Outage Response
Name the cause, stage the fix, prove you moved.

Why this tool exists
When a certificate breaks production, the first 15 minutes decide whether this is a footnote in a status page or a Sev-1 with an executive readout.
certfire takes a hostname, returns the single root cause in plain English, and stages everything you need to push a replacement — a fresh private key, a CSR pre-filled from the broken certificate, and a copy-paste deployment checklist.
Pair it with the runbook in the GitHub folder. The runbook is the second artifact your incident commander needs after the cause is named.
Click Run to see the tool produce live output. No install, no signup.
Live Repl for certfire is on the way
The browser-runnable version of this tool launches with the public GitHub release. In the meantime, the sample output below is the same screen you will see on Run.
Jump to sample outputWhat it does
01Diagnose the outage
python3 certfire.py diagnose expired.badssl.com:443One screen names the cause: expired, name mismatch, chain incomplete, weak key, revoked, or wrong protocol. Each verdict carries a one-line remediation pointer.
02Stage the replacement
python3 certfire.py stage expired.badssl.com:443 --out ./replacementGenerates a 2048-bit RSA key (or P-256, your choice), builds a CSR with the original Subject and SANs preserved, and writes a deployment checklist file with the exact commands for your platform.
03Verify post-deploy
python3 certfire.py verify expired.badssl.com:443 --expect-not-after 2027-03-01Reconnects, confirms the new certificate is live, and writes a PASS/FAIL line to the incident log. This is the artifact you paste into the post-incident ticket.
Sample output
Exactly what the tool writes to your terminal. No mockups — this is real output, copied verbatim.
$ python3 certfire.py diagnose expired.badssl.com:443 [ DIAGNOSIS ] Host: expired.badssl.com:443 Verdict: EXPIRED Expired on: 2015-04-09 (4063 days ago) Issuer: CN=COMODO RSA Domain Validation Secure Server CA Subject: CN=*.badssl.com [ STAGE THIS NEXT ] python3 certfire.py stage expired.badssl.com:443 --out ./replacement -> writes replacement/key.pem, replacement/req.csr, replacement/CHECKLIST.md Estimated time-to-recovery if you have a CA on standby: ~15 minutes.
Common questions
Get the tool
GitHub
Clone the repo, install one dependency, run the tool.
git clone https://github.com/fixmycert/cert-automation-toolkit.git
cd cert-automation-toolkit
pip install cryptographyDirect download
Grab the latest release zip — everything in one file.
Download v1.0.0.zipMIT-licensed. No setup notes beyond the README in the folder.
Get the toolkit and a heads-up when the next scenario drops
One email per release. New tools, new runbooks, new compliance deadlines.