DevOps AI ToolKit

OpenSSL TLS Certificate Renewal & Rotation Runbook Prompt

Produce a precise runbook to inspect, renew, and rotate a TLS certificate and private key on a Linux service (CSR, chain assembly, deployment, reload, and verification) without an outage.

Target user: Linux sysadmins managing TLS-terminating services
Difficulty: Intermediate
Tools: Claude, ChatGPT

The prompt

You are a senior Linux administrator who renews and rotates TLS certificates without breaking clients. Be exact with OpenSSL commands and reload (not restart) procedures, and never expose or weaken private key handling.

I will provide:
- The service (nginx, Apache, HAProxy, Postfix, a Java keystore, etc.) and how it's reloaded
- Output of `openssl x509 -in <cert> -noout -subject -issuer -dates -ext subjectAltName` for the current cert, and the file paths for cert, key, and chain
- The CA/process for the new cert (internal CA, ACME/Let's Encrypt, commercial CA via CSR), and any SAN/key-type/size requirements

Your job:

1. **Inventory the current cert** — report subject, SANs, issuer, validity window, key type/size, and whether the chain order and intermediates are correct (`openssl verify -CAfile <roots> -untrusted <chain> <cert>`).
2. **Generate the request** — give the exact `openssl req` (with a config file for SANs) to create a CSR and a fresh key, or the ACME flow, choosing key type/size to match policy.
3. **Validate the issued cert** — confirm the new cert matches the key (compare the public keys: `openssl x509 -in <cert> -noout -pubkey` against `openssl pkey -in <key> -pubout`, which works for RSA and EC alike; `openssl x509 -modulus` versus `openssl rsa -modulus` works for RSA only), covers all required SANs, and has a correctly ordered chain.
4. **Deploy safely** — stage files with correct ownership/permissions (key `0600`, owned by the service user), keep the old cert as rollback, then reload (not restart) to avoid dropping connections.
5. **Verify live** — check with `openssl s_client -connect host:443 -servername <sni>` for chain, expiry, and SNI correctness, and from an external probe.
6. **Prevent recurrence** — recommend monitoring/expiry alerting and, where applicable, automated ACME renewal with a reload hook.

Output: (a) current-cert inventory, (b) CSR/key or ACME commands, (c) cert↔key↔chain validation, (d) permission-correct deploy + reload + live verification + rollback. Confirm key/cert match before any reload.
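The following is an added rehearsal of steps 2 to 4 of the runbook above (CSR with a SAN config, cert/key and SAN validation, chain check, permission-correct staging with a rollback copy). It is example code written for this page, not part of the prompt or of any project; it assumes `openssl` (1.1.1 or later, for `-ext`) and GNU `install`/`stat` are present, creates a constructed throwaway CA in a temp directory so everything runs offline, and uses placeholder host names (`www.example.test`) and the current user as the stand-in service user.

```shell
#!/usr/bin/env bash
# Added rehearsal of the CSR -> issue -> validate -> stage flow. Not the page's own
# code. Everything here is constructed: a throwaway CA is created in a temp dir so
# the checks run offline; host names, paths and the service user are placeholders.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"
SERVICE_USER="${SERVICE_USER:-$(id -un)}"   # real deploys: the TLS-terminating service's user

# Minimal openssl req config carrying the SANs (args: file cn [more sans...]).
write_san_config() {
  local path="$1"; shift
  {
    printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
    printf '[dn]\nCN = %s\n[v3_req]\nsubjectAltName = @alt\n[alt]\n' "$1"
    local i=1
    for san in "$@"; do printf 'DNS.%d = %s\n' "$i" "$san"; i=$((i + 1)); done
  } > "$path"
}

# Step 2: fresh EC key and a CSR that carries the SANs (args: keyfile csrfile cn [sans...]).
make_key_and_csr() {
  local key="$1" csr="$2"; shift 2
  write_san_config "$WORK/req.cnf" "$@"
  openssl ecparam -name prime256v1 -genkey -noout -out "$key"
  openssl req -new -key "$key" -config "$WORK/req.cnf" -out "$csr"
}

# Constructed stand-in for the issuing CA; a real CA or ACME client does this step.
make_toy_ca() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = Toy Internal CA\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$WORK/ca.cnf"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
  openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/ca.cnf" -extensions v3_ca \
    -days 30 -out "$WORK/ca.crt"
}

issue_cert() {  # args: csr certfile (extensions copied from the same req.cnf)
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -extfile "$WORK/req.cnf" -extensions v3_req -out "$2" 2>/dev/null
}

# Step 3a: cert<->key match by comparing public keys (works for RSA and EC alike;
# "-modulus" exists only for RSA). Prints "match" or "MISMATCH".
cert_matches_key() {
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  if [ "$c" = "$k" ]; then echo match; else echo MISMATCH; fi
}

# Step 3b: required SANs missing from the cert (args: cert san...). Empty output = all covered.
missing_sans() {
  local present; present=$(openssl x509 -in "$1" -noout -ext subjectAltName); shift
  for san in "$@"; do
    printf '%s\n' "$present" | grep -Fw "DNS:$san" >/dev/null || echo "$san"
  done
}

# Step 3c: chain check against the CA bundle (args: cert cafile). Prints OK or FAIL.
verify_chain() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Step 4: keep the old files as rollback, install with tight perms, print the key's mode.
# A `systemctl reload <service>` would follow here, and only after cert_matches_key says match.
stage_cert() {  # args: newcert newkey deploydir
  local dir="$3"; mkdir -p "$dir"
  [ -f "$dir/server.crt" ] && cp -p "$dir/server.crt" "$dir/server.crt.bak"
  [ -f "$dir/server.key" ] && cp -p "$dir/server.key" "$dir/server.key.bak"
  install -m 0644 -o "$SERVICE_USER" "$1" "$dir/server.crt"
  install -m 0600 -o "$SERVICE_USER" "$2" "$dir/server.key"
  stat -c '%a' "$dir/server.key"
}

rollback_cert() {  # args: deploydir -> puts the previous cert/key back before a reload
  mv "$1/server.crt.bak" "$1/server.crt" && mv "$1/server.key.bak" "$1/server.key"
}

# Rehearsal run with constructed names.
make_toy_ca
make_key_and_csr "$WORK/new.key" "$WORK/new.csr" www.example.test example.test
issue_cert "$WORK/new.csr" "$WORK/new.crt"
echo "cert/key: $(cert_matches_key "$WORK/new.crt" "$WORK/new.key")"
echo "missing SANs: [$(missing_sans "$WORK/new.crt" www.example.test example.test | tr '\n' ' ')]"
echo "chain: $(verify_chain "$WORK/new.crt" "$WORK/ca.crt")"
echo "staged key mode: $(stage_cert "$WORK/new.crt" "$WORK/new.key" "$WORK/deploy")"
```

In a real rotation the toy CA is replaced by the CSR submission or ACME flow, `stage_cert` points at the service's configured paths, and the reload is issued only when `cert_matches_key` prints `match` and `missing_sans` prints nothing; `rollback_cert` followed by the same reload is the fallback if live verification with `openssl s_client` then fails.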