject -issuer -noout -in cert.pem
# SANs (Subject Alternative Names)
openssl x509 -noout -ext subjectAltName -in cert.pem
Diagnose SSL connection
bash
# Full connection debug
openssl s_client -connect example.com:443 -servername example.com
# Check specific TLS version
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3
# Verify certificate chain
openssl s_client -connect example.com:443 -showcerts
Common issues
| Error | Cause | Solution |
|---|---|---|
| certificate has expired | Cert past end date | Renew certificate |
| unable to verify | Missing intermediate | Add chain certificates |
| hostname mismatch | Wrong cert or missing SAN | Get cert with correct names |
| self-signed certificate | Not from trusted CA | Use Let's Encrypt or commercial CA |
Let's Encrypt management
bash
# Check certbot certificates
certbot certificates
# Renew all certificates
certbot renew --dry-run
certbot renew
# Force renewal
certbot renew --force-renewal
# Get new certificate
certbot certonly --nginx -d example.com -d www.example.com
Verify chain
bash
# Check chain is complete
openssl verify -CAfile chain.pem cert.pem
# Download and verify chain
openssl s_client -connect example.com:443 -showcerts 2>/dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {print}' > chain.pem
Rules
- MUST check expiry date first for any cert issue
- MUST verify the full certificate chain
- MUST check SANs match the domain being accessed
- Never delete certificates without backup
- Always test with
--dry-runbefore certbot renew - Always reload/restart web server after cert changes
Didn't find tool you were looking for?