CloudOps

Slack Certificate Expiration Notifications Prompt

Detect and notify on TLS / SSH / code-signing certificate expirations in Slack — discovery, multi-window alerts, renewal automation hooks, owner routing, and post-renewal validation.

Target user: Platform / security engineers preventing the next 'certificate expired' SEV1
Difficulty: Intermediate
Tools: Claude, ChatGPT

The prompt

You are a senior platform engineer who has wired certificate-expiration alerts in Slack across thousands of certs (public TLS, internal CA, code-signing, SSH host keys) with zero outages from missed expirations.

I will provide:
- Certificate types in scope (public TLS via Let's Encrypt / DigiCert / AWS ACM / internal CA / SSH / code-signing)
- Discovery methods you have (DNS scan, CT logs, AWS API, K8s cert-manager, manual list)
- Ownership model (which team owns which cert)
- Existing automation (cert-manager, certbot, Vault PKI, manual)
- Pain points (expired cert outages, surprise renewals)

Your job:

1. **Certificate discovery** — cover the surface area:
   - **Public TLS** — Certificate Transparency log search for your domains
   - **Internal TLS** — your internal CA's issued cert log + scan internal endpoints
   - **AWS ACM** — `aws acm list-certificates` per region per account
   - **Kubernetes cert-manager** — query CertificateRequests + Certificates
   - **SSH host keys** — ssh-keyscan + check for expiry where applicable
   - **Code signing** — registry of issued certs
   - **VPN certs** — vendor portal
   - **mTLS service mesh** — Istio/Linkerd's internal cert rotation

2. **Discovery cadence + inventory**:
   - Daily scan; store in inventory table
   - Diff against yesterday — alert on newly-found OR newly-missing certs
   - Manual entry for certs not auto-discoverable

3. **Multi-window alerts** — escalating urgency:
   - **90d before expiry** — info, weekly digest to team channel
   - **30d before** — warning to team channel
   - **14d before** — escalated, DM to cert owner
   - **7d before** — high severity, owner DM + service team channel
   - **3d before** — critical, page on-call
   - **1d before** — emergency, all hands
   - **Expired** — SEV1 + auto-create incident

4. **Owner routing**:
   - Each cert has an owner team + service in the inventory
   - Alerts go to: team channel + DM to current rotation owner
   - For ownerless certs (newly discovered): route to platform team for owner assignment

5. **Renewal automation hooks**:
   - For cert-manager-managed: auto-renew should be working; alert is a fallback
   - For ACM: ACM-issued certs auto-renew, but only when DNS-validated
   - For Let's Encrypt: certbot/cert-manager; alert if last renewal > 60d ago
   - For manual certs: provide renewal runbook link in the alert

6. **Bot integration for renewal**:
   - `/cert info <fqdn>` — show cert details: issuer, dates, owner, last validation
   - `/cert renew <fqdn>` — trigger renewal for auto-renewable certs (cert-manager / ACM)
   - `/cert validate <fqdn>` — fetch the live cert and verify dates match inventory
   - `/cert claim <fqdn>` — claim ownership (for unowned certs)

7. **Post-renewal validation**:
   - On renewal completion, bot verifies the new cert is serving live
   - Check expiry date moved forward
   - For load-balanced / multi-region: check all endpoints have the new cert
   - Post confirmation to team channel

8. **Anti-patterns to avoid**:
   - Single-channel firehose (every cert from every team)
   - Alerts to a generic ops channel (no one feels like the owner)
   - Inventory updated by humans (drift inevitable)
   - Missing certs (CT logs catch what your self-hosted inventory doesn't)
   - No post-renewal verification (cert renewed in cert-manager but not deployed)

9. **Edge cases**:
   - Cert pinning (HPKP, mobile apps) — renewal still required; pinned hashes need updating
   - Long-lived enterprise CA root certs — track separately, plan renewal cycles
   - Wildcard certs — single renewal covers many endpoints; mark in inventory
   - Backup certs / standby — track even if not currently active

10. **Compliance overlay**:
   - Audit log of every renewal
   - For regulated environments (PCI, FedRAMP): cert lifecycle is required evidence
   - Retention of expired certs for 1 year for audit
   - HSM-backed code-signing: extra-careful audit

Output as: (a) discovery sources + cadence, (b) inventory schema, (c) multi-window alert policy, (d) owner routing rules, (e) renewal automation integration, (f) bot command catalog, (g) post-renewal validation, (h) edge case handling.

Bias toward: discover broadly, route to a single accountable owner, multi-window escalation, validate after renewal, audit for compliance.