Configure mutual TLS (mTLS) for zero-trust service-to-service communication. Use when implementing zero-trust networking, certificate management, or securing internal service communication.
83
59%
Does it follow best practices?
Impact
98%
1.05x Average score across 6 eval scenarios
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./plugins/cloud-infrastructure/skills/mtls-configuration/SKILL.md

Istio mTLS migration policy
Mesh-wide STRICT mode: 100%, 100%
Legacy namespace PERMISSIVE: 100%, 100%
Payment port STRICT: 30%, 100%
Metrics port disabled: 100%, 100%
PeerAuthentication API version: 100%, 100%
DestinationRule ISTIO_MUTUAL: 100%, 100%
DestinationRule API version: 100%, 100%
No production DISABLE: 100%, 100%
Migration rationale documented: 100%, 100%
workload selector present: 100%, 100%
cert-manager certificate lifecycle
Short-lived duration: 100%, 100%
Early renewBefore: 100%, 100%
Server auth usage: 100%, 100%
Client auth usage: 100%, 100%
Short name DNS: 100%, 100%
Namespace-qualified DNS: 100%, 100%
FQDN DNS: 100%, 100%
Uses ClusterIssuer: 100%, 100%
CA-backed issuer: 100%, 100%
Renewal rationale documented: 100%, 100%
Certificate API version: 100%, 100%
External service TLS modes and debugging
MUTUAL mode for partner API: 100%, 100%
Client cert in MUTUAL: 100%, 100%
Private key in MUTUAL: 100%, 100%
CA certs in MUTUAL: 100%, 100%
SIMPLE mode for analytics API: 100%, 100%
CA certs in SIMPLE: 0%, 0%
No client certs in SIMPLE: 100%, 100%
istioctl tls-check in runbook: 100%, 100%
Cert expiry check in runbook: 100%, 100%
Debug log level in runbook: 100%, 100%
DestinationRule API version: 100%, 100%
No DISABLE mode used: 100%, 100%
Linkerd mTLS configuration and verification
skip-outbound-ports annotation: 100%, 100%
Server resource present: 60%, 100%
Server podSelector: 100%, 100%
Server proxyProtocol: 100%, 100%
linkerd viz edges in runbook: 100%, 100%
linkerd viz tap in runbook: 100%, 100%
linkerd identity in runbook: 50%, 100%
No mTLS disabled in mesh: 100%, 100%
Runbook documents mTLS status check: 100%, 100%
Policy API version: 0%, 100%
SPIFFE/SPIRE workload identity configuration
trust_domain configured: 100%, 100%
ca_ttl set to 168h: 100%, 100%
default_x509_svid_ttl set to 1h: 70%, 100%
k8s_psat NodeAttestor: 100%, 100%
service_account_allow_list: 100%, 100%
sql DataStore plugin: 100%, 100%
UpstreamAuthority disk plugin: 100%, 100%
SPIRE Agent image version: 100%, 100%
Agent socket mountPath: 100%, 100%
Agent socket hostPath: 100%, 100%
SPIRE in spire namespace: 100%, 100%
Certificate rotation and mTLS audit runbook
kubectl rollout restart for rotation: 100%, 100%
istioctl proxy-config secret for expiry: 80%, 100%
kubectl get peerauthentication --all-namespaces: 100%, 100%
kubectl get destinationrule --all-namespaces: 100%, 100%
No self-signed issuers: 100%, 100%
Proper CA hierarchy described: 100%, 100%
TLS error logging mentioned: 100%, 100%
Cert expiry alerting covered: 100%, 100%
CA rotation addressed: 100%, 100%
No mTLS disabled in production: 100%, 100%
Automated rotation emphasized: 100%, 100%
70444e5