- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
techniques), verified against MITRE ATT&CK v19.1 via the official
mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking digital certificates. This skill covers building a two-tier CA hierarchy (Root CA +
cybersecurity
cryptography
cryptography
pki
certificate-authority
openssl
x509
1.0
mahipal
Apache-2.0
PR.DS-01
PR.DS-02
PR.DS-10
T1649
T1553.004
T1557
T1587.003
Configuring Certificate Authority with OpenSSL
Overview
A Certificate Authority (CA) is the trust anchor in a PKI hierarchy, responsible for issuing, signing, and revoking digital certificates. This skill covers building a two-tier CA hierarchy (Root CA + Intermediate CA) using OpenSSL and the Python cryptography library, including CRL distribution, OCSP responder configuration, and certificate policy management.
When to Use
When deploying or configuring configuring certificate authority with openssl capabilities in your environment
When establishing security controls aligned to compliance requirements
When building or improving security architecture for this domain
When conducting security assessments that require this implementation
Prerequisites
Familiarity with cryptography concepts and tools
Access to a test or lab environment for safe execution
Python 3.8+ with required dependencies installed
Appropriate authorization for any testing activities
Objectives
Create a Root CA with self-signed certificate
Create an Intermediate CA signed by the Root CA
Issue server and client certificates from the Intermediate CA
Configure Certificate Revocation Lists (CRLs)
Implement certificate policies and constraints
Build a complete PKI hierarchy programmatically
Key Concepts
CA Hierarchy
Root CA (offline, air-gapped)
|
+-- Intermediate CA (online, operational)
|
+-- Server Certificates
+-- Client Certificates
+-- Code Signing Certificates
Certificate Extensions
Extension
Purpose
Critical
basicConstraints
CA:TRUE/FALSE, pathLenConstraint
Yes
keyUsage
keyCertSign, cRLSign, digitalSignature
Yes
extendedKeyUsage
serverAuth, clientAuth, codeSigning
No
subjectKeyIdentifier
Hash of public key
No
authorityKeyIdentifier
Issuer's key identifier
No
crlDistributionPoints
URL to CRL
No
authorityInfoAccess
OCSP responder URL
No
Security Considerations
Root CA private key must be stored offline (air-gapped HSM)
Use minimum 4096-bit RSA or P-384 ECDSA for CA keys