Scenario 04 · certmove

CA-to-CA Migration

Move every endpoint. Prove every move.


Why this tool exists

Switching CAs sounds like a procurement decision. In practice it is a months-long migration that the auditor will eventually ask you to prove — every endpoint, every replacement, every old certificate retired.

certmove plans the migration from a source inventory, tracks replacement as it happens, and writes a tamper-evident evidence log the auditor can verify against the live endpoints.

The PASS/FAIL evidence row is the differentiator. It is the artifact that turns "we believe we migrated" into "here is the proof, signed and timestamped".


Coming soon

Live Repl for certmove is on the way

The browser-runnable version of this tool launches with the public GitHub release. In the meantime, the sample output below is the same screen you will see on Run.


What it does

01 Plan the migration

python3 certmove.py plan --inventory source_inventory.csv --from-ca Entrust --to-ca Sectigo --out migration_plan.csv

Filters source inventory to certificates issued by the outgoing CA and writes a per-endpoint migration plan with target dates and ownership.

02 Verify post-migration

python3 certmove.py verify --inventory post_migration.csv

Re-scans each endpoint, checks that the live certificate is now issued by the new CA, and emits a PASS or FAIL per row. PASS rows include the new serial, fingerprint, and timestamp; FAIL rows surface why.

03 Generate the evidence log

python3 certmove.py evidence --verify-output verify.json --out evidence_log.csv

Produces a sorted, hash-chained CSV with one row per endpoint. Hand this to your auditor; pair it with the source inventory and the new CA's issuance log for a complete trail.
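To make the hash-chained evidence log concrete, here is an added example (not certmove's own code; the column names and the chaining scheme are assumptions) that builds a sorted, chained CSV from constructed verify results and then re-verifies the chain, showing that editing a FAIL into a PASS after the fact breaks it:

```python
import csv
import hashlib
import io

# Constructed verify results, shaped like the sample output on the page.
# Field names and the chaining scheme below are assumptions, not certmove's format.
VERIFY_ROWS = [
    {"endpoint": "www.example.com:443", "result": "PASS", "issuer": "Sectigo",
     "serial": "0x9c:a2", "not_after": "2027-04-11"},
    {"endpoint": "api.example.com:443", "result": "PASS", "issuer": "Sectigo",
     "serial": "0x9c:a1", "not_after": "2027-04-11"},
    {"endpoint": "legacy.example.com:443", "result": "FAIL", "issuer": "Entrust",
     "serial": "", "not_after": ""},
]
PAYLOAD = ["endpoint", "result", "issuer", "serial", "not_after"]
FIELDS = PAYLOAD + ["prev_hash", "row_hash"]
GENESIS = "0" * 64  # chain anchor for the first row

def _row_hash(prev_hash, row):
    # Each hash covers the previous row's hash plus this row's payload, so
    # editing, deleting or reordering any row invalidates every later hash.
    payload = "|".join(row[f] for f in PAYLOAD)
    return hashlib.sha256(f"{prev_hash}|{payload}".encode()).hexdigest()

def build_evidence_csv(rows):
    """Return CSV text: one row per endpoint, sorted, each linked to its predecessor."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    prev = GENESIS
    for r in sorted(rows, key=lambda r: r["endpoint"]):
        out = {f: r.get(f, "") for f in PAYLOAD}
        out["prev_hash"] = prev
        out["row_hash"] = _row_hash(prev, out)
        writer.writerow(out)
        prev = out["row_hash"]
    return buf.getvalue()

def verify_evidence_csv(text):
    """Recompute the chain; return (True, None) or (False, first bad endpoint)."""
    prev = GENESIS
    for row in csv.DictReader(io.StringIO(text)):
        if row["prev_hash"] != prev or _row_hash(prev, row) != row["row_hash"]:
            return False, row["endpoint"]
        prev = row["row_hash"]
    return True, None

if __name__ == "__main__":
    log = build_evidence_csv(VERIFY_ROWS)
    print(log)
    print("chain intact:", verify_evidence_csv(log))
    tampered = log.replace("legacy.example.com:443,FAIL", "legacy.example.com:443,PASS")
    print("after editing FAIL to PASS:", verify_evidence_csv(tampered))
```

An auditor who holds the final row_hash (or the file's sha256, as the sample output prints) can detect any later edit by recomputing the chain.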

Sample output

Exactly what the tool writes to your terminal. No mockups — this is real output, copied verbatim.

$ python3 certmove.py verify --inventory post_migration.csv

[ MIGRATION VERIFICATION — Entrust -> Sectigo ]

  api.example.com:443        PASS  issuer=Sectigo  serial=0x9c:a1:...  not_after=2027-04-11
  www.example.com:443        PASS  issuer=Sectigo  serial=0x9c:a2:...  not_after=2027-04-11
  legacy.example.com:443     FAIL  issuer=Entrust  -- still on old CA, not replaced
  vpn.example.com:443        PASS  issuer=Sectigo  serial=0x9c:a3:...  not_after=2027-04-11

  Summary: 3 PASS, 1 FAIL, 0 unreachable.
  Evidence log written: evidence_log.csv  (sha256: 4a7b2c...)

  -> 1 endpoint still on the old CA. Drive that to zero before retiring trust.


Get the tool

GitHub

Clone the repo, install one dependency, run the tool.

git clone https://github.com/fixmycert/cert-automation-toolkit.git
cd cert-automation-toolkit
pip install cryptography

Direct download

Grab the latest release zip — everything in one file.

Download v1.0.0.zip

MIT-licensed. No setup notes beyond the README in the folder.
