SSL/TLS · Capability

SSL/TLS Certificate Lifecycle

Unified workflow capability for SSL/TLS certificate lifecycle management. Enables security and infrastructure teams to request, monitor, renew, and revoke TLS certificates across domains. Combines certificate issuance, automated renewal workflows, expiry monitoring, and domain verification into a single operational interface.

Tags: SSL/TLS, Certificate Management, PKI, HTTPS, Security, Certificate Authority

What You Can Do

GET /v1/certificates
List certificates — List certificates with optional status, domain, and expiry filtering

POST /v1/certificates
Request certificate — Request a new SSL/TLS certificate for one or more domains; issuance is gated on domain validation

GET /v1/certificates/{certificateId}
Get certificate — Get certificate details and PEM data

GET /v1/certificates/{certificateId}/download
Download certificate — Download certificate in PEM or PKCS12 format

POST /v1/certificates/{certificateId}/renew
Renew certificate — Initiate certificate renewal

POST /v1/certificates/{certificateId}/revoke
Revoke certificate — Revoke a certificate with reason code

GET /v1/orders
List orders — List certificate orders

GET /v1/orders/{orderId}
Get order — Get order details with challenge status

GET /v1/domains
List domains — List domains and validation status

GET /v1/monitoring/expiring
Get expiring certificates — Get certificates expiring within N days (the N is the days query parameter)
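The endpoints above are meant to be chained into a proactive-renewal loop: read the expiry watchlist, renew what is about to lapse, then watch each order until its domain-validation challenges settle. The following is an added illustration of that loop, not code from this page or from the Naftiko project. The page does not document response bodies (every operation maps its output with "$.", so the upstream JSON passes through untouched), so the field names used here (certificates, id, status, orderId, challenges), the way the API key is sent, and the FakeCertManager stand-in with its constructed sample data are all assumptions.

```python
"""Proactive renewal sweep over the REST paths exposed by ssl-tls-cert-lifecycle-api.

Assumed (not documented on the page): the JSON shapes returned by the upstream
certificate manager, and that the transport sends CERT_MANAGER_API_KEY as a header.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# (method, path, json body) -> parsed JSON response. A real transport would wrap
# urllib/requests against http://<host>:8080 and attach the API key.
Transport = Callable[[str, str, Optional[dict]], dict]


class CertLifecycleClient:
    """Thin wrapper over the paths listed on this page (assumed response fields)."""

    def __init__(self, transport: Transport, api_key: str) -> None:
        self._t = transport
        self.api_key = api_key  # assumed to be carried as a bearer header by the transport

    def expiring(self, days: int) -> List[dict]:
        return self._t("GET", f"/v1/monitoring/expiring?days={int(days)}", None)["certificates"]

    def renew(self, cert_id: str) -> dict:
        return self._t("POST", f"/v1/certificates/{cert_id}/renew", None)

    def get_order(self, order_id: str) -> dict:
        return self._t("GET", f"/v1/orders/{order_id}", None)


def renewal_sweep(client: CertLifecycleClient, days: int, max_polls: int = 5) -> Dict[str, List[str]]:
    """Renew every active certificate expiring within `days`, then poll each order until
    its challenges are all valid, any is invalid, or the poll budget runs out.
    Non-active (e.g. revoked) certificates are skipped deliberately: a revocation
    calls for a fresh request-certificate with a new key, not a renewal of the old one."""
    result: Dict[str, List[str]] = {"renewed": [], "failed": [], "pending": [], "skipped": []}
    for cert in client.expiring(days):
        if cert.get("status") != "active":
            result["skipped"].append(cert["id"])
            continue
        order_id = client.renew(cert["id"])["orderId"]
        for _ in range(max_polls):
            statuses = {ch["status"] for ch in client.get_order(order_id)["challenges"]}
            if statuses == {"valid"}:
                result["renewed"].append(cert["id"])
                break
            if "invalid" in statuses:
                result["failed"].append(cert["id"])
                break
        else:
            result["pending"].append(cert["id"])
    return result


class FakeCertManager:
    """Constructed offline stand-in for the upstream; all data here is invented."""

    def __init__(self) -> None:
        self.now = datetime.now(timezone.utc)

        def cert(cid: str, domain: str, status: str, days_left: int) -> dict:
            return {"id": cid, "domains": [domain], "status": status,
                    "notAfter": (self.now + timedelta(days=days_left)).isoformat()}

        self.certs = {
            "crt-001": cert("crt-001", "www.example.test", "active", 7),
            "crt-002": cert("crt-002", "api.example.test", "active", 20),
            "crt-003": cert("crt-003", "old.example.test", "revoked", 3),
            "crt-004": cert("crt-004", "mail.example.test", "active", 80),
        }
        self.orders: Dict[str, dict] = {}
        self.polls: Dict[str, int] = {}

    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        req = f"{method} {path}"
        if m := re.fullmatch(r"GET /v1/monitoring/expiring\?days=(\d+)", req):
            cutoff = self.now + timedelta(days=int(m.group(1)))
            return {"certificates": [c for c in self.certs.values()
                                     if datetime.fromisoformat(c["notAfter"]) <= cutoff]}
        if m := re.fullmatch(r"POST /v1/certificates/(crt-\d+)/renew", req):
            cid, oid = m.group(1), f"ord-{len(self.orders) + 1:03d}"
            self.orders[oid] = {"orderId": oid, "certificateId": cid, "status": "pending",
                                "challenges": [{"domain": d, "type": "dns-01", "status": "pending"}
                                               for d in self.certs[cid]["domains"]]}
            self.polls[oid] = 0
            return self.orders[oid]
        if m := re.fullmatch(r"GET /v1/orders/(ord-\d+)", req):
            order = self.orders[m.group(1)]
            self.polls[order["orderId"]] += 1
            # crt-002 stands in for a wrong DNS record: its challenge fails on the first
            # poll. Every other order validates on the second poll.
            fails = order["certificateId"] == "crt-002"
            if fails or self.polls[order["orderId"]] >= 2:
                order["status"] = "invalid" if fails else "valid"
                for ch in order["challenges"]:
                    ch["status"] = order["status"]
            return order
        raise LookupError(f"{req} is not handled by the fake")


def demo() -> Dict[str, List[str]]:
    client = CertLifecycleClient(FakeCertManager(), api_key="value-of-CERT_MANAGER_API_KEY")
    return renewal_sweep(client, days=30)


if __name__ == "__main__":
    print(demo())
```

Against the constructed data, a 30-day sweep renews crt-001, reports crt-002 as failed validation, and skips the revoked crt-003; crt-004 is outside the window and is never touched. Swapping FakeCertManager for a real HTTP transport is the only change needed to run this against the port 8080 API, and the poll budget keeps a stuck challenge from blocking the rest of the sweep.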

MCP Tools

list-certificates
List SSL/TLS certificates with optional status, domain, and expiry filtering
read-only idempotent

get-certificate
Get SSL/TLS certificate details including PEM, chain, and metadata
read-only idempotent

request-certificate
Request a new SSL/TLS certificate for one or more domains

download-certificate
Download SSL/TLS certificate in PEM or PKCS12 format
read-only idempotent

renew-certificate
Initiate renewal for an existing SSL/TLS certificate

revoke-certificate
Revoke an SSL/TLS certificate with a reason code
destructive idempotent

get-order
Get certificate order status including domain validation challenges
read-only idempotent

list-domains
List domains and their certificate validation status
read-only idempotent

get-expiring-certificates
Get SSL/TLS certificates expiring within the next N days for proactive renewal
read-only idempotent

The read-only, destructive, and idempotent labels are the hints declared in the capability spec. They are advisory metadata for the MCP client (for example, so it can ask for confirmation before a destructive call); the server does not enforce them, and every tool, including request, renew, and revoke, runs with the same CERT_MANAGER_API_KEY bound from the environment.

APIs Used

ssl-tls-cert-mgmt

Capability Spec

certificate-lifecycle.yaml
naftiko: "1.0.0-alpha1"

info:
  label: "SSL/TLS Certificate Lifecycle"
  description: >-
    Unified workflow capability for SSL/TLS certificate lifecycle management.
    Enables security and infrastructure teams to request, monitor, renew, and
    revoke TLS certificates across domains. Combines certificate issuance,
    automated renewal workflows, expiry monitoring, and domain verification
    into a single operational interface.
  tags:
    - SSL/TLS
    - Certificate Management
    - PKI
    - HTTPS
    - Security
    - Certificate Authority
  created: "2026-05-02"
  modified: "2026-05-02"

binds:
  - namespace: env
    keys:
      CERT_MANAGER_API_KEY: CERT_MANAGER_API_KEY

capability:
  consumes:
    - import: ssl-tls-cert-mgmt
      location: ./shared/certificate-management.yaml

  exposes:
    - type: rest
      port: 8080
      namespace: ssl-tls-cert-lifecycle-api
      description: "Unified REST API for SSL/TLS certificate lifecycle management."
      resources:
        - path: /v1/certificates
          name: certificates
          description: "Certificate management"
          operations:
            - method: GET
              name: list-certificates
              description: "List certificates with optional status, domain, and expiry filtering"
              call: "ssl-tls-cert-mgmt.list-certificates"
              with:
                status: "rest.status"
                domain: "rest.domain"
                expiringBefore: "rest.expiringBefore"
              outputParameters:
                - type: object
                  mapping: "$."
            - method: POST
              name: request-certificate
              description: "Request a new SSL/TLS certificate for one or more domains; issuance is gated on domain validation"
              call: "ssl-tls-cert-mgmt.request-certificate"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/certificates/{certificateId}
          name: certificate-detail
          description: "Certificate details"
          operations:
            - method: GET
              name: get-certificate
              description: "Get certificate details and PEM data"
              call: "ssl-tls-cert-mgmt.get-certificate"
              with:
                certificateId: "rest.certificateId"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/certificates/{certificateId}/download
          name: certificate-download
          description: "Download certificate"
          operations:
            - method: GET
              name: download-certificate
              description: "Download certificate in PEM or PKCS12 format"
              call: "ssl-tls-cert-mgmt.download-certificate"
              with:
                certificateId: "rest.certificateId"
                format: "rest.format"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/certificates/{certificateId}/renew
          name: certificate-renew
          description: "Certificate renewal"
          operations:
            - method: POST
              name: renew-certificate
              description: "Initiate certificate renewal"
              call: "ssl-tls-cert-mgmt.renew-certificate"
              with:
                certificateId: "rest.certificateId"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/certificates/{certificateId}/revoke
          name: certificate-revoke
          description: "Certificate revocation"
          operations:
            - method: POST
              name: revoke-certificate
              description: "Revoke a certificate with reason code"
              call: "ssl-tls-cert-mgmt.revoke-certificate"
              with:
                certificateId: "rest.certificateId"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/orders
          name: orders
          description: "Certificate orders"
          operations:
            - method: GET
              name: list-orders
              description: "List certificate orders"
              call: "ssl-tls-cert-mgmt.list-orders"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/orders/{orderId}
          name: order-detail
          description: "Order details and challenges"
          operations:
            - method: GET
              name: get-order
              description: "Get order details with challenge status"
              call: "ssl-tls-cert-mgmt.get-order"
              with:
                orderId: "rest.orderId"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/domains
          name: domains
          description: "Domain validation status"
          operations:
            - method: GET
              name: list-domains
              description: "List domains and validation status"
              call: "ssl-tls-cert-mgmt.list-domains"
              outputParameters:
                - type: object
                  mapping: "$."
        - path: /v1/monitoring/expiring
          name: expiring-certificates
          description: "Expiry monitoring"
          operations:
            - method: GET
              name: get-expiring-certificates
              description: "Get certificates expiring within N days"
              call: "ssl-tls-cert-mgmt.get-expiring-certificates"
              with:
                days: "rest.days"
              outputParameters:
                - type: object
                  mapping: "$."

    - type: mcp
      port: 9090
      namespace: ssl-tls-cert-lifecycle-mcp
      transport: http
      description: "MCP server for AI-assisted SSL/TLS certificate lifecycle management."
      tools:
        - name: list-certificates
          description: "List SSL/TLS certificates with optional status, domain, and expiry filtering"
          hints:
            readOnly: true
            idempotent: true
          call: "ssl-tls-cert-mgmt.list-certificates"
          with:
            status: "tools.status"
            domain: "tools.domain"
            expiringBefore: "tools.expiringBefore"
          outputParameters:
            - type: object
              mapping: "$."
        - name: get-certificate
          description: "Get SSL/TLS certificate details including PEM, chain, and metadata"
          hints:
            readOnly: true
            idempotent: true
          call: "ssl-tls-cert-mgmt.get-certificate"
          with:
            certificateId: "tools.certificateId"
          outputParameters:
            - type: object
              mapping: "$."
        - name: request-certificate
          description: "Request a new SSL/TLS certificate for one or more domains"
          hints:
            readOnly: false
            idempotent: false
          call: "ssl-tls-cert-mgmt.request-certificate"
          outputParameters:
            - type: object
              mapping: "$."
        - name: download-certificate
          description: "Download SSL/TLS certificate in PEM or PKCS12 format"
          hints:
            readOnly: true
            idempotent: true
          call: "ssl-tls-cert-mgmt.download-certificate"
          with:
            certificateId: "tools.certificateId"
            format: "tools.format"
          outputParameters:
            - type: object
              mapping: "$."
        - name: renew-certificate
          description: "Initiate renewal for an existing SSL/TLS certificate"
          hints:
            readOnly: false
            idempotent: false
          call: "ssl-tls-cert-mgmt.renew-certificate"
          with:
            certificateId: "tools.certificateId"
          outputParameters:
            - type: object
              mapping: "$."
        - name: revoke-certificate
          description: "Revoke an SSL/TLS certificate with a reason code"
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: "ssl-tls-cert-mgmt.revoke-certificate"
          with:
            certificateId: "tools.certificateId"
          outputParameters:
            - type: object
              mapping: "$."
        - name: get-order
          description: "Get certificate order status including domain validation challenges"
          hints:
            readOnly: true
            idempotent: true
          call: "ssl-tls-cert-mgmt.get-order"
          with:
            orderId: "tools.orderId"
          outputParameters:
            - type: object
              mapping: "$."
        - name: list-domains
          description: "List domains and their certificate validation status"
          hints:
            readOnly: true
            idempotent: true
          call: "ssl-tls-cert-mgmt.list-domains"
          outputParameters:
            - type: object
              mapping: "$."
        - name: get-expiring-certificates
          description: "Get SSL/TLS certificates expiring within the next N days for proactive renewal"
          hints:
            readOnly: true
            idempotent: true
          call: "ssl-tls-cert-mgmt.get-expiring-certificates"
          with:
            days: "tools.days"
          outputParameters:
            - type: object
              mapping: "$."