Skip to content

cyberspacesec/certificate-skills

Repository files navigation

cert-skills 🔒

AI-Native Certificate Security Toolkit — Skills · CLI · MCP · Go SDK

A comprehensive SSL/TLS certificate security toolkit designed for AI agents, security researchers, and cyberspace mapping. Four integration modes: Skills (49 executable prompts + 3 workflows), CLI (52 commands), MCP Server (53 tools), Go SDK (50+ functions).

Go Version License MCP Release

English | 简体中文


For AI Agents — Start Here

If you are an AI agent reading this to decide which tool to use: install Skills + MCP together. Skills tell you when and which tool; MCP executes it. This combo is the recommended integration path.

Quick Decision: Which Mode Should I Use?

Your goal Use
I'm an AI agent in Claude Code / Cursor and want auto-triggered tool selection Skills (copy .claude/skills/)
I'm an AI agent with MCP support and want direct tool calls MCP Server (cert-skills-mcp)
Best: I want the agent to pick the right tool AND execute it Skills + MCP
I'm a human or script running one-off checks CLI (cert-skills)
I'm embedding cert analysis in a Go program Go SDK (pkg)

One-Click Install (Skills + MCP + CLI)

# 1. CLI + MCP server binary
curl -sL https://github.com/cyberspacesec/certificate-skills/releases/latest/download/certificate-skills_0.2.0_linux_x86_64.tar.gz | tar xz
sudo mv cert-skills cert-skills-mcp /usr/local/bin/

# 2. Skills — copy into your project so your AI agent auto-discovers them
git clone https://github.com/cyberspacesec/certificate-skills.git
cp -r certificate-skills/.claude/skills/ /your/project/.claude/skills/

MCP Server Config (Claude Code)

{
  "mcpServers": {
    "certificate-skills": {
      "command": "cert-skills-mcp",
      "args": []
    }
  }
}

Skills provide the prompt intelligence; MCP provides the tool execution. Together they let the agent reason about when to run a cert check and then run it without a round-trip to the shell.


What Can This Toolkit Do?

Task → Tool Map (Agent Quick Reference)

Task CLI command MCP tool Skill
Score a site's TLS security 0-100 analyze <domain> cert_analyze_security certificate-analysis
18 cert-level security checks scan-cert-security <domain> cert_scan_cert_security cert-security-scanner
11 TLS vulnerability scans (Heartbleed…) scan-vulns <domain> cert_scan_vulnerabilities tls-vulnerability-scanner
Get cert info / fingerprints info / fingerprint cert_info / cert_fingerprint certificate-info / certificate-fingerprint
Parse a local .pem/.crt/.der parse <file> cert_parse certificate-parse
Compare two certs compare -1 a -2 b cert_compare certificate-compare
Convert PEM↔DER, PKCS12, P7B, chain convert <sub>
Generate self-signed cert / CSR generate / generate-csr cert_generate / cert_generate_csr certificate-generator / certificate-csr
Sign leaf cert with a CA sign-cert cert_sign_certificate ca-signer
Build multi-tier PKI generate-intermediate-ca cert_generate_intermediate_ca intermediate-ca-generator
Generate / parse CRL generate-crl / parse-crl crl-generator / crl-parser
Check revocation (OCSP/CRL) check-revocation cert_check_revocation certificate-revocation
Check distrusted CA check-distrusted-ca cert_check_distrusted_ca distrusted-ca-checker
Check OCSP Must-Staple / key usage / serial entropy / SCT / CAA / HSTS check-* cert_check_* see Compliance section
Search CT logs / enumerate subdomains search-ct / ct-enumerate cert_search_ct / cert_ct_enumerate certificate-transparency / ct-subdomain-enumerator
JARM / JA3 fingerprinting jarm / ja3 cert_jarm / cert_ja3 jarm-fingerprint / ja3-fingerprint
Match fingerprints vs known services match-fp / fp-db cert_match_fingerprints / cert_fingerprint_db_* fingerprint-db
Batch collect certs (hosts/CIDR) map-scan cert_map_scan map-scan
Offline mapping analysis map-parse cert_map_parse map-parse
Lifecycle timeline map-timeline cert_map_timeline map-timeline
Detect cert change / rotation detect-change cert_detect_change certificate-change-detection
EV detection / wildcard / hostname / chain detect-ev / check-wildcard / verify-hostname / verify-chain cert_* ev-detector / wildcard-checker / hostname-verifier / chain-verifier

Every CLI command supports -o json for machine-readable output. Batch commands (batch-analyze, expiry-monitor, map-scan) also support -o csv.

Workflow Playbooks (CLI-Composed)

Three progressive-disclosure workflow skills compose multiple commands into end-to-end procedures:

  • workflow-multi-tier-pki — Root CA → Intermediate CA → leaf cert → CRL revocation → chain verification
  • workflow-cyberspace-mapping-sweep — Batch collect (map-scan) → fingerprint + match (jarm/ja3/match-fp) → track rotation (detect-change/map-timeline)
  • workflow-incident-response-cert-forensics — Triage suspicious cert: identify → attribute via fingerprints → check trust → trace CT history

Installation

Pre-built Binaries

Download from GitHub Releases:

# Linux x86_64
curl -sL https://github.com/cyberspacesec/certificate-skills/releases/latest/download/certificate-skills_0.2.0_linux_x86_64.tar.gz | tar xz && sudo mv cert-skills cert-skills-mcp /usr/local/bin/

# macOS Apple Silicon
curl -sL https://github.com/cyberspacesec/certificate-skills/releases/latest/download/certificate-skills_0.2.0_darwin_aarch64.tar.gz | tar xz && sudo mv cert-skills cert-skills-mcp /usr/local/bin/

# Windows (PowerShell)
Invoke-WebRequest -Uri "https://github.com/cyberspacesec/certificate-skills/releases/latest/download/certificate-skills_0.2.0_windows_x86_64.zip" -OutFile "cert-skills.zip"; Expand-Archive cert-skills.zip

9 platforms: Linux (x86_64, ARM64, ARM v7, i386), macOS (Apple Silicon, Intel), Windows (x86_64, i386), FreeBSD (x86_64). Two binaries per platform: cert-skills (CLI) and cert-skills-mcp (MCP server).

Docker

docker pull ghcr.io/cyberspacesec/certificate-skills:latest
docker run --rm ghcr.io/cyberspacesec/certificate-skills:latest analyze google.com

Build from Source

git clone https://github.com/cyberspacesec/certificate-skills.git
cd certificate-skills
go build -trimpath -ldflags "-s -w" -o cert-skills ./cmd/
go build -trimpath -ldflags "-s -w" -o cert-skills-mcp ./cmd/mcp/

Go Module

go get github.com/cyberspacesec/certificate-skills/pkg

Go SDK

Online Analysis (requires network)

import pkg "github.com/cyberspacesec/certificate-skills/pkg"

result, err := pkg.AnalyzeSecurity("google.com")           // Security score 0-100
certResult, err := pkg.ScanCertSecurity("google.com")       // 18 cert checks
vulnResult, err := pkg.VulnerabilityScan("google.com")      // 11 vuln scans
jarmResult, err := pkg.JARMScan("google.com")               // JARM fingerprint
ctResult, err := pkg.CTSearch("example.com")                // CT log search
revResult, err := pkg.CheckRevocation("example.com")        // OCSP/CRL revocation

Offline Analysis (no network required)

cert, _ := pkg.GetCertFromFile("cert.pem")

keyUsage := pkg.CheckKeyUsageFromCert(cert)                   // Key usage compliance
policy := pkg.CheckPolicyFromCert(cert)                       // Policy OIDs (DV/OV/EV)
security, _ := pkg.ScanCertSecurityFromChain(cert, host, nil) // 18 cert checks
distrusted := pkg.CheckDistrustedCAFromCert(chain)            // Distrusted CA
constraints := pkg.CheckNameConstraintsFromCert(chain)        // Name constraints

Structured Error Handling

import "errors"

result, err := pkg.AnalyzeSecurity("unreachable.example.com")
if errors.Is(err, pkg.ErrConnectionFailed) { /* connection failure */ }
if errors.Is(err, pkg.ErrDNSResolution) { /* DNS failure */ }
if errors.Is(err, pkg.ErrCertParseFailed) { /* parse error */ }

Security Checks Catalog

Certificate Security (CERT-001 to CERT-018)

Code Check Severity
CERT-001 Weak Signature Algorithm High
CERT-002 Short RSA Key (<2048) High
CERT-003 Weak ECDSA Curve Medium
CERT-004 Missing SAN Extension High
CERT-005 Hostname Mismatch Critical
CERT-006 Excessive Validity Medium
CERT-007 Self-Signed Certificate Medium
CERT-008 Certificate Expired Critical
CERT-009 Certificate Expiring Soon High
CERT-010 CN Not in SANs Low
CERT-011 Wildcard Certificate Risk Low
CERT-012 Internal Name High
CERT-013 Untrusted Chain High
CERT-014 Distrusted CA Critical
CERT-015 OCSP Must-Staple Violation High
CERT-016 Key Usage Non-Compliance High
CERT-017 Low Serial Entropy Medium
CERT-018 Name Constraint Violation High

TLS Vulnerability Scans

Heartbleed (CVE-2014-0160) · POODLE (CVE-2014-3566) · ROBOT (CVE-2017-17382) · CCS Injection (CVE-2014-0224) · FREAK (CVE-2015-0204) · Logjam (CVE-2015-4000) · Sweet32 (CVE-2016-2183) · BEAST (CVE-2011-3389) · CRIME (CVE-2012-4929) · Insecure Renegotiation (CVE-2009-3555) · DROWN (CVE-2016-0800)


Skills

52 skills in .claude/skills/ (49 single-tool + 3 workflow playbooks). Each skill is an executable prompt (not documentation) with:

  • When to Use — trigger phrases that activate the skill
  • When NOT to Use — boundaries to avoid wrong tool selection
  • Instructions — step-by-step workflow with CLI/MCP tool calls
  • Anti-Patterns — common mistakes to avoid

Categories: Security Analysis (6) · Certificate Operations (8) · PKI (5) · CRL (2) · Cyberspace Mapping (13) · Protocol Analysis (4) · Compliance Checks (8) · Revocation & HSTS (2) · Chain Verification (1) · Workflows (3)

See CLAUDE.md for the full skill index and integration guide.

Build portable .skill archives:

make package-skills

Project Stats

Metric Count
Skills 52 (49 single-tool + 3 workflows)
CLI Commands 52
MCP Tools 53
Cert Security Checks 18
TLS Vulnerability Scans 11
Go SDK Functions 50+ (7 offline)
Supported Platforms 9
Docker Image ghcr.io/cyberspacesec/certificate-skills

Documentation

License

MIT License

About

AI-native certificate security toolkit — Skills, CLI, MCP server & Go SDK for SSL/TLS analysis, cyberspace mapping and PKI operations

Topics

Resources

License

Stars

0 stars

Watchers

1 watching

Forks

Packages

 
 
 

Contributors

Languages