📦 certificate-lifecycle-manager
v1.0.0
Manage TLS/SSL certificate lifecycle — discovery, monitoring, renewal planning, and rotation. Track certificates across services, alert before expiry, automa...
Certificate Lifecycle Manager
Stop getting paged at 3 AM about expired certificates. Discover all certificates across your infrastructure, track expiry dates, plan renewals, automate with ACME/Let's Encrypt, and verify deployment — so certificates rotate smoothly before anyone notices.
Use when: "certificate expiring", "find all certificates", "SSL renewal", "cert management", "certificate inventory", "Let's Encrypt automation", "cert rotation", or when an expired certificate causes an outage.
Commands
- discover — Find All Certificates
Step 2: Scan Kubernetes Secrets

```bash
# Decode every kubernetes.io/tls secret and print its subject and expiry
kubectl get secrets -A -o json | python3 -c "
import json, sys, base64, subprocess
secrets = json.load(sys.stdin)['items']
for s in secrets:
    if s['type'] == 'kubernetes.io/tls':
        ns = s['metadata']['namespace']
        name = s['metadata']['name']
        cert_b64 = s['data'].get('tls.crt', '')
        if cert_b64:
            cert_pem = base64.b64decode(cert_b64).decode()
            result = subprocess.run(
                ['openssl', 'x509', '-noout', '-subject', '-enddate'],
                input=cert_pem, capture_output=True, text=True
            )
            print(f'{ns}/{name}: {result.stdout.strip()}')
"
```

Step 3: Scan Local Certificate Files

```bash
# Find certificate files (skip pseudo-filesystems); only files openssl can parse are reported
find / -maxdepth 5 \( -name "*.pem" -o -name "*.crt" -o -name "*.cert" -o -name "*.cer" \) \
  -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | while read -r cert; do
  info=$(openssl x509 -in "$cert" -noout -subject -enddate 2>/dev/null)
  if [ -n "$info" ]; then
    echo "=== $cert ==="
    echo "$info"
  fi
done
```
Step 4: Generate Inventory

```markdown
# Certificate Inventory

## Summary
- Certificates found: 23
- Expiring within 30 days: 2 🔴
- Expiring within 90 days: 5 🟡
- Healthy (>90 days): 16 🟢

## Critical (renew immediately)
| Host | CN/SAN | Issuer | Expires | Days Left |
|---|---|---|---|---|
| api.example.com:443 | *.example.com | Let's Encrypt R3 | 2026-05-10 | 11 🔴 |
| internal.corp:8443 | internal.corp | Corp CA | 2026-05-15 | 16 🔴 |

## Warning (renew within 30 days)
| Host | CN/SAN | Issuer | Expires | Days Left |
|---|---|---|---|---|
| staging.example.com | *.staging.example.com | Let's Encrypt | 2026-06-15 | 47 🟡 |

## Auto-Renewed (managed)
| Host | Provider | Auto-Renew | Last Renewed |
|---|---|---|---|
| www.example.com | CloudFlare | ✅ | 2026-04-01 |
| app.example.com | AWS ACM | ✅ | 2026-03-15 |

## Manual Renewal Required
| Host | Reason |
|---|---|
| internal.corp | Internal CA, no ACME support |
| vpn.example.com | Client certificate, manual CSR process |
```
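The discovery steps print one `subject=` / `notAfter=` pair per certificate, and the inventory above buckets them by days left. As an added example (not the skill's own code), the following parses that output into the 30/90-day buckets and a summary count; `SAMPLE` is constructed output in the Step 2 format, and the as-of date `2026-04-29` is an assumption chosen to reproduce the Days Left values in the tables. It also separates already-expired certificates from the "critical" bucket, which the template does not show.

```python
# Added example, not the skill's own code: turn the lines the discovery steps
# print ("ns/name: subject=..." then "notAfter=...") into the 30/90-day buckets
# of the Step 4 inventory. SAMPLE is constructed; as_of is a parameter.
from datetime import datetime, timezone

OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"   # "May 10 12:00:00 2026 GMT"
CRITICAL_DAYS, WARNING_DAYS = 30, 90    # 🔴 <=30 days, 🟡 <=90 days, 🟢 beyond
SAMPLE = """\
prod/api-tls: subject=CN = *.example.com
notAfter=May 10 12:00:00 2026 GMT
prod/internal-tls: subject=CN = internal.corp
notAfter=May 15 08:30:00 2026 GMT
staging/web-tls: subject=CN = *.staging.example.com
notAfter=Jun 15 00:00:00 2026 GMT
legacy/old-tls: subject=CN = old.example.com
notAfter=Apr 20 00:00:00 2026 GMT
"""

def parse_discovery_output(text):
    """Pair each 'name: subject=...' line with the notAfter= line after it."""
    certs, name, subject = [], None, None
    for line in text.splitlines():
        if ": subject=" in line:
            name, subject = line.split(": subject=", 1)
        elif line.startswith("notAfter=") and name is not None:
            end = datetime.strptime(line[len("notAfter="):].strip(), OPENSSL_DATE)
            certs.append((name, subject.strip(), end.replace(tzinfo=timezone.utc)))
            name = subject = None   # a stray notAfter= without a header is ignored
    return certs

def classify(days_left):
    # Negative days are an outage already, so they get their own bucket.
    if days_left < 0:
        return "expired"
    if days_left <= CRITICAL_DAYS:
        return "critical"
    return "warning" if days_left <= WARNING_DAYS else "healthy"

def build_inventory(text, as_of):
    """as_of: ISO date treated as UTC midnight. Returns bucket -> rows."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    inv = {"expired": [], "critical": [], "warning": [], "healthy": []}
    for name, subject, not_after in parse_discovery_output(text):
        days = (not_after - now).days
        inv[classify(days)].append((name, subject, not_after.date().isoformat(), days))
    return inv

def summary(inv):
    return {bucket: len(rows) for bucket, rows in inv.items()}
```

Feed it the concatenated output of Steps 2 and 3 (Step 3 needs the `=== path ===` header rewritten to the `name: subject=` form) and render `inv["critical"]` and `inv["warning"]` as the tables above.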
- renew — Automate Certificate Renewal
Let's Encrypt / ACME:

```bash
# Certbot renewal: dry-run first, then the real renewal
certbot renew --dry-run 2>&1
certbot renew 2>&1

# Check renewal hooks
cat /etc/letsencrypt/renewal-hooks/deploy/*.sh 2>/dev/null
```
Manual renewal runbook:

1. Generate new CSR: `openssl req -new -key server.key -out server.csr`
2. Submit CSR to CA
3. Download new certificate
4. Verify chain: `openssl verify -CAfile ca-bundle.crt server.crt`
5. Deploy: update server config, restart service
6. Verify: `openssl s_client -connect host:443`
- monitor — Set Up Expiry Alerts
- verify — Post-Renewal Verification
After deploying the new certificate:

```bash
# Verify certificate is deployed correctly
echo | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null | \
  openssl x509 -noout -subject -issuer -dates -fingerprint

# Check chain completeness
echo | openssl s_client -connect "$HOST:443" -servername "$HOST" -showcerts 2>/dev/null | \
  grep -c "BEGIN CERTIFICATE"   # Should be 2-3 (leaf + intermediate(s))

# Verify no mixed content or pinning issues
curl -sI "https://$HOST" | grep -i "strict-transport\|p
```