detecting-ssl-cert-issues

Audit a target's TLS certificate beyond protocol/expiry — chain ordering, OCSP stapling, revocation status, Certificate Transparency presence, key-usage flags, and over-broad wildcards. Use when: the TLS handshake already passes (skill #1 analyzing-tls-config has cleared it) but you suspect the cert posture is fragile. Auditors flag this during SOC2 readiness when a renewal slipped or an intermediate was rotated. Threshold: missing OCSP stapling on production, fewer than 2 SCTs in the cert, intermediate served out of order, key usage missing digitalSignature/keyEncipherment, revoked cert presented, or a wildcard with 2-level scope or wider (e.g., *.com is rejected; *.api.example.com is fine). Trigger with: "check cert revocation", "audit ocsp", "ct log check", "cert chain audit".


Allowed Tools

Read, Bash(python3:*), Bash(openssl:*)

Provided by plugin: penetration-tester (security, v2.0.0)

Security testing toolkit with HTTP header analysis, dependency auditing, and static code scanning

Installation

This skill is included in the penetration-tester plugin:

/plugin install penetration-tester@claude-code-plugins-plus


Instructions

Detecting SSL Certificate Issues

Overview

This skill is the second-level cert audit, run after analyzing-tls-config clears the protocol, cipher, expiry and hostname basics. It surfaces issues that don't break the handshake today but make the cert fragile or open to soft-bypass attacks: missing OCSP stapling forces clients to phone home to the CA (a privacy and latency hit), missing Certificate Transparency SCTs are rejected by Chrome since 2018, an out-of-order chain confuses older clients, and over-broad wildcards expand the blast radius of any future key compromise.

When the skill produces findings

| Finding | Severity | Threshold | Affected control |
|---|---|---|---|
| Revoked certificate presented | CRITICAL | OCSP responder says "revoked" | RFC 6960 |
| Missing or invalid OCSP staple | HIGH | No status_request response on production | RFC 6066, CA/B BR |
| Fewer than 2 SCTs embedded | HIGH | CT-policy violation (Chrome enforces) | RFC 6962, CA/B Baseline Reqs |
| Intermediate served out of RFC 5246 order | MEDIUM | Server sends root before leaf | RFC 5246 §7.4.2 |
| AIA extension missing | MEDIUM | No CA Issuers / OCSP URL in cert | RFC 5280 §4.2.2.1 |
| Over-broad wildcard | HIGH | Scope of 2-level or wider (e.g., *.com) | CA/B Baseline Reqs §3.2.2 |
| Wildcard at apex SAN | LOW | *.example.com without example.com | RFC 6125 §6.4.3 |
| Key Usage missing digitalSignature | MEDIUM | KU bit absent for TLS server cert | RFC 5280 §4.2.1.3 |
| Cert chain longer than 4 | LOW | Performance + trust expansion | CA/B Baseline Reqs |
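Two of the table's checks, wildcard scope and chain ordering, written out as an added stdlib-only Python example. This is not the plugin's check_cert_chain.py: it takes an already-parsed view of the chain (SAN strings plus subject/issuer names, constructed below) rather than opening a TLS connection, and it reports findings with the table's titles and severities.

```python
# Added example (not the plugin's scanner): stdlib-only versions of the
# wildcard-scope and chain-order checks from the findings table, fed with a
# constructed, already-parsed view of the chain instead of a live connection.

def audit_wildcards(sans):
    """Wildcard findings per the table: a scope of 2 labels or wider (*.com)
    is HIGH; a wildcard whose apex name is not also a SAN is LOW."""
    findings = []
    names = {n.lower().rstrip(".") for n in sans}
    for name in sorted(names):
        if not name.startswith("*."):
            continue                    # only leftmost-label wildcards are audited
        labels = name.split(".")
        if len(labels) <= 2:            # "*.com" -> ["*", "com"]: covers a whole TLD
            findings.append(("Over-broad wildcard", "HIGH", name))
            continue
        apex = ".".join(labels[1:])     # *.example.com -> example.com
        if apex not in names:
            findings.append(("Wildcard at apex SAN", "LOW", f"{name} without {apex}"))
    return findings


def audit_chain_order(chain):
    """chain: (subject, issuer) pairs in the order the server sent them.
    RFC 5246 s7.4.2: leaf first, each following cert certifying the one before."""
    findings = []
    if len(chain) > 4:
        findings.append(("Cert chain longer than 4", "LOW", f"{len(chain)} certificates sent"))
    for i in range(len(chain) - 1):
        subject, issuer = chain[i]
        if subject == issuer:           # a self-signed root before the end of the list
            findings.append(("Intermediate served out of RFC 5246 order", "MEDIUM",
                             f"self-signed {subject!r} sent at position {i}"))
            break
        if issuer != chain[i + 1][0]:   # next cert is not this cert's issuer
            findings.append(("Intermediate served out of RFC 5246 order", "MEDIUM",
                             f"position {i + 1} is {chain[i + 1][0]!r}, expected issuer {issuer!r}"))
            break
    return findings


if __name__ == "__main__":
    # Constructed sample: a wildcard-only leaf and a chain sent root-first.
    sans = ["*.api.example.com", "*.com"]
    chain = [("Root CA", "Root CA"), ("Intermediate CA", "Root CA"), ("*.com", "Intermediate CA")]
    for title, severity, detail in audit_wildcards(sans) + audit_chain_order(chain):
        print(f"[{severity}] {title}: {detail}")
```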

Prerequisites

  • Python 3.9+ with cryptography library
  • openssl CLI 1.1.1+ (for OCSP query + chain enumeration)
  • Authorization for non-local targets (see references/AUTHORIZATION.md in skill #1 analyzing-tls-config for the canonical pattern)

Instructions

Step 1 — Confirm Authorization

Active scan; ask the user verbatim:

> "Do you have authorization to perform TLS testing on this target?
> I need confirmation before proceeding."

Step 2 — Run the scanner


python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-ssl-cert-issues/scripts/check_cert_chain.py \
    https://target.example.com \
    --authorized

Options:


Usage: check_cert_chain.py URL [OPTIONS]

Options:
  --authorized       Attest authorization for non-local targets (required)
  --port PORT        Target port (default: 443)
  --output FILE      Write findings to FILE (default: stdout)
  --format FMT       json | jsonl | markdown (default: markdown)
  --min-severity SEV critical|high|medium|low|info (default: info)
  --timeout SECS     Per-probe timeout (default: 10)
  --skip-ocsp        Skip OCSP responder query (offline mode)

Step 3 — Interpret findings

CRITICAL/HIGH map to immediate action items; MEDIUM/LOW to backlog hardening. Cross-reference references/PLAYBOOK.md for OCSP stapling config snippets per server type.

Step 4 — Cross-skill chaining

  • After this skill, suggest checking-http-security-headers (#4) to verify HSTS preload status — HSTS preload depends on a clean cert chain to be effective.
  • For CI integration patterns, see references/PLAYBOOK.md § CI posture-monitoring.

Examples

Example 1 — OCSP stapling audit before adopting must-staple

User: "We're considering Must-Staple — what's our OCSP stapling posture look like across endpoints?"


for ENDPOINT in https://api.example.com https://app.example.com https://admin.example.com; do
  python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-ssl-cert-issues/scripts/check_cert_chain.py \
      "$ENDPOINT" --authorized --min-severity medium
done

If any endpoint reports "Missing OCSP staple" HIGH, adopting Must-Staple on that cert breaks it on next renewal until OCSP-stapling config lands. Pair with references/PLAYBOOK.md § OCSP stapling for nginx / Caddy / Apache config.

Example 2 — CT-log compliance check before public launch

User: "Pre-launch — does our cert have enough SCTs for Chrome to trust it?"


python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-ssl-cert-issues/scripts/check_cert_chain.py \
    https://new-site.example.com --authorized

The scanner extracts embedded SCTs from the cert's CT extension. Fewer than 2 SCTs → HIGH finding; Chrome's CT enforcement policy rejects the connection over HTTPS without explaining why, leaving users with a generic error.

Example 3 — Wildcard scope audit

User: "An auditor flagged our wildcard cert as too broad."


python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-ssl-cert-issues/scripts/check_cert_chain.py \
    https://example.com --authorized --format json | jq '.[] | select(.title | contains("wildcard"))'

The JSON output captures the wildcard scope; pair with the auditor's request to either narrow the SAN list or move to per-service certs.

Output

JSON / JSONL / Markdown per lib/report.py. Exit codes: 0 clean, 1 high/critical, 2 error.

Error Handling

  • OCSP responder timeout → emitted as MEDIUM finding (not an error exit) with note to investigate responder availability.
  • CT log lookup unavailable → falls back to embedded-SCT parsing only; emits INFO note.
  • Untrusted cert → out of scope (skill #1 handles); this skill assumes the chain validates and looks at deeper posture.

Resources

  • references/THEORY.md — OCSP, CT, AIA, chain ordering, wildcard scope reasoning with RFC anchors
  • references/PLAYBOOK.md — OCSP stapling config per server type + CT-log compliance + AIA extension correctness
  • ../analyzing-tls-config/references/AUTHORIZATION.md — canonical ROE template + 2-step gate (shared across all active-scan skills)
