MCP HubMCP Hub
Back to Skills

PKI and X.509

oriolrius
Updated Today
14 views
1
1
1
View on GitHub
Metadesign

About

This Claude Skill provides expert guidance on PKI and X.509 certificate management for developers working with digital security. It covers certificate structure, CSR generation, certificate signing, revocation (CRL/OCSP), and OpenSSL commands. Use this skill when implementing certificate authorities, managing cryptographic keys, or handling any X.509-related operations.

Documentation

PKI and X.509 Certificates

Expert assistance with Public Key Infrastructure and X.509 certificate management.

Overview

PKI provides secure digital certificate management:

  • X.509: Standard format for public key certificates
  • Certificate Authority (CA): Issues and signs certificates
  • Certificate Signing Request (CSR): Request for certificate issuance
  • Certificate Revocation: CRL and OCSP protocols
  • Key Management: Secure generation and storage

X.509 Certificate Structure

Certificate Components

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4096 (0x1000)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example CA, O=Example Org, C=US
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 00:00:00 2025 GMT
        Subject: CN=example.com, O=Example Org, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com
    Signature Algorithm: sha256WithRSAEncryption

Distinguished Name (DN)

Components:
- CN (Common Name): example.com
- O (Organization): Example Organization
- OU (Organizational Unit): IT Department
- L (Locality): San Francisco
- ST (State): California
- C (Country): US
- EMAIL: [email protected]

OpenSSL Commands

Generate Private Keys

# RSA 2048-bit
openssl genrsa -out private.key 2048

# RSA 4096-bit (more secure)
openssl genrsa -out private.key 4096

# Encrypted private key
openssl genrsa -aes256 -out private.key 4096

# ECDSA P-256
openssl ecparam -name prime256v1 -genkey -out private.key

# ECDSA P-384 (more secure)
openssl ecparam -name secp384r1 -genkey -out private.key

Generate Certificate Signing Request (CSR)

# Generate CSR from private key
openssl req -new -key private.key -out request.csr \
  -subj "/C=US/ST=California/L=San Francisco/O=Example/CN=example.com"

# Generate key and CSR together
openssl req -new -newkey rsa:4096 -nodes \
  -keyout private.key -out request.csr \
  -subj "/CN=example.com/O=Example Org/C=US"

# CSR with Subject Alternative Names (SAN)
openssl req -new -key private.key -out request.csr \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com,IP:192.168.1.1"

View CSR

# Display CSR details
openssl req -in request.csr -text -noout

# Verify CSR signature
openssl req -in request.csr -verify -noout

Self-Signed Certificates

# Generate self-signed certificate (1 year)
openssl req -x509 -new -key private.key -out cert.pem -days 365 \
  -subj "/CN=example.com/O=Example/C=US"

# Self-signed with SAN
openssl req -x509 -new -key private.key -out cert.pem -days 365 \
  -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:*.example.com"

# Generate key and self-signed cert together
openssl req -x509 -newkey rsa:4096 -nodes \
  -keyout private.key -out cert.pem -days 365 \
  -subj "/CN=Root CA/O=Example/C=US"

Certificate Authority Operations

# Create CA directory structure
mkdir -p ca/{certs,crl,newcerts,private}
touch ca/index.txt
echo 1000 > ca/serial

# Generate CA private key
openssl genrsa -aes256 -out ca/private/ca.key 4096

# Generate CA certificate
openssl req -x509 -new -key ca/private/ca.key \
  -out ca/certs/ca.crt -days 3650 \
  -subj "/CN=Example CA/O=Example/C=US"

# Sign CSR with CA
openssl ca -config openssl.cnf \
  -in request.csr \
  -out signed.crt \
  -days 365

# Or use x509 for simpler signing
openssl x509 -req -in request.csr \
  -CA ca/certs/ca.crt -CAkey ca/private/ca.key \
  -CAcreateserial -out signed.crt -days 365 \
  -extfile <(printf "subjectAltName=DNS:example.com")

View and Verify Certificates

# View certificate
openssl x509 -in cert.pem -text -noout

# View certificate dates
openssl x509 -in cert.pem -noout -dates

# View certificate subject
openssl x509 -in cert.pem -noout -subject

# View certificate issuer
openssl x509 -in cert.pem -noout -issuer

# Verify certificate against CA
openssl verify -CAfile ca.crt cert.pem

# Verify certificate chain
openssl verify -CAfile ca.crt -untrusted intermediate.crt cert.pem

Convert Certificate Formats

# PEM to DER
openssl x509 -in cert.pem -out cert.der -outform DER

# DER to PEM
openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM

# PEM to PKCS#12 (.p12, .pfx)
openssl pkcs12 -export -out cert.p12 \
  -inkey private.key -in cert.pem -certfile ca.crt

# PKCS#12 to PEM
openssl pkcs12 -in cert.p12 -out cert.pem -nodes

Certificate Extensions

Key Usage

digitalSignature    - Digital signatures
nonRepudiation      - Non-repudiation
keyEncipherment     - Encrypt symmetric keys
dataEncipherment    - Encrypt data directly
keyAgreement        - Key agreement (DH/ECDH)
keyCertSign         - Sign certificates (CA only)
cRLSign             - Sign CRLs (CA only)

Extended Key Usage (EKU)

serverAuth          - TLS server authentication
clientAuth          - TLS client authentication
codeSigning         - Code signing
emailProtection     - S/MIME email protection
timeStamping        - Trusted time stamping
OCSPSigning         - OCSP response signing

Subject Alternative Names (SAN)

DNS:example.com                 - Domain name
DNS:*.example.com               - Wildcard domain
IP:192.168.1.1                  - IP address
email:[email protected]         - Email address
URI:https://example.com         - URI

Certificate Revocation

Certificate Revocation List (CRL)

# Generate CRL
openssl ca -config openssl.cnf -gencrl -out crl.pem

# View CRL
openssl crl -in crl.pem -text -noout

# Revoke certificate
openssl ca -config openssl.cnf -revoke cert.pem \
  -crl_reason keyCompromise

# Verify certificate against CRL
openssl verify -crl_check -CRLfile crl.pem -CAfile ca.crt cert.pem

Revocation Reasons

unspecified             - No specific reason
keyCompromise           - Private key compromised
caCompromise            - CA key compromised
affiliationChanged      - Subject affiliation changed
superseded              - Certificate replaced
cessationOfOperation    - No longer needed
certificateHold         - Temporary suspension
removeFromCRL          - Remove from CRL
privilegeWithdrawn      - Privileges removed
aACompromise            - Attribute authority compromised

Certificate Hierarchy

Root CA

interface RootCA {
  subject: DistinguishedName;
  keyPair: KeyPair;
  certificate: X509Certificate;
  validity: {
    notBefore: Date;
    notAfter: Date; // Typically 10-20 years
  };
  keyUsage: ['keyCertSign', 'cRLSign'];
  basicConstraints: {
    cA: true;
    pathLenConstraint: undefined; // No limit
  };
}

Intermediate CA

interface IntermediateCA {
  subject: DistinguishedName;
  issuer: DistinguishedName; // Root CA
  keyPair: KeyPair;
  certificate: X509Certificate;
  validity: {
    notBefore: Date;
    notAfter: Date; // Shorter than root, typically 5-10 years
  };
  keyUsage: ['keyCertSign', 'cRLSign', 'digitalSignature'];
  basicConstraints: {
    cA: true;
    pathLenConstraint: 0; // Can only sign end-entity certs
  };
}

End-Entity Certificate

interface EndEntityCertificate {
  subject: DistinguishedName;
  issuer: DistinguishedName; // Intermediate or Root CA
  keyPair: KeyPair;
  certificate: X509Certificate;
  validity: {
    notBefore: Date;
    notAfter: Date; // Typically 1-2 years
  };
  keyUsage: ['digitalSignature', 'keyEncipherment'];
  extendedKeyUsage: ['serverAuth', 'clientAuth'];
  subjectAlternativeName: {
    dns: string[];
    ip: string[];
  };
  basicConstraints: {
    cA: false;
  };
}

Node.js Integration

Generate CSR with Node Crypto

import { generateKeyPairSync, createSign } from 'crypto';
import { X509Certificate } from 'crypto';

// Generate key pair
const { publicKey, privateKey } = generateKeyPairSync('rsa', {
  modulusLength: 4096,
  publicKeyEncoding: {
    type: 'spki',
    format: 'pem',
  },
  privateKeyEncoding: {
    type: 'pkcs8',
    format: 'pem',
  },
});

// Parse X.509 certificate
const cert = new X509Certificate(certPem);
console.log(cert.subject);
console.log(cert.issuer);
console.log(cert.validFrom);
console.log(cert.validTo);
console.log(cert.fingerprint256);

Best Practices

  1. Key Size: Use RSA 4096-bit or ECDSA P-384 for CAs
  2. Validity Period: Root CA (10-20 years), Intermediate (5-10 years), End-entity (1-2 years)
  3. Key Storage: Store CA private keys in HSM or KMS
  4. Certificate Chain: Always verify complete chain of trust
  5. Revocation: Implement CRL and/or OCSP for revocation checking
  6. SAN over CN: Use Subject Alternative Names instead of Common Name
  7. Strong Algorithms: Use SHA-256 or better (avoid SHA-1, MD5)
  8. Key Usage: Set appropriate key usage and extended key usage
  9. Path Length: Limit path length in CA certificates
  10. Audit Trail: Log all certificate operations

Common Operations

Verify Certificate Chain

# Create chain file (cert + intermediate + root)
cat cert.pem intermediate.pem root.pem > chain.pem

# Verify chain
openssl verify -CAfile root.pem -untrusted intermediate.pem cert.pem

Extract Public Key

# From certificate
openssl x509 -in cert.pem -pubkey -noout > public.key

# From private key
openssl rsa -in private.key -pubout -out public.key

Check Certificate-Key Match

# Compare modulus
openssl x509 -in cert.pem -noout -modulus | openssl md5
openssl rsa -in private.key -noout -modulus | openssl md5
# Should match!

Resources

Quick Install

/plugin add https://github.com/oriolrius/pki-manager-web/tree/main/pki-x509

Copy and paste this command in Claude Code to install this skill

GitHub 仓库

oriolrius/pki-manager-web
Path: .claude/skills/pki-x509
certificate-authoritycertificate-managementcosmianfastifykmspki

Related Skills

langchain

Meta

LangChain is a framework for building LLM applications using agents, chains, and RAG pipelines. It supports multiple LLM providers, offers 500+ integrations, and includes features like tool calling and memory management. Use it for rapid prototyping and deploying production systems like chatbots, autonomous agents, and question-answering services.

View skill

webapp-testing

Testing

This Claude Skill provides a Playwright-based toolkit for testing local web applications through Python scripts. It enables frontend verification, UI debugging, screenshot capture, and log viewing while managing server lifecycles. Use it for browser automation tasks but run scripts directly rather than reading their source code to avoid context pollution.

View skill

business-rule-documentation

Meta

This skill provides standardized templates for systematically documenting business logic and domain knowledge following Domain-Driven Design principles. It helps developers capture business rules, process flows, decision trees, and terminology glossaries to maintain consistency between requirements and implementation. Use it when documenting domain models, creating business rule repositories, or bridging communication between business and technical teams.

View skill

Algorithmic Art Generation

Meta

This skill helps developers create algorithmic art using p5.js, focusing on generative art, computational aesthetics, and interactive visualizations. It automatically activates for topics like "generative art" or "p5.js visualization" and guides you through creating unique algorithms with features like seeded randomness, flow fields, and particle systems. Use it when you need to build reproducible, code-driven artistic patterns.

View skill