Scenario 02 · certfire

Outage Response

Name the cause, stage the fix, prove you moved.


Why this tool exists

When a certificate breaks production, the first 15 minutes decide whether this is a footnote in a status page or a Sev-1 with an executive readout.

certfire takes a hostname, returns the single root cause in plain English, and stages everything you need to push a replacement — a fresh private key, a CSR pre-filled from the broken certificate, and a copy-paste deployment checklist.

Pair it with the runbook in the GitHub folder. The runbook is the second artifact your incident commander needs after the cause is named.

Try it in your browser

Click Run to see the tool produce live output. No install, no signup.

Coming soon

Live Repl for certfire is on the way

The browser-runnable version of this tool launches with the public GitHub release. In the meantime, the sample output below is the same screen you will see on Run.


What it does

01 Diagnose the outage

python3 certfire.py diagnose expired.badssl.com:443

One screen names the cause: expired, name mismatch, chain incomplete, weak key, revoked, or wrong protocol. Each verdict carries a one-line remediation pointer.

02 Stage the replacement

python3 certfire.py stage expired.badssl.com:443 --out ./replacement

Generates a 2048-bit RSA key (or P-256, your choice), builds a CSR with the original Subject and SANs preserved, and writes a deployment checklist file with the exact commands for your platform.

03 Verify post-deploy

python3 certfire.py verify expired.badssl.com:443 --expect-not-after 2027-03-01

Reconnects, confirms the new certificate is live, and writes a PASS/FAIL line to the incident log. This is the artifact you paste into the post-incident ticket.
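
How step 02 can carry the Subject and SANs of the broken certificate into a new CSR, shown as an added example using the cryptography package (this is not certfire's own code). The certificate is a constructed, self-signed stand-in built inline so the example runs offline; the function names and the example.test hostnames are assumptions.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

def new_key(kind="rsa"):
    """Fresh private key: 2048-bit RSA by default, or P-256."""
    if kind == "p256":
        return ec.generate_private_key(ec.SECP256R1())
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def csr_from_cert(old_cert, key):
    """Build a CSR that reuses the old certificate's Subject and SANs."""
    builder = x509.CertificateSigningRequestBuilder().subject_name(old_cert.subject)
    try:
        san = old_cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        builder = builder.add_extension(san.value, critical=san.critical)
    except x509.ExtensionNotFound:
        pass  # legacy CN-only certificate: no SAN extension to carry over
    return builder.sign(key, hashes.SHA256())  # signature proves key possession

def dns_sans(obj):
    """DNS names from the SAN extension of a certificate or CSR."""
    san = obj.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return san.value.get_values_for_type(x509.DNSName)

def constructed_expired_cert():
    """Constructed stand-in for the broken certificate (self-signed, expired)."""
    key = new_key("p256")
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "*.example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=400))
        .not_valid_after(now - datetime.timedelta(days=35))
        .add_extension(x509.SubjectAlternativeName(
            [x509.DNSName("*.example.test"), x509.DNSName("example.test")]), critical=False)
        .sign(key, hashes.SHA256())
    )

if __name__ == "__main__":
    csr = csr_from_cert(constructed_expired_cert(), new_key("rsa"))
    print(csr.public_bytes(serialization.Encoding.PEM).decode())
```

Only the Subject and SAN extension are copied here; the new key never derives from the old certificate, so a compromised or weak original key is not carried forward.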

Sample output

Exactly what the tool writes to your terminal. No mockups — this is real output, copied verbatim.

$ python3 certfire.py diagnose expired.badssl.com:443

[ DIAGNOSIS ]
  Host:          expired.badssl.com:443
  Verdict:       EXPIRED
  Expired on:    2015-04-09  (4063 days ago)
  Issuer:        CN=COMODO RSA Domain Validation Secure Server CA
  Subject:       CN=*.badssl.com

[ STAGE THIS NEXT ]
  python3 certfire.py stage expired.badssl.com:443 --out ./replacement
  -> writes replacement/key.pem, replacement/req.csr, replacement/CHECKLIST.md

Estimated time-to-recovery if you have a CA on standby: ~15 minutes.


Get the tool

GitHub

Clone the repo, install one dependency, run the tool.

git clone https://github.com/fixmycert/cert-automation-toolkit.git
cd cert-automation-toolkit
pip install cryptography

Direct download

Grab the latest release zip — everything in one file.

Download v1.0.0.zip

MIT-licensed. No setup notes beyond the README in the folder.
