AI-Native Certificate Security Toolkit — Skills · CLI · MCP · Go SDK
A comprehensive SSL/TLS certificate security toolkit designed for AI agents, security researchers, and cyberspace mapping. Four integration modes: Skills (49 executable prompts + 3 workflows), CLI (52 commands), MCP Server (53 tools), Go SDK (50+ functions).
English | 简体中文
If you are an AI agent reading this to decide which tool to use: install Skills + MCP together. Skills tell you when and which tool; MCP executes it. This combo is the recommended integration path.
| Your goal | Use |
|---|---|
| I'm an AI agent in Claude Code / Cursor and want auto-triggered tool selection | Skills (copy .claude/skills/) |
| I'm an AI agent with MCP support and want direct tool calls | MCP Server (cert-skills-mcp) |
| Best: I want the agent to pick the right tool AND execute it | Skills + MCP |
| I'm a human or script running one-off checks | CLI (cert-skills) |
| I'm embedding cert analysis in a Go program | Go SDK (pkg) |
# 1. CLI + MCP server binary
curl -sL https://github.com/cyberspacesec/certificate-skills/releases/latest/download/certificate-skills_0.2.0_linux_x86_64.tar.gz | tar xz
sudo mv cert-skills cert-skills-mcp /usr/local/bin/
# 2. Skills — copy into your project so your AI agent auto-discovers them
git clone https://github.com/cyberspacesec/certificate-skills.git
cp -r certificate-skills/.claude/skills/ /your/project/.claude/skills/{
"mcpServers": {
"certificate-skills": {
"command": "cert-skills-mcp",
"args": []
}
}
}Skills provide the prompt intelligence; MCP provides the tool execution. Together they let the agent reason about when to run a cert check and then run it without a round-trip to the shell.
| Task | CLI command | MCP tool | Skill |
|---|---|---|---|
| Score a site's TLS security 0-100 | analyze <domain> |
cert_analyze_security |
certificate-analysis |
| 18 cert-level security checks | scan-cert-security <domain> |
cert_scan_cert_security |
cert-security-scanner |
| 11 TLS vulnerability scans (Heartbleed…) | scan-vulns <domain> |
cert_scan_vulnerabilities |
tls-vulnerability-scanner |
| Get cert info / fingerprints | info / fingerprint |
cert_info / cert_fingerprint |
certificate-info / certificate-fingerprint |
Parse a local .pem/.crt/.der |
parse <file> |
cert_parse |
certificate-parse |
| Compare two certs | compare -1 a -2 b |
cert_compare |
certificate-compare |
| Convert PEM↔DER, PKCS12, P7B, chain | convert <sub> |
— | — |
| Generate self-signed cert / CSR | generate / generate-csr |
cert_generate / cert_generate_csr |
certificate-generator / certificate-csr |
| Sign leaf cert with a CA | sign-cert |
cert_sign_certificate |
ca-signer |
| Build multi-tier PKI | generate-intermediate-ca |
cert_generate_intermediate_ca |
intermediate-ca-generator |
| Generate / parse CRL | generate-crl / parse-crl |
— | crl-generator / crl-parser |
| Check revocation (OCSP/CRL) | check-revocation |
cert_check_revocation |
certificate-revocation |
| Check distrusted CA | check-distrusted-ca |
cert_check_distrusted_ca |
distrusted-ca-checker |
| Check OCSP Must-Staple / key usage / serial entropy / SCT / CAA / HSTS | check-* |
cert_check_* |
see Compliance section |
| Search CT logs / enumerate subdomains | search-ct / ct-enumerate |
cert_search_ct / cert_ct_enumerate |
certificate-transparency / ct-subdomain-enumerator |
| JARM / JA3 fingerprinting | jarm / ja3 |
cert_jarm / cert_ja3 |
jarm-fingerprint / ja3-fingerprint |
| Match fingerprints vs known services | match-fp / fp-db |
cert_match_fingerprints / cert_fingerprint_db_* |
fingerprint-db |
| Batch collect certs (hosts/CIDR) | map-scan |
cert_map_scan |
map-scan |
| Offline mapping analysis | map-parse |
cert_map_parse |
map-parse |
| Lifecycle timeline | map-timeline |
cert_map_timeline |
map-timeline |
| Detect cert change / rotation | detect-change |
cert_detect_change |
certificate-change-detection |
| EV detection / wildcard / hostname / chain | detect-ev / check-wildcard / verify-hostname / verify-chain |
cert_* |
ev-detector / wildcard-checker / hostname-verifier / chain-verifier |
Every CLI command supports
-o jsonfor machine-readable output. Batch commands (batch-analyze,expiry-monitor,map-scan) also support-o csv.
Three progressive-disclosure workflow skills compose multiple commands into end-to-end procedures:
workflow-multi-tier-pki— Root CA → Intermediate CA → leaf cert → CRL revocation → chain verificationworkflow-cyberspace-mapping-sweep— Batch collect (map-scan) → fingerprint + match (jarm/ja3/match-fp) → track rotation (detect-change/map-timeline)workflow-incident-response-cert-forensics— Triage suspicious cert: identify → attribute via fingerprints → check trust → trace CT history
Download from GitHub Releases:
# Linux x86_64
curl -sL https://github.com/cyberspacesec/certificate-skills/releases/latest/download/certificate-skills_0.2.0_linux_x86_64.tar.gz | tar xz && sudo mv cert-skills cert-skills-mcp /usr/local/bin/
# macOS Apple Silicon
curl -sL https://github.com/cyberspacesec/certificate-skills/releases/latest/download/certificate-skills_0.2.0_darwin_aarch64.tar.gz | tar xz && sudo mv cert-skills cert-skills-mcp /usr/local/bin/
# Windows (PowerShell)
Invoke-WebRequest -Uri "https://github.com/cyberspacesec/certificate-skills/releases/latest/download/certificate-skills_0.2.0_windows_x86_64.zip" -OutFile "cert-skills.zip"; Expand-Archive cert-skills.zip9 platforms: Linux (x86_64, ARM64, ARM v7, i386), macOS (Apple Silicon, Intel), Windows (x86_64, i386), FreeBSD (x86_64). Two binaries per platform: cert-skills (CLI) and cert-skills-mcp (MCP server).
docker pull ghcr.io/cyberspacesec/certificate-skills:latest
docker run --rm ghcr.io/cyberspacesec/certificate-skills:latest analyze google.comgit clone https://github.com/cyberspacesec/certificate-skills.git
cd certificate-skills
go build -trimpath -ldflags "-s -w" -o cert-skills ./cmd/
go build -trimpath -ldflags "-s -w" -o cert-skills-mcp ./cmd/mcp/go get github.com/cyberspacesec/certificate-skills/pkgimport pkg "github.com/cyberspacesec/certificate-skills/pkg"
result, err := pkg.AnalyzeSecurity("google.com") // Security score 0-100
certResult, err := pkg.ScanCertSecurity("google.com") // 18 cert checks
vulnResult, err := pkg.VulnerabilityScan("google.com") // 11 vuln scans
jarmResult, err := pkg.JARMScan("google.com") // JARM fingerprint
ctResult, err := pkg.CTSearch("example.com") // CT log search
revResult, err := pkg.CheckRevocation("example.com") // OCSP/CRL revocationcert, _ := pkg.GetCertFromFile("cert.pem")
keyUsage := pkg.CheckKeyUsageFromCert(cert) // Key usage compliance
policy := pkg.CheckPolicyFromCert(cert) // Policy OIDs (DV/OV/EV)
security, _ := pkg.ScanCertSecurityFromChain(cert, host, nil) // 18 cert checks
distrusted := pkg.CheckDistrustedCAFromCert(chain) // Distrusted CA
constraints := pkg.CheckNameConstraintsFromCert(chain) // Name constraintsimport "errors"
result, err := pkg.AnalyzeSecurity("unreachable.example.com")
if errors.Is(err, pkg.ErrConnectionFailed) { /* connection failure */ }
if errors.Is(err, pkg.ErrDNSResolution) { /* DNS failure */ }
if errors.Is(err, pkg.ErrCertParseFailed) { /* parse error */ }| Code | Check | Severity |
|---|---|---|
| CERT-001 | Weak Signature Algorithm | High |
| CERT-002 | Short RSA Key (<2048) | High |
| CERT-003 | Weak ECDSA Curve | Medium |
| CERT-004 | Missing SAN Extension | High |
| CERT-005 | Hostname Mismatch | Critical |
| CERT-006 | Excessive Validity | Medium |
| CERT-007 | Self-Signed Certificate | Medium |
| CERT-008 | Certificate Expired | Critical |
| CERT-009 | Certificate Expiring Soon | High |
| CERT-010 | CN Not in SANs | Low |
| CERT-011 | Wildcard Certificate Risk | Low |
| CERT-012 | Internal Name | High |
| CERT-013 | Untrusted Chain | High |
| CERT-014 | Distrusted CA | Critical |
| CERT-015 | OCSP Must-Staple Violation | High |
| CERT-016 | Key Usage Non-Compliance | High |
| CERT-017 | Low Serial Entropy | Medium |
| CERT-018 | Name Constraint Violation | High |
Heartbleed (CVE-2014-0160) · POODLE (CVE-2014-3566) · ROBOT (CVE-2017-17382) · CCS Injection (CVE-2014-0224) · FREAK (CVE-2015-0204) · Logjam (CVE-2015-4000) · Sweet32 (CVE-2016-2183) · BEAST (CVE-2011-3389) · CRIME (CVE-2012-4929) · Insecure Renegotiation (CVE-2009-3555) · DROWN (CVE-2016-0800)
52 skills in .claude/skills/ (49 single-tool + 3 workflow playbooks). Each skill is an executable prompt (not documentation) with:
- When to Use — trigger phrases that activate the skill
- When NOT to Use — boundaries to avoid wrong tool selection
- Instructions — step-by-step workflow with CLI/MCP tool calls
- Anti-Patterns — common mistakes to avoid
Categories: Security Analysis (6) · Certificate Operations (8) · PKI (5) · CRL (2) · Cyberspace Mapping (13) · Protocol Analysis (4) · Compliance Checks (8) · Revocation & HSTS (2) · Chain Verification (1) · Workflows (3)
See CLAUDE.md for the full skill index and integration guide.
Build portable .skill archives:
make package-skills| Metric | Count |
|---|---|
| Skills | 52 (49 single-tool + 3 workflows) |
| CLI Commands | 52 |
| MCP Tools | 53 |
| Cert Security Checks | 18 |
| TLS Vulnerability Scans | 11 |
| Go SDK Functions | 50+ (7 offline) |
| Supported Platforms | 9 |
| Docker Image | ghcr.io/cyberspacesec/certificate-skills |
- CLAUDE.md — Full AI agent integration guide with skill index
- Website — VitePress docs site
- Skills source — Executable prompt definitions
- Releases — Changelog & binaries