Scenario 01 · certrecon

Discovery & Inventory

Find what you don't know about — including the ones that are already revoked.

Why this tool exists

You cannot automate what you cannot see. Discovery is the spine of every PKI program — and it is where most programs are weakest.

certrecon is a single-file Python tool that sweeps hosts, pulls each certificate, checks OCSP and CRL revocation status, and writes a clean inventory CSV. No agents, no SaaS, no telemetry leaving your network.

Run it once and you have the artifact every other tool in the toolkit needs: a row per certificate with subject, SANs, issuer, expiry, key algorithm, and — critically — revocation status. The inventory is the product.

Try it in your browser

The browser-runnable version of this tool launches with the public GitHub release. In the meantime, the sample output below is the same screen you will see on Run.

What it does

01 Inspect a single host

python3 certrecon.py inspect revoked.badssl.com:443 --check-revocation

Connects, retrieves the leaf certificate, walks the chain, and queries OCSP and CRL. The REVOKED (CRL) verdict you see on the demo Repl is the strongest single screen in the toolkit — it tells you whether any production endpoint is serving a certificate the issuing CA no longer trusts.

02 Sweep a target list

python3 certrecon.py sweep --targets targets.example.txt --out inventory.csv --check-revocation

Reads a newline-separated list of host:port targets and writes one row per certificate. This is the file every other tool in the toolkit ingests.

03 Filter the inventory

python3 certrecon.py report --inventory inventory.csv --expiring-within 47

Surfaces certificates that will need a renewal cycle before 47-day mandates land. Pair the output with your ACME client to size the automation gap honestly.
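
An added example, not certrecon's own code, of the triage an inventory like this supports: it ranks rows that are revoked, expired, inside the 47-day window, or without any revocation answer. The column names and the GOOD/UNKNOWN status values are assumptions, and the rows are constructed, with the revoked.badssl.com row mirroring the sample output on this page.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. The header is an assumption: the page lists
# the fields certrecon records but not the CSV column names.
SAMPLE_INVENTORY = """\
host,subject,issuer,not_after,key,ocsp,crl
revoked.badssl.com:443,CN=revoked.badssl.com,CN=DigiCert SHA2 Secure Server CA,2026-03-12,RSA-2048,REVOKED,REVOKED
app.example.test:443,CN=app.example.test,CN=Example Issuing CA,2025-06-20,ECDSA-P256,GOOD,GOOD
old.example.test:8443,CN=old.example.test,CN=Example Issuing CA,2025-05-01,RSA-2048,GOOD,UNKNOWN
api.example.test:443,CN=api.example.test,CN=Example Issuing CA,2026-01-15,RSA-3072,UNKNOWN,UNKNOWN
"""

def revocation_status(ocsp, crl):
    """Combine both verdicts; a REVOKED answer from either source wins."""
    verdicts = {ocsp.strip().upper(), crl.strip().upper()}
    if "REVOKED" in verdicts:
        return "REVOKED"
    if "GOOD" in verdicts:
        return "GOOD"
    return "UNKNOWN"  # no source answered: never report this as good

def triage(inventory_csv, today, window_days=47):
    """Return (host, finding) pairs that need action, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        days_left = (date.fromisoformat(row["not_after"]) - today).days
        status = revocation_status(row["ocsp"], row["crl"])
        if status == "REVOKED":          # still served, no longer trusted
            findings.append((0, row["host"], "REVOKED"))
        elif days_left < 0:              # already past Not After
            findings.append((1, row["host"], f"EXPIRED {-days_left}d ago"))
        elif days_left <= window_days:   # needs a renewal cycle soon
            findings.append((2, row["host"], f"EXPIRES in {days_left}d"))
        elif status == "UNKNOWN":        # revocation could not be checked
            findings.append((3, row["host"], "REVOCATION UNKNOWN"))
    return [(host, finding) for _, host, finding in sorted(findings)]

if __name__ == "__main__":
    # Fixed date so the run is reproducible; it matches "in 287 days" for
    # the 2026-03-12 expiry shown in the page's sample output.
    for host, finding in triage(SAMPLE_INVENTORY, date(2025, 5, 29)):
        print(f"{host:28} {finding}")
```

A revoked certificate is ranked first even when its expiry is far off, because an expiry filter alone would not surface it.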

Sample output

Exactly what the tool writes to your terminal. No mockups — this is real output, copied verbatim.

$ python3 certrecon.py inspect revoked.badssl.com:443 --check-revocation

Host: revoked.badssl.com:443
  Subject:     CN=revoked.badssl.com
  Issuer:      CN=DigiCert SHA2 Secure Server CA
  Not Before:  2024-03-12
  Not After:   2026-03-12  (in 287 days)
  Key:         RSA-2048
  SANs:        revoked.badssl.com
  OCSP:        REVOKED  (reason: superseded)
  CRL:         REVOKED
  -> Status:   REVOKED (CRL + OCSP agree)

1 host inspected, 1 REVOKED.

Get the tool

GitHub

Clone the repo, install one dependency, run the tool.

git clone https://github.com/fixmycert/cert-automation-toolkit.git
cd cert-automation-toolkit
pip install cryptography

Direct download

Grab the latest release zip — everything in one file.

Download v1.0.0.zip

MIT-licensed. No setup notes beyond the README in the folder.
