configuring-certificate-authority-with-openssl

```
$ npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/configuring-certificate-authority-with-openssl
```

Build secure two-tier PKI hierarchies with OpenSSL and Python.
- Issue, sign, and revoke certificates for compliance-aligned security.
- Integrates OpenSSL and Python cryptography libraries for operations.
- Executes tasks based on deployment needs and assessment requirements.
- Delivers self-signed certificates and CRL/OCSP configurations.

SKILL.md (source: .github/skills/configuring-certificate-authority-with-openssl in mukul975/Anthropic-Cybersecurity-Skills on GitHub)
---
name: configuring-certificate-authority-with-openssl
description: A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking digital certificates. This skill covers building a two-tier CA hierarchy (Root CA +
domain: cybersecurity
subdomain: cryptography
tags: [cryptography, pki, certificate-authority, openssl, x509]
version: "1.0"
author: mahipal
license: Apache-2.0
---
# Configuring Certificate Authority with OpenSSL
## Overview
A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking digital certificates. This skill covers building a two-tier CA hierarchy (Root CA + Intermediate CA) using OpenSSL and the Python cryptography library, including CRL distribution, OCSP responder configuration, and certificate policy management.
## When to Use
- When deploying or configuring certificate authority capabilities with OpenSSL in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
## Prerequisites
- Familiarity with cryptography concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities
## Objectives
- Create a Root CA with self-signed certificate
- Create an Intermediate CA signed by the Root CA
- Issue server and client certificates from the Intermediate CA
- Configure Certificate Revocation Lists (CRLs)
- Implement certificate policies and constraints
- Build a complete PKI hierarchy programmatically
## Key Concepts
### CA Hierarchy
```
Root CA (offline, air-gapped)
  |
  +-- Intermediate CA (online, operational)
        |
        +-- Server Certificates
        +-- Client Certificates
        +-- Code Signing Certificates
```
### Certificate Extensions
| Extension | Purpose | Critical |
|-----------|---------|----------|
| basicConstraints | CA:TRUE/FALSE, pathLenConstraint | Yes |
| keyUsage | keyCertSign, cRLSign, digitalSignature | Yes |
| extendedKeyUsage | serverAuth, clientAuth, codeSigning | No |
| subjectKeyIdentifier | Hash of public key | No |
| authorityKeyIdentifier | Issuer's key identifier | No |
| crlDistributionPoints | URL to CRL | No |
| authorityInfoAccess | OCSP responder URL | No |
## Security Considerations
- Root CA private key must be stored offline (air-gapped HSM)
- Use minimum 4096-bit RSA or P-384 ECDSA for CA keys
- Set path length constraints on intermediate CAs
- Implement certificate policies (OIDs)
- Enable CRL and OCSP for revocation checking
- Audit all certificate issuance operations
## Validation Criteria
- [ ] Root CA self-signed certificate is valid
- [ ] Intermediate CA certificate chains to Root CA
- [ ] Issued certificates chain to Intermediate -> Root
- [ ] Path length constraints are enforced
- [ ] CRL is generated and accessible
- [ ] Revoked certificates appear in CRL
- [ ] Certificate policies are correctly embedded
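The following is an added example, not code from the skill or its repository, that exercises the Objectives, the extensions listed under Key Concepts, and the Validation Criteria above in one script using the Python `cryptography` package: it builds a Root CA (pathLen 1), an Intermediate CA (pathLen 0) carrying a crlDistributionPoints extension, a server certificate, and a CRL; it then verifies the chain with a checker that enforces pathLenConstraint, shows that a sub-CA issued beneath the pathLen-0 intermediate is rejected, and checks revocation against the signed CRL. The organisation name, common names, the CRL URL `http://pki.example.test/intermediate.crl`, and all lifetimes are constructed for the demo.

```python
"""Added example (not part of the skill): a two-tier PKI built with the Python
`cryptography` package -- Root CA (pathLen 1) -> Intermediate CA (pathLen 0) ->
leaf certificate -- plus a CRL, a chain verifier that enforces pathLen, and a
revocation check. Names, URLs and lifetimes are constructed for the demo."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.datetime.now(datetime.timezone.utc)
CRL_URL = "http://pki.example.test/intermediate.crl"  # hypothetical CRL distribution point


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Lab"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _key_usage(ca):
    # CA keys only sign certificates and CRLs; leaf keys only sign handshakes.
    return x509.KeyUsage(digital_signature=not ca, content_commitment=False,
                         key_encipherment=False, data_encipherment=False,
                         key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                         encipher_only=False, decipher_only=False)


def _builder(subject, issuer_cert, pubkey, days, ca, path_length=None):
    """Common skeleton: validity, SKI/AKI linkage, basicConstraints, keyUsage."""
    issuer_pub = issuer_cert.public_key() if issuer_cert else pubkey
    issuer_name = issuer_cert.subject if issuer_cert else subject
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(minutes=5))
            .not_valid_after(NOW + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=path_length), critical=True)
            .add_extension(_key_usage(ca), critical=True)
            .add_extension(x509.SubjectKeyIdentifier.from_public_key(pubkey), critical=False)
            .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_pub),
                           critical=False))


def make_root():
    key = ec.generate_private_key(ec.SECP384R1())  # P-384, per the security considerations
    cert = _builder(_name("Example Root CA"), None, key.public_key(), 3650, ca=True,
                    path_length=1).sign(key, hashes.SHA384())
    return key, cert


def make_ca(issuer_key, issuer_cert, cn, path_length):
    key = ec.generate_private_key(ec.SECP384R1())
    crl_dp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)], relative_name=None,
        reasons=None, crl_issuer=None)])
    cert = (_builder(_name(cn), issuer_cert, key.public_key(), 1825, ca=True,
                     path_length=path_length)
            .add_extension(crl_dp, critical=False)
            .sign(issuer_key, hashes.SHA384()))
    return key, cert


def make_leaf(issuer_key, issuer_cert, dns_name):
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_builder(_name(dns_name), issuer_cert, key.public_key(), 397, ca=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
            .sign(issuer_key, hashes.SHA384()))
    return key, cert


def make_crl(issuer_key, issuer_cert, revoked_serials):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
               .last_update(NOW).next_update(NOW + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW)
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
            .build())
    return builder.sign(issuer_key, hashes.SHA384())


def verify_chain(chain):
    """chain = [leaf, ..., root]. Checks name linkage, every signature, and that each
    CA's pathLenConstraint permits the number of CAs issued beneath it (RFC 5280 6.1)."""
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert  # root is self-signed
        if cert.issuer != issuer.subject:
            return False
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False
        if i > 0:  # everything above the leaf must be a CA with room left in its path length
            bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
            if not bc.ca or (bc.path_length is not None and bc.path_length < i - 1):
                return False
    return True


def is_revoked(crl, issuer_cert, cert):
    """Only trust a CRL whose signature verifies under the issuing CA's key."""
    if not crl.is_signature_valid(issuer_cert.public_key()):
        raise ValueError("CRL signature invalid")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def demo():
    root_key, root = make_root()
    inter_key, inter = make_ca(root_key, root, "Example Intermediate CA", path_length=0)
    _, server = make_leaf(inter_key, inter, "www.example.test")
    # A sub-CA under the intermediate violates its pathLen 0, so a chain through it must fail.
    sub_key, sub_ca = make_ca(inter_key, inter, "Unauthorised Sub CA", path_length=0)
    _, via_sub = make_leaf(sub_key, sub_ca, "deep.example.test")
    crl = make_crl(inter_key, inter, [server.serial_number])
    return {"chain_ok": verify_chain([server, inter, root]),
            "pathlen_enforced": not verify_chain([via_sub, sub_ca, inter, root]),
            "server_revoked": is_revoked(crl, inter, server)}


if __name__ == "__main__":
    print(demo())
```

`verify_chain` deliberately re-implements the small part of RFC 5280 path validation the checklist asks about (issuer linkage, signatures, pathLenConstraint) rather than delegating to a library verifier, so the pathLen rule is visible: a CA at position `i` in the chain has `i - 1` CAs issued beneath it and must allow at least that many. In production you would also check validity dates, name constraints, and OCSP, and serve the CRL at the URL embedded in the intermediate's crlDistributionPoints extension.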