
mtls-configuration

Safe · Network access · External commands

Configure mTLS for zero-trust networking

Secure service-to-service communication with mutual TLS authentication. This skill provides ready-to-use templates for Istio, Linkerd, SPIFFE, and cert-manager to implement zero-trust security in Kubernetes environments.

Supports: Claude Codex Code(CC)
Score: 71 (Adequate)
  1. Download the skill ZIP
  2. Upload in Claude: go to Settings → Capabilities → Skills → Upload skill
  3. Toggle on and start using

Test it

Using "mtls-configuration". Enable strict mTLS for my Istio mesh in the production namespace

Expected outcome:

  • Created PeerAuthentication resource in istio-system namespace with STRICT mode
  • Applied mesh-wide mTLS requiring mutual authentication for all services
  • Added DestinationRule using ISTIO_MUTUAL mode for automatic certificate management
  • Note: Existing connections will be rejected until clients update their configurations
  • Use 'istioctl authn tls-check' to verify mTLS status after deployment
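The resources that outcome describes, written out as an added example rather than a template shipped with the skill. It assumes istio-system is the mesh root namespace and uses Istio's mesh-wide host pattern `*.local`; a namespace-scoped PeerAuthentication for production is included to show how a single namespace can be locked down before the mesh-wide policy is flipped to STRICT.

```yaml
# Added example: mesh-wide strict mTLS for Istio.
# Assumes istio-system is the mesh root namespace (Istio's default).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system      # root namespace => applies mesh-wide
spec:
  mtls:
    mode: STRICT               # plaintext from non-mesh clients is rejected
---
# Namespace-scoped policy: enforce STRICT in production first while the rest
# of the mesh is still PERMISSIVE (the migration path under Best Practices).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: production
spec:
  mtls:
    mode: STRICT
---
# Client side: sidecars originate mTLS with Istio-managed certificates to
# every in-mesh host; STRICT servers would otherwise reject their plaintext.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.local"              # every service under the cluster DNS suffix
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

Apply with `kubectl apply -f` and check what a sidecar actually enforces with `istioctl x describe pod <pod>`; `istioctl authn tls-check` exists only on Istio releases before 1.6. Two caveats: the wildcard DestinationRule switches off Istio's automatic mTLS detection for every matching host, so workloads without a sidecar need a more specific DestinationRule that sets `mode: DISABLE`; and a PeerAuthentication named anything other than `default` in the root namespace still applies mesh-wide, which makes stray test policies easy to overlook.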

Using "mtls-configuration". Configure cert-manager for automatic workload certificates with 24-hour rotation

Expected outcome:

  • Created ClusterIssuer named 'istio-ca' for certificate signing
  • Generated Certificate resource with 24-hour duration and 8-hour renewBefore
  • Specified commonName and dnsNames for service identity
  • Configured server auth and client auth certificate usages
  • Secret 'my-service-tls' will be created automatically when Certificate is issued
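The issuer and Certificate that outcome lists, as an added example and not the skill's own template. It assumes a `ca`-type ClusterIssuer backed by a Secret named istio-ca-root in the cert-manager namespace, a workload called my-service in the production namespace, and an ECDSA P-256 key; the 24-hour duration and 8-hour renewBefore are the values from the outcome above.

```yaml
# Added example: cert-manager ClusterIssuer plus a short-lived workload certificate.
# Assumes a Secret istio-ca-root (tls.crt and tls.key of the signing CA) already
# exists in the cert-manager namespace; the "ca" issuer signs with it directly.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: istio-ca
spec:
  ca:
    secretName: istio-ca-root
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-service
  namespace: production        # assumed workload namespace
spec:
  secretName: my-service-tls   # written by cert-manager once the cert is issued
  duration: 24h                # short-lived, as in the outcome above
  renewBefore: 8h              # renewal begins 16h after issuance
  commonName: my-service.production.svc.cluster.local
  dnsNames:
    - my-service
    - my-service.production.svc
    - my-service.production.svc.cluster.local
  usages:
    - digital signature
    - key encipherment
    - server auth              # accepted when acting as a server
    - client auth              # accepted when acting as a client (the mutual half)
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always     # fresh private key on every renewal, not only a new cert
  issuerRef:
    name: istio-ca
    kind: ClusterIssuer
    group: cert-manager.io
```

`kubectl -n production get certificate my-service` shows READY=True once the Secret exists; `kubectl -n production describe certificaterequest` explains a failure. renewBefore must be shorter than duration or the Certificate is rejected, and with a 24-hour lifetime any cert-manager outage longer than 16 hours means expired workload certificates, which is why the Best Practices below pair short lifetimes with expiry monitoring.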

Using "mtls-configuration". Set up SPIRE for workload identity in my Kubernetes cluster

Expected outcome:

  • Created ConfigMap for SPIRE Server with sqlite3 datastore
  • Configured k8s_psat node attestor with demo-cluster service account allow list
  • Set UpstreamAuthority plugin with disk-based bootstrap credentials
  • Generated DaemonSet for SPIRE Agent with socket volume mount
  • Trust domain configured as 'example.org'
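The SPIRE Server ConfigMap that outcome describes, as an added example that is not part of the skill. It assumes a spire namespace, data under /run/spire/data, bootstrap CA material mounted at /run/spire/secrets, and an agent running as the spire-agent service account; the Agent DaemonSet is not repeated here.

```yaml
# Added example: SPIRE Server configuration delivered via a ConfigMap.
# Assumptions: namespace spire, state under /run/spire/data, upstream CA key and
# cert mounted at /run/spire/secrets, agents run as service account spire:spire-agent.
apiVersion: v1
kind: ConfigMap
metadata:
  name: spire-server
  namespace: spire
data:
  server.conf: |
    server {
      bind_address = "0.0.0.0"
      bind_port = "8081"
      trust_domain = "example.org"          # every SVID is spiffe://example.org/...
      data_dir = "/run/spire/data"
      log_level = "INFO"
      ca_ttl = "24h"                        # lifetime of the SPIRE signing CA
      default_x509_svid_ttl = "1h"          # workload certificates rotate hourly
    }

    plugins {
      DataStore "sql" {
        plugin_data {
          database_type = "sqlite3"
          connection_string = "/run/spire/data/datastore.sqlite3"
        }
      }

      # Agents prove their node identity with a projected service account token
      # (PSAT); only the listed service account may attest as an agent.
      NodeAttestor "k8s_psat" {
        plugin_data {
          clusters = {
            "demo-cluster" = {
              service_account_allow_list = ["spire:spire-agent"]
            }
          }
        }
      }

      KeyManager "disk" {
        plugin_data {
          keys_path = "/run/spire/data/keys.json"
        }
      }

      # Chain the SPIRE CA under an existing root whose key and cert are on disk.
      UpstreamAuthority "disk" {
        plugin_data {
          key_file_path = "/run/spire/secrets/bootstrap.key"
          cert_file_path = "/run/spire/secrets/bootstrap.crt"
        }
      }
    }
```

Two parts of this layout are demo-grade, as the allow-list name suggests: the sqlite3 datastore only works for a single server replica, and the disk UpstreamAuthority keeps the upstream root's private key on the node filesystem. For a production cluster, use a networked datastore and one of SPIRE's externally backed UpstreamAuthority plugins (such as the cert-manager or vault plugins) so the root key never lands on disk next to the server. The k8s_psat attestor also needs RBAC that lets the server create TokenReviews and read pods and nodes, otherwise agents fail attestation.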

Security Audit

Safe
v4 • 1/17/2026

This is a pure documentation skill containing YAML templates and guidance for mTLS configuration. All 58 static findings are false positives triggered by markdown documentation patterns (backticks for inline code), file paths in example YAML configs, and algorithm names in security documentation. No executable code, network calls, file access, or command execution capabilities exist. The skill does not generate, store, or transmit any certificates or keys.

  • Files scanned: 2
  • Lines analyzed: 527
  • Findings: 2
  • Total audits: 4
  • Audited by: claude

Quality Score

  • Architecture: 38
  • Maintainability: 100
  • Content: 87
  • Community: 29
  • Security: 100
  • Spec Compliance: 91

What You Can Build

Deploy service mesh security

Configure mesh-wide mTLS policies and certificate management for multi-tenant Kubernetes clusters

Debug mTLS failures

Diagnose and resolve TLS handshake failures between services using istioctl and kubectl commands

Implement zero-trust architecture

Design and document certificate hierarchies and mTLS requirements for compliance with PCI-DSS or HIPAA

Try These Prompts

Enable strict mTLS
Enable strict mTLS across my Istio mesh in the production namespace. Create PeerAuthentication and DestinationRule resources for namespace-level enforcement.
Cert-manager integration
Configure cert-manager to issue workload certificates for my Istio services with 24-hour duration and automatic renewal before expiry.
SPIFFE workload identity
Create SPIRE Server and Agent configurations for workload identity in a multi-cluster Kubernetes environment with example.org trust domain.
Debug TLS handshake
My Istio services cannot communicate. Use istioctl commands to check peer authentication status, destination rules, and debug TLS handshake errors.

Best Practices

  • Start with PERMISSIVE mode during migration, then transition to STRICT after validating all services
  • Use short-lived certificates (24 hours or less) with automatic rotation for workload identities
  • Monitor certificate expiry and set up alerts to prevent service disruptions

Avoid

  • Disabling mTLS for convenience in production environments
  • Using self-signed certificates without a proper CA hierarchy
  • Ignoring certificate expiry dates or skipping rotation planning

Frequently Asked Questions

Which service mesh platforms are supported?
Istio, Linkerd, and SPIFFE/SPIRE are fully covered. Templates include PeerAuthentication and DestinationRule (Istio), Server (Linkerd), and SPIRE configurations.
What certificate validity periods are recommended?
Use 24-hour certificates for workloads with automatic renewal. Root CA certificates can have longer validity with proper rotation planning.
How does this skill integrate with existing tools?
This skill generates YAML manifests. Apply them with kubectl or integrate with GitOps tools like ArgoCD or Flux.
Is my certificate data safe?
This skill does not generate, store, or transmit any certificates. All certificate data is handled by your cluster's cert-manager or CA infrastructure.
Why are my services failing after enabling mTLS?
Check if services support mTLS, verify DestinationRules are applied, and ensure sidecar proxies have reloaded. Use PERMISSIVE mode during migration.
How is this different from standard TLS?
mTLS requires both client and server to present certificates. This provides bidirectional authentication for zero-trust service-to-service communication.

Developer Details

File structure

SKILL.md