
aiwg


Deployment tool and support utility for AI context. Copies agents, skills, commands, rules, and behaviors into the paths each AI platform reads (Claude Code, Codex, Copilot, Cursor, Warp, OpenClaw, and 6 more) so one source of truth works across 10 platforms.

# Certificate lifecycle record template (kind: OpsTarget).
# Values written as "{...}" are placeholders to fill in; a|b|c inside a
# placeholder appears to list the accepted choices.
# This record describes a certificate and points at where its key lives;
# private key material itself does not belong in any field below.
# NOTE(review): indentation was reconstructed from a flattened listing;
# confirm the nesting of san and renewal_trigger_days against the packaged file.
apiVersion: ops.aiwg.io/v1
kind: OpsTarget
metadata:
  name: "{cert-identifier}"
  labels:
    domain: security-operations
    type: cert-lifecycle-record
    environment: "{production|staging|dev}"
    criticality: "{critical|high|medium|low}"

spec:
  # Subject Information
  subject:
    common_name: "{hostname.example.com}"
    organization: "{Organization Name}"
    organizational_unit: "{Ops|Engineering|Security}"
    country: "{CC}"
  # Subject Alternative Names; list every name and address the certificate
  # must be valid for.
  san:
    dns:
      - "{hostname.example.com}"
      - "{alias.example.com}"
    ip:
      - "{192.168.1.10}"
    email: []  # for S/MIME certs

  # Certificate Identity
  # serial + issuer identify the certificate for revocation lookups; the
  # SHA-256 fingerprints let a deployed file be checked against this record.
  serial: "{hex-serial-number}"
  fingerprint_sha256: "{sha256-fingerprint}"
  issuer: "{Org Issuing CA — Purpose}"
  issuing_ca_fingerprint: "{sha256-fingerprint-of-issuing-ca}"

  # Validity
  not_before: "{YYYY-MM-DD}"
  not_after: "{YYYY-MM-DD}"
  validity_days: 0  # compute from not_before → not_after
  # Derived from the current date, so a stored value is stale the next day;
  # recompute on read rather than trusting what is written here.
  days_remaining: 0  # compute from today → not_after

  # Key Material
  key_algorithm: "{EC|RSA}"
  key_size: "{384|4096}"  # bits for RSA, curve size for EC
  key_curve: "{P-384}"  # EC only
  # The only field in this section that is a literal rather than a placeholder.
  # The signature algorithm is set by the issuing CA's key, not by
  # key_algorithm above; copy the value from the issued certificate.
  signature_algorithm: "sha384WithRSAEncryption"

  # Deployment
  # One entry per host/service the certificate is installed on.
  hosts:
    - hostname: "{hostname.example.com}"
      service: "{nginx|apache|postgres|custom}"
      port: 443
      cert_path: "{/etc/ssl/certs/hostname.pem}"
      # Path to the private key on the host; record the path only.
      key_path: "{/etc/ssl/private/hostname.key}"
      chain_path: "{/etc/ssl/certs/hostname-chain.pem}"
      last_deployed: "{YYYY-MM-DD}"
      deployment_method: "{ansible|manual|cert-manager|certbot}"

  # Renewal
  renewal_procedure: "{auto|manual}"
  renewal_automation:
    enabled: false
    tool: "{certbot|cert-manager|acme.sh|custom}"
    trigger_days_before_expiry: 30
    notification_channel: "{ops-alerts|email|pagerduty}"
  # NOTE(review): the same 30-day threshold also appears as
  # renewal_automation.trigger_days_before_expiry; keep the two in sync, or
  # confirm which one the consumer actually reads.
  renewal_trigger_days: 30  # flag for renewal this many days before expiry
  last_renewed: "{YYYY-MM-DD}"
  renewal_procedure_ref: "{path/to/ca-operations-runbook.md}"
  # Append one entry per renewal; previous_serial ties each entry to the
  # certificate it replaced.
  renewal_history:
    - date: "{YYYY-MM-DD}"
      renewed_by: "{operator}"
      previous_serial: "{old-serial}"
      notes: "{reason for renewal or routine expiry}"

  # Storage
  # Where the certificate and key are kept, and who can read them.
  storage:
    type: "{file|hsm|k8s-secret|vault}"
    location: "{/etc/ssl/private/ | HSM slot {N} | k8s: {namespace}/{secret-name} | vault: {path}}"
    # Template default; verify it holds for the chosen storage type instead of
    # leaving it as-is.
    encrypted_at_rest: true
    # A backup holds a copy of the key; it needs the same protection as the
    # primary location.
    backup_location: "{path or 'none'}"
    access_control: "{description of who/what can read this cert and key}"

  # Revocation
  revocation_status: "{valid|revoked|suspended}"
  revoked_date: null  # YYYY-MM-DD if revoked
  revocation_reason: null  # keyCompromise|caCompromise|affiliationChanged|superseded|cessationOfOperation
  # CRLs and OCSP responses are signed by the CA, which is why these
  # endpoints are conventionally served over plain http.
  crl_distribution_point: "{http://pki.example.com/issuing-purpose.crl}"
  ocsp_responder: "{http://ocsp.example.com/issuing-purpose}"

  # Audit
  # Who issued and who approved the certificate; fill in both fields so
  # separation of duties can be checked later.
  issued_by: "{operator or automation}"
  issued_date: "{YYYY-MM-DD}"
  approved_by: "{operator}"
  purpose: "{description of what this certificate is used for}"
  compliance_frameworks:
    - "{PCI-DSS|SOC2|ISO27001|HIPAA|none}"
  notes: "{Any additional context about this certificate}"