From 17223fec0af683b408b0d2cd80554bac2fbb504d Mon Sep 17 00:00:00 2001
From: fOuttaMyPaint <TMhospitalitystrategies@gmail.com>
Date: Sun, 5 Apr 2026 16:59:59 -0400
Subject: [PATCH] v0.8.0: SSL/TLS certificate management

Add 3 new MCP tools (certCheck, certRenew, certList) for certificate lifecycle management via certbot and Nginx Proxy Manager. Add new certificate-management skill. Input validation tests for all 3 tools. Full release hygiene across all docs and config files.

Made-with: Cursor
---
 .cursor-plugin/plugin.json                    |   4 +-
 CHANGELOG.md                                  |  13 ++
 CLAUDE.md                                     |  12 +-
 README.md                                     |  16 +-
 ROADMAP.md                                    |   9 +-
 docs/index.html                               |  21 ++-
 mcp-server/README.md                          |   5 +-
 mcp-server/package-lock.json                  |   4 +-
 mcp-server/package.json                       |   4 +-
 mcp-server/src/index.ts                       |   8 +-
 .../tools/__tests__/input-validation.test.ts  |  61 ++++++++
 mcp-server/src/tools/certCheck.ts             |  36 +++++
 mcp-server/src/tools/certList.ts              |  55 +++++++
 mcp-server/src/tools/certRenew.ts             |  56 +++++++
 skills/certificate-management/SKILL.md        | 144 ++++++++++++++++++
 15 files changed, 420 insertions(+), 28 deletions(-)
 create mode 100644 mcp-server/src/tools/certCheck.ts
 create mode 100644 mcp-server/src/tools/certList.ts
 create mode 100644 mcp-server/src/tools/certRenew.ts
 create mode 100644 skills/certificate-management/SKILL.md

diff --git a/.cursor-plugin/plugin.json b/.cursor-plugin/plugin.json
index 17fe729..39e2f1a 100644
--- a/.cursor-plugin/plugin.json
+++ b/.cursor-plugin/plugin.json
@@ -1,8 +1,8 @@
 {
   "name": "home-lab-developer-tools",
   "displayName": "Home Lab Developer Tools",
-  "version": "0.7.0",
-  "description": "Home lab and Raspberry Pi workflows for Cursor, Claude Code, and MCP-compatible editors - 20 skills, 10 rules, and 41 MCP tools for managing Docker Compose stacks, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, OS management, and system administration on a Raspberry Pi home lab via SSH.",
+  "version": "0.8.0",
+  "description": "Home lab and Raspberry Pi workflows for Cursor, Claude Code, and MCP-compatible editors - 21 skills, 10 rules, and 44 MCP tools for managing Docker Compose stacks, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, OS management, certificates, and system administration on a Raspberry Pi home lab via SSH.",
   "author": {
     "name": "TMHSDigital",
     "url": "https://github.com/TMHSDigital"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3ad1470..a9edad5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.8.0] - 2026-04-05
+
+### Added
+
+- 3 new MCP tools for SSL/TLS certificate management
+  - `homelab_certCheck` -- check SSL certificate expiry, issuer, and fingerprint for a domain
+  - `homelab_certRenew` -- trigger Let's Encrypt certificate renewal via certbot (requires confirm=true)
+  - `homelab_certList` -- list all managed certificates from certbot and Nginx Proxy Manager
+- 1 new skill
+  - `certificate-management` -- Let's Encrypt, self-signed certs, renewal automation, NPM cert integration
+- Input validation tests for all 3 new tools
+
 ## [0.7.0] - 2026-04-05
 
 ### Added
@@ -137,6 +149,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Full documentation (README, CLAUDE.md, CONTRIBUTING, ROADMAP, SECURITY)
 - Project logo (assets/logo.png)
 
+[0.8.0]: https://github.com/TMHSDigital/Home-Lab-Developer-Tools/releases/tag/v0.8.0
 [0.7.0]: https://github.com/TMHSDigital/Home-Lab-Developer-Tools/releases/tag/v0.7.0
 [0.6.0]: https://github.com/TMHSDigital/Home-Lab-Developer-Tools/releases/tag/v0.6.0
 [0.5.0]: https://github.com/TMHSDigital/Home-Lab-Developer-Tools/releases/tag/v0.5.0
diff --git a/CLAUDE.md b/CLAUDE.md
index c0c58f3..c7cda81 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -4,13 +4,13 @@ Project documentation for Claude Code and AI assistants working on this reposito
 
 ## Project Overview
 
-Home Lab Developer Tools integrates home lab and Raspberry Pi workflows into AI-assisted development. It includes 20 skills, 10 rules, and a companion MCP server with 41 tools for managing Docker Compose stacks, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, OS management, and system administration via SSH.
+Home Lab Developer Tools integrates home lab and Raspberry Pi workflows into AI-assisted development. It includes 21 skills, 10 rules, and a companion MCP server with 44 tools for managing Docker Compose stacks, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, OS management, certificates, and system administration via SSH.
 
 **Works with:** Cursor (plugin), Claude Code (terminal and in-editor), and any MCP-compatible client.
 
 This is a monorepo -- the skills, rules, and companion MCP server live in the same repository. The MCP server connects to a Raspberry Pi via SSH to execute commands.
 
-**Version:** 0.7.0
+**Version:** 0.8.0
 **License:** CC-BY-NC-ND-4.0
 **npm:** @tmhs/homelab-mcp
 **Author:** TMHSDigital
@@ -38,7 +38,7 @@ Home-Lab-Developer-Tools/
   tests/                     # Python structure tests
 ```
 
-## Skills (20)
+## Skills (21)
 
 | Skill | Description |
 |-------|-------------|
@@ -60,6 +60,7 @@ Home-Lab-Developer-Tools/
 | notification-workflows | Ntfy setup, alert routing, notification pipelines |
 | os-update-management | Unattended-upgrades, kernel updates, reboot scheduling |
 | performance-tuning | Kernel params, swap config, I/O scheduler, GPU memory split |
+| certificate-management | Let's Encrypt, self-signed certs, renewal automation, NPM cert integration |
 | storage-management | Samba, Syncthing, volumes, disk monitoring |
 | troubleshooting | Debug crashes, network issues, hardware problems |
 
@@ -78,7 +79,7 @@ Home-Lab-Developer-Tools/
 | weak-credentials | compose*.yml, .env* | Flag default/weak passwords and insecure credential storage |
 | resource-limits | compose*.yml | Flag containers without memory or CPU limits |
 
-## MCP Tools (41)
+## MCP Tools (44)
 
 All tools connect to the Pi via SSH using environment variables for configuration.
 
@@ -124,6 +125,9 @@ All tools connect to the Pi via SSH using environment variables for configuratio
 | `homelab_aptHistory` | Show recent apt install/upgrade/remove history |
 | `homelab_kernelInfo` | Kernel version, boot parameters, loaded modules |
 | `homelab_systemdServices` | List systemd units or get status of a specific unit |
+| `homelab_certCheck` | Check SSL certificate expiry, issuer, and fingerprint |
+| `homelab_certRenew` | Trigger Let's Encrypt certificate renewal |
+| `homelab_certList` | List all managed certificates from certbot and NPM |
 | `homelab_sshTest` | Test SSH connectivity |
 
 ## Development
diff --git a/README.md b/README.md
index 295830d..ba190e6 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@
 </p>
 
 <p align="center">
-  <strong>20 skills &nbsp;&bull;&nbsp; 10 rules &nbsp;&bull;&nbsp; 41 MCP tools</strong>
+  <strong>21 skills &nbsp;&bull;&nbsp; 10 rules &nbsp;&bull;&nbsp; 44 MCP tools</strong>
 </p>
 
 ---
@@ -41,9 +41,9 @@ This project works with any AI coding tool that supports skills, rules, or MCP:
 | Component | Cursor | Claude Code (terminal) | Claude Code in Cursor | Other MCP clients |
 |---|:---:|:---:|:---:|:---:|
 | **CLAUDE.md** context | Yes | Yes | Yes | - |
-| **20 Skills** (SKILL.md) | Yes | Yes | Yes | - |
+| **21 Skills** (SKILL.md) | Yes | Yes | Yes | - |
 | **10 Rules** (.mdc) | Yes | Via CLAUDE.md | Yes | - |
-| **41 MCP tools** | Yes | Yes | Yes | Yes |
+| **44 MCP tools** | Yes | Yes | Yes | Yes |
 
 > **Claude Code** reads `CLAUDE.md` automatically and can reference skills. The MCP server works with any client that supports the MCP stdio transport.
 
@@ -71,7 +71,7 @@ flowchart LR
 ---
 
 <details>
-<summary><strong>20 Skills</strong> - on-demand home lab expertise</summary>
+<summary><strong>21 Skills</strong> - on-demand home lab expertise</summary>
 
 &nbsp;
 
@@ -95,6 +95,7 @@ flowchart LR
 | **Notifications** | `notification-workflows` | Ntfy setup, alert routing, notification pipelines |
 | **OS** | `os-update-management` | Unattended-upgrades, kernel updates, reboot scheduling |
 | **OS** | `performance-tuning` | Kernel params, swap config, I/O scheduler, GPU memory split |
+| **Certificates** | `certificate-management` | Let's Encrypt, self-signed certs, renewal automation, NPM cert integration |
 | **Storage** | `storage-management` | Samba, Syncthing, volumes, disk monitoring |
 | **Debug** | `troubleshooting` | Debug crashes, network issues, hardware problems |
 
@@ -128,7 +129,7 @@ The MCP server gives your AI assistant live access to your Raspberry Pi via SSH.
 
 <p align="center">
   <img src="https://img.shields.io/badge/transport-stdio-blue" alt="transport">
-  <img src="https://img.shields.io/badge/tools-41-green" alt="tools">
+  <img src="https://img.shields.io/badge/tools-44-green" alt="tools">
   <img src="https://img.shields.io/badge/runtime-Node%20%E2%89%A5%2020-yellow" alt="runtime">
   <img src="https://img.shields.io/badge/connection-SSH-orange" alt="connection">
 </p>
@@ -153,7 +154,7 @@ Add to your Cursor MCP config (`.cursor/mcp.json`):
 ```
 
 <details>
-<summary><strong>41 MCP Tools</strong> - full tool reference</summary>
+<summary><strong>44 MCP Tools</strong> - full tool reference</summary>
 
 &nbsp;
 
@@ -328,6 +329,7 @@ Any client supporting MCP stdio transport can use the Home Lab MCP server. Point
 | `notification-workflows` | "Send a test notification to my phone via Ntfy" |
 | `os-update-management` | "Are there any security updates pending on my Pi?" |
 | `performance-tuning` | "My Pi is sluggish with 13 containers. How can I optimize it?" |
+| `certificate-management` | "Are any of my SSL certificates expiring soon? Renew them" |
 
 </details>
 
@@ -345,7 +347,7 @@ Any client supporting MCP stdio transport can use the Home Lab MCP server. Point
 | **v0.5.0** | **Security Hardening** | **+4** | **+1** | **+2** | **33** |
 | **v0.6.0** | **Logs and Notifications** | **+4** | **+2** | **--** | **37** |
 | **v0.7.0** | **OS and Package Management** | **+4** | **+2** | **+1** | **41** |
-| v0.8.0 | SSL/TLS Certificates | +3 | +1 | -- | 44 |
+| **v0.8.0** | **SSL/TLS Certificates** | **+3** | **+1** | **--** | **44** |
 | v0.9.0 | Multi-Node Foundation | +4 | +1 | +1 | 48 |
 | v0.10.0 | Testing Infrastructure | +2 | -- | -- | 50 |
 | v0.11.0 | Documentation Site | -- | -- | -- | 50 |
diff --git a/ROADMAP.md b/ROADMAP.md
index e2bc6d6..b03560a 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -162,13 +162,13 @@ Certificate lifecycle management.
 
 **MCP tools (+3):**
 
-- [ ] `homelab_certCheck` -- check SSL cert expiry for a domain/host
-- [ ] `homelab_certRenew` -- trigger Let's Encrypt renewal (requires confirm=true)
-- [ ] `homelab_certList` -- list all managed certificates and their status
+- [x] `homelab_certCheck` -- check SSL cert expiry for a domain/host
+- [x] `homelab_certRenew` -- trigger Let's Encrypt renewal (requires confirm=true)
+- [x] `homelab_certList` -- list all managed certificates and their status
 
 **Skills (+1):**
 
-- [ ] `certificate-management` -- Let's Encrypt, self-signed certs, renewal automation, NPM cert integration
+- [x] `certificate-management` -- Let's Encrypt, self-signed certs, renewal automation, NPM cert integration
 
 ---
 
@@ -271,6 +271,7 @@ Production-ready, fully tested, fully documented.
 
 ## Completed
 
+- v0.8.0: SSL/TLS Certificates -- 3 new tools (certCheck, certRenew, certList), 1 new skill (certificate-management)
 - v0.7.0: OS and Package Management -- 4 new tools (aptUpgradable, aptHistory, kernelInfo, systemdServices), 2 new skills (os-update-management, performance-tuning), 1 new rule (resource-limits)
 - v0.6.0: Logs and Notifications -- 4 new tools (journalLogs, logSearch, ntfySend, ntfyTopics), 2 new skills (log-analysis, notification-workflows)
 - v0.5.0: Security Hardening -- 4 new tools (ufwStatus, fail2banStatus, openPorts, containerScan), 1 new skill (secrets-management), 2 new rules (privileged-containers, weak-credentials)
diff --git a/docs/index.html b/docs/index.html
index f44c0fb..398e049 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -4,9 +4,9 @@
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>Home Lab Developer Tools</title>
-  <meta name="description" content="Home lab and Raspberry Pi workflows for Cursor, Claude Code, and MCP-compatible editors. 20 skills, 10 rules, 41 MCP tools.">
+  <meta name="description" content="Home lab and Raspberry Pi workflows for Cursor, Claude Code, and MCP-compatible editors. 21 skills, 10 rules, 44 MCP tools.">
   <meta property="og:title" content="Home Lab Developer Tools">
-  <meta property="og:description" content="20 skills, 10 rules, 41 MCP tools for managing a Raspberry Pi home lab via SSH.">
+  <meta property="og:description" content="21 skills, 10 rules, 44 MCP tools for managing a Raspberry Pi home lab via SSH.">
   <meta property="og:type" content="website">
   <style>
     :root {
@@ -99,14 +99,14 @@
     <div class="container">
       <h1>Home Lab Developer Tools</h1>
       <p>Home lab and Raspberry Pi workflows for Cursor, Claude Code, and any MCP-compatible editor.</p>
-      <span class="version">v0.7.0</span>
+      <span class="version">v0.8.0</span>
     </div>
   </header>
 
   <div class="container">
     <div class="stats">
       <div class="stat">
-        <div class="stat-number" data-target="20">20</div>
+        <div class="stat-number" data-target="21">21</div>
         <div class="stat-label">Skills</div>
       </div>
       <div class="stat">
@@ -114,7 +114,7 @@ <h1>Home Lab Developer Tools</h1>
         <div class="stat-label">Rules</div>
       </div>
       <div class="stat">
-        <div class="stat-number" data-target="41">41</div>
+        <div class="stat-number" data-target="44">44</div>
         <div class="stat-label">MCP Tools</div>
       </div>
     </div>
@@ -233,6 +233,16 @@ <h3>OS / Packages (4)</h3>
         </tbody>
       </table>
 
+      <h3>Certificates (3)</h3>
+      <table>
+        <thead><tr><th>Tool</th><th>Description</th></tr></thead>
+        <tbody>
+          <tr><td><code>homelab_certCheck</code></td><td>Check SSL certificate expiry, issuer, and fingerprint</td></tr>
+          <tr><td><code>homelab_certRenew</code></td><td>Trigger Let's Encrypt certificate renewal</td></tr>
+          <tr><td><code>homelab_certList</code></td><td>List all managed certificates from certbot and NPM</td></tr>
+        </tbody>
+      </table>
+
       <h3>SSH (1)</h3>
       <table>
         <thead><tr><th>Tool</th><th>Description</th></tr></thead>
@@ -265,6 +275,7 @@ <h2>Skills</h2>
           <tr><td>notification-workflows</td><td>Ntfy setup, alert routing, notification pipelines</td></tr>
           <tr><td>os-update-management</td><td>Unattended-upgrades, kernel updates, reboot scheduling</td></tr>
           <tr><td>performance-tuning</td><td>Kernel params, swap config, I/O scheduler, GPU memory split</td></tr>
+          <tr><td>certificate-management</td><td>Let's Encrypt, self-signed certs, renewal automation, NPM cert integration</td></tr>
           <tr><td>storage-management</td><td>Samba, Syncthing, volumes, disk monitoring</td></tr>
           <tr><td>troubleshooting</td><td>Debug crashes, network issues, hardware problems</td></tr>
         </tbody>
diff --git a/mcp-server/README.md b/mcp-server/README.md
index d8ee76a..d4a7a04 100644
--- a/mcp-server/README.md
+++ b/mcp-server/README.md
@@ -1,6 +1,6 @@
 # Home Lab MCP Server
 
-MCP (Model Context Protocol) server for home lab operations. Connects to a Raspberry Pi via SSH and provides 41 tools for system management, Docker Compose stacks, service monitoring, networking, backups, disaster recovery, security auditing, log analysis, notifications, and OS management.
+MCP (Model Context Protocol) server for home lab operations. Connects to a Raspberry Pi via SSH and provides 44 tools for system management, Docker Compose stacks, service monitoring, networking, backups, disaster recovery, security auditing, log analysis, notifications, OS management, and certificate lifecycle.
 
 ## Tools
 
@@ -46,6 +46,9 @@ MCP (Model Context Protocol) server for home lab operations. Connects to a Raspb
 | OS | `homelab_aptHistory` | Show recent apt install/upgrade/remove history |
 | OS | `homelab_kernelInfo` | Kernel version, boot parameters, loaded modules |
 | OS | `homelab_systemdServices` | List systemd units or get status of a specific unit |
+| Certificates | `homelab_certCheck` | Check SSL certificate expiry, issuer, and fingerprint |
+| Certificates | `homelab_certRenew` | Trigger Let's Encrypt certificate renewal |
+| Certificates | `homelab_certList` | List all managed certificates from certbot and NPM |
 | SSH | `homelab_sshTest` | Test SSH connectivity |
 
 ## Setup
diff --git a/mcp-server/package-lock.json b/mcp-server/package-lock.json
index 8ef5aed..9697f08 100644
--- a/mcp-server/package-lock.json
+++ b/mcp-server/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@tmhs/homelab-mcp",
-  "version": "0.7.0",
+  "version": "0.8.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@tmhs/homelab-mcp",
-      "version": "0.7.0",
+      "version": "0.8.0",
       "license": "CC-BY-NC-ND-4.0",
       "dependencies": {
         "@modelcontextprotocol/sdk": "^1.12.1",
diff --git a/mcp-server/package.json b/mcp-server/package.json
index dd500d6..4ba2964 100644
--- a/mcp-server/package.json
+++ b/mcp-server/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@tmhs/homelab-mcp",
-  "version": "0.7.0",
-  "description": "MCP server for home lab operations via SSH - 41 tools for system status, Docker Compose management, service health, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, OS management, and administration on a Raspberry Pi.",
+  "version": "0.8.0",
+  "description": "MCP server for home lab operations via SSH - 44 tools for system status, Docker Compose management, service health, monitoring, DNS, reverse proxy, networking, backups, disaster recovery, security auditing, logs, notifications, OS management, certificates, and administration on a Raspberry Pi.",
   "type": "module",
   "main": "dist/index.js",
   "bin": {
diff --git a/mcp-server/src/index.ts b/mcp-server/src/index.ts
index 3049013..44b42ad 100644
--- a/mcp-server/src/index.ts
+++ b/mcp-server/src/index.ts
@@ -44,10 +44,13 @@ import { register as registerAptUpgradable } from "./tools/aptUpgradable.js";
 import { register as registerAptHistory } from "./tools/aptHistory.js";
 import { register as registerKernelInfo } from "./tools/kernelInfo.js";
 import { register as registerSystemdServices } from "./tools/systemdServices.js";
+import { register as registerCertCheck } from "./tools/certCheck.js";
+import { register as registerCertRenew } from "./tools/certRenew.js";
+import { register as registerCertList } from "./tools/certList.js";
 
 const server = new McpServer({
   name: "homelab-mcp",
-  version: "0.7.0",
+  version: "0.8.0",
 });
 
 registerPiStatus(server);
@@ -91,6 +94,9 @@ registerAptUpgradable(server);
 registerAptHistory(server);
 registerKernelInfo(server);
 registerSystemdServices(server);
+registerCertCheck(server);
+registerCertRenew(server);
+registerCertList(server);
 
 async function main(): Promise<void> {
   const transport = new StdioServerTransport();
diff --git a/mcp-server/src/tools/__tests__/input-validation.test.ts b/mcp-server/src/tools/__tests__/input-validation.test.ts
index c1b0da3..a043def 100644
--- a/mcp-server/src/tools/__tests__/input-validation.test.ts
+++ b/mcp-server/src/tools/__tests__/input-validation.test.ts
@@ -685,4 +685,65 @@ describe("input validation schemas", () => {
       expect(() => schema.parse({ type: "target" })).toThrow();
     });
   });
+
+  describe("certCheck", () => {
+    const schema = z.object({
+      domain: z.string().min(1),
+    });
+
+    it("requires domain", () => {
+      expect(() => schema.parse({})).toThrow();
+    });
+
+    it("accepts a domain", () => {
+      const result = schema.parse({ domain: "example.com" });
+      expect(result.domain).toBe("example.com");
+    });
+
+    it("accepts host:port format", () => {
+      const result = schema.parse({ domain: "example.com:8443" });
+      expect(result.domain).toBe("example.com:8443");
+    });
+
+    it("rejects empty domain", () => {
+      expect(() => schema.parse({ domain: "" })).toThrow();
+    });
+  });
+
+  describe("certRenew", () => {
+    const schema = z.object({
+      domain: z.string().optional(),
+      confirm: z.boolean(),
+    });
+
+    it("requires confirm", () => {
+      expect(() => schema.parse({})).toThrow();
+    });
+
+    it("accepts confirm only (renew all)", () => {
+      const result = schema.parse({ confirm: true });
+      expect(result.confirm).toBe(true);
+      expect(result.domain).toBeUndefined();
+    });
+
+    it("accepts domain and confirm", () => {
+      const result = schema.parse({ domain: "example.com", confirm: true });
+      expect(result.domain).toBe("example.com");
+      expect(result.confirm).toBe(true);
+    });
+
+    it("accepts confirm=false", () => {
+      const result = schema.parse({ confirm: false });
+      expect(result.confirm).toBe(false);
+    });
+  });
+
+  describe("certList (no params)", () => {
+    const schema = z.object({});
+
+    it("accepts empty input", () => {
+      const result = schema.parse({});
+      expect(result).toEqual({});
+    });
+  });
 });
diff --git a/mcp-server/src/tools/certCheck.ts b/mcp-server/src/tools/certCheck.ts
new file mode 100644
index 0000000..10e0384
--- /dev/null
+++ b/mcp-server/src/tools/certCheck.ts
@@ -0,0 +1,36 @@
+import { z } from "zod";
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { execSSH, errorResponse } from "../utils/ssh-api.js";
+
+const inputSchema = {
+  domain: z
+    .string()
+    .min(1)
+    .describe("Domain or host:port to check SSL certificate for (e.g. 'example.com' or 'example.com:8443')"),
+};
+
+export function register(server: McpServer): void {
+  server.tool(
+    "homelab_certCheck",
+    "Check SSL certificate expiry, issuer, and fingerprint for a domain",
+    inputSchema,
+    async (args) => {
+      try {
+        const target = args.domain.includes(":") ? args.domain : `${args.domain}:443`;
+        const serverName = args.domain.split(":")[0];
+        const cmd =
+          `echo | openssl s_client -servername '${serverName}' -connect '${target}' 2>/dev/null ` +
+          `| openssl x509 -noout -subject -issuer -dates -fingerprint 2>&1`;
+        const output = await execSSH(cmd);
+        return {
+          content: [{
+            type: "text" as const,
+            text: output || `Could not retrieve certificate for ${args.domain}. Verify the host is reachable and serving TLS.`,
+          }],
+        };
+      } catch (error) {
+        return errorResponse(error);
+      }
+    },
+  );
+}
diff --git a/mcp-server/src/tools/certList.ts b/mcp-server/src/tools/certList.ts
new file mode 100644
index 0000000..8d3ce92
--- /dev/null
+++ b/mcp-server/src/tools/certList.ts
@@ -0,0 +1,55 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { execSSH, errorResponse } from "../utils/ssh-api.js";
+
+const inputSchema = {};
+
+export function register(server: McpServer): void {
+  server.tool(
+    "homelab_certList",
+    "List all managed SSL certificates from certbot and Nginx Proxy Manager",
+    inputSchema,
+    async () => {
+      const sections: string[] = [];
+
+      try {
+        const certbotCheck = await execSSH(
+          "command -v certbot >/dev/null 2>&1 && echo 'installed' || echo 'missing'",
+        );
+
+        if (certbotCheck.trim() === "installed") {
+          const certbotOutput = await execSSH("sudo certbot certificates 2>&1");
+          sections.push("=== Certbot Certificates ===\n" + certbotOutput);
+        } else {
+          sections.push("=== Certbot ===\nNot installed. Skipping.");
+        }
+      } catch (error) {
+        sections.push("=== Certbot ===\nFailed to query certbot certificates.");
+      }
+
+      try {
+        const npmPort = process.env.HOMELAB_NPM_PORT
+          ? parseInt(process.env.HOMELAB_NPM_PORT, 10)
+          : 81;
+        const email = process.env.HOMELAB_NPM_EMAIL || "admin@example.com";
+        const password = process.env.HOMELAB_NPM_PASSWORD || "changeme";
+        const payload = JSON.stringify({ identity: email, secret: password });
+
+        const tokenOutput = await execSSH(
+          `curl -sf -X POST -H 'Content-Type: application/json' ` +
+            `-d '${payload}' 'http://localhost:${npmPort}/api/tokens'`,
+        );
+        const token = JSON.parse(tokenOutput).token;
+
+        const certsOutput = await execSSH(
+          `curl -sf -H 'Authorization: Bearer ${token}' ` +
+            `'http://localhost:${npmPort}/api/nginx/certificates'`,
+        );
+        sections.push("\n=== Nginx Proxy Manager Certificates ===\n" + certsOutput);
+      } catch {
+        sections.push("\n=== Nginx Proxy Manager ===\nCould not query NPM certificates. Check connectivity and credentials.");
+      }
+
+      return { content: [{ type: "text" as const, text: sections.join("\n") }] };
+    },
+  );
+}
diff --git a/mcp-server/src/tools/certRenew.ts b/mcp-server/src/tools/certRenew.ts
new file mode 100644
index 0000000..c598a54
--- /dev/null
+++ b/mcp-server/src/tools/certRenew.ts
@@ -0,0 +1,56 @@
+import { z } from "zod";
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { execSSH, errorResponse } from "../utils/ssh-api.js";
+
+const inputSchema = {
+  domain: z
+    .string()
+    .optional()
+    .describe("Specific certificate name to renew. Renews all eligible certificates if omitted"),
+  confirm: z
+    .boolean()
+    .describe("Safety gate -- must be true to proceed with renewal"),
+};
+
+export function register(server: McpServer): void {
+  server.tool(
+    "homelab_certRenew",
+    "Trigger Let's Encrypt certificate renewal via certbot",
+    inputSchema,
+    async (args) => {
+      if (!args.confirm) {
+        return {
+          content: [{
+            type: "text" as const,
+            text: "Renewal aborted -- set confirm=true to proceed.",
+          }],
+        };
+      }
+
+      try {
+        const certbotCheck = await execSSH(
+          "command -v certbot >/dev/null 2>&1 && echo 'installed' || echo 'missing'",
+        );
+
+        if (certbotCheck.trim() === "missing") {
+          return {
+            content: [{
+              type: "text" as const,
+              text: "certbot is not installed on the Pi. Install it with:\n\n" +
+                "sudo apt install -y certbot\n\n" +
+                "If using Nginx Proxy Manager, certificates are managed through NPM's UI instead.",
+            }],
+          };
+        }
+
+        const cmd = args.domain
+          ? `sudo certbot renew --cert-name '${args.domain}' --force-renewal 2>&1`
+          : "sudo certbot renew 2>&1";
+        const output = await execSSH(cmd);
+        return { content: [{ type: "text" as const, text: output }] };
+      } catch (error) {
+        return errorResponse(error);
+      }
+    },
+  );
+}
diff --git a/skills/certificate-management/SKILL.md b/skills/certificate-management/SKILL.md
new file mode 100644
index 0000000..c0d37bc
--- /dev/null
+++ b/skills/certificate-management/SKILL.md
@@ -0,0 +1,144 @@
+---
+name: certificate-management
+description: Let's Encrypt, self-signed certs, renewal automation, NPM cert integration
+tools:
+  - homelab_certCheck
+  - homelab_certRenew
+  - homelab_certList
+  - homelab_npmCerts
+---
+
+# Certificate Management
+
+Guide the user through SSL/TLS certificate lifecycle management, including Let's Encrypt provisioning, renewal automation, self-signed certificate generation, and Nginx Proxy Manager certificate integration.
+
+## Trigger
+
+- User asks about SSL certificates, HTTPS, or TLS on their home lab
+- User wants to check certificate expiry dates
+- User mentions "certbot", "Let's Encrypt", "SSL", "TLS", "HTTPS", or "certificate"
+- User wants to renew or provision a certificate
+- User asks about NPM certificate management
+- User wants to set up automatic certificate renewal
+- User reports browser certificate warnings
+
+## Required Inputs
+
+- SSH connectivity to the Raspberry Pi (validated via `homelab_sshTest`)
+
+Optional:
+- Domain name(s) to check or renew
+- certbot installed (for Let's Encrypt workflows)
+- Nginx Proxy Manager running (for NPM cert workflows)
+
+## Workflow
+
+### Check Certificate Status
+
+1. Run `homelab_certList` to see all certificates from both certbot and NPM.
+2. For a specific domain, run `homelab_certCheck` with the domain to get expiry, issuer, and fingerprint.
+3. Identify certificates expiring within 30 days for priority renewal.
+
+### Renew Certificates
+
+1. Check current status with `homelab_certList`.
+2. For certbot-managed certs, run `homelab_certRenew` with `confirm: true`.
+3. For a specific domain only, pass the `domain` parameter.
+4. For NPM-managed certs, renewal happens automatically through NPM's built-in ACME -- check via `homelab_npmCerts`.
+
+### Set Up Automatic Renewal
+
+certbot installs a systemd timer by default. Verify it:
+
+1. Check the timer with `homelab_systemdServices` using `unit: "certbot.timer"`.
+2. If missing, create one:
+
+```bash
+sudo systemctl enable --now certbot.timer
+```
+
+3. The timer runs twice daily; certbot only renews certs within 30 days of expiry.
+4. Add a post-renewal hook to reload services:
+
+```bash
+# /etc/letsencrypt/renewal-hooks/deploy/reload-npm.sh
+#!/bin/bash
+docker restart npm
+```
+
+### Generate Self-Signed Certificates
+
+For internal services that don't need public trust:
+
+```bash
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+  -keyout /opt/homelab/certs/self-signed.key \
+  -out /opt/homelab/certs/self-signed.crt \
+  -subj "/CN=homelab.local"
+```
+
+Import into NPM as a custom certificate for internal-only services.
+
+### NPM Certificate Integration
+
+1. Check NPM certificates with `homelab_npmCerts`.
+2. NPM can provision Let's Encrypt certificates directly through its UI.
+3. For wildcard certificates, use DNS challenge (requires a DNS provider API token).
+4. NPM auto-renews its own certificates -- no certbot needed for NPM-managed domains.
+
+## Key References
+
+- certbot documentation: https://certbot.eff.org
+- Let's Encrypt rate limits: 50 certs per registered domain per week
+- NPM certificate management in the admin UI
+- `/etc/letsencrypt/` directory for certbot configuration and certificates
+- systemd timers for automated renewal scheduling
+
+## Example Interaction
+
+**User:** Are any of my SSL certificates about to expire?
+
+**Assistant:**
+
+1. Let me check all managed certificates.
+
+   *Calls `homelab_certList`*
+
+   Found 3 certbot certificates and 5 NPM certificates. The certbot cert for `grafana.example.com` expires in 12 days -- it needs renewal.
+
+2. Let me check the details on that certificate.
+
+   *Calls `homelab_certCheck` with domain "grafana.example.com"*
+
+   Confirmed: expires April 17, 2026. Issued by Let's Encrypt. Let me renew it.
+
+3. Renewing the certificate.
+
+   *Calls `homelab_certRenew` with domain "grafana.example.com", confirm true*
+
+   Successfully renewed. New expiry is July 16, 2026.
+
+   I also checked your certbot timer -- it's active and running twice daily, so this shouldn't happen again. The cert was likely stuck due to a DNS validation issue. All other certificates are valid for at least 45 days.
+
+## MCP Usage
+
+- `homelab_certCheck` -- check expiry, issuer, and fingerprint for a specific domain
+- `homelab_certRenew` -- trigger Let's Encrypt renewal for one or all certificates (requires confirm=true)
+- `homelab_certList` -- list all certificates from certbot and NPM in one view
+- `homelab_npmCerts` -- list NPM-managed SSL certificates and expiry dates
+
+## Common Pitfalls
+
+- certbot renewal requires port 80 to be accessible for HTTP-01 challenges (or DNS-01 for wildcard)
+- Let's Encrypt has rate limits -- don't force-renew repeatedly during testing
+- NPM and certbot can conflict if both manage the same domain
+- Self-signed certificates trigger browser warnings -- only use for internal services
+- certbot needs to reload the web server after renewal -- configure deploy hooks
+- Wildcard certificates require DNS challenge, not HTTP challenge
+
+## See Also
+
+- `reverse-proxy-management` skill for NPM proxy host configuration
+- `network-configuration` skill for DNS and port management
+- `notification-workflows` skill for alerting on certificate expiry
+- `security-hardening` skill for TLS configuration best practices