Mass Revocation Response Plan Kit - response plan template, tabletop exercise kit, and quick-reference page for CA mass revocation events
CA/Browser Forum BR § 4.9.1.1 · 24-Hour & 5-Day Clocks

When the CA calls, the clock is already running.

The Baseline Requirements give your CA no discretion: some revocations happen in 24 hours, the rest within 5 days — whether you're ready or not. This kit is the plan you fill in before that email arrives, plus the tabletop exercise that proves it works.

Instant download · Response plan + tabletop kit + quick reference · Single-organization license

New to the topic? Read the free mass revocation readiness deep-dive →

The rules leave no room to negotiate

24 hours

Key compromise, mis-issuance evidence

BR § 4.9.1.1: the CA SHALL revoke within 24 hours for the most severe triggers. Not "may." Not "after coordinating with the subscriber." Shall.

5 days

Everything else on the list

Policy violations, validation errors, terms-of-use breaches — the 5-day clock covers a long list of triggers, and batch events regularly sweep thousands of certificates at once.

Mozilla root program

CAs must maintain and test mass revocation plans

Your CA is required to rehearse revoking you at scale. This kit is the subscriber-side equivalent — with an annual tabletop test built in.

Real events

This keeps happening

Entrust's browser distrust. DigiCert's DCV bug revocations. Batch mis-issuance sweeps. The tabletop scenarios in this kit are modeled on events that already happened.

Three working documents. Zero improvisation at 2 a.m.

Fill in the plan once, run the tabletop once a year, pin up the quick reference. That's the whole system.

Response Plan Template

Word + Markdown

A fill-in plan covering roles, escalation, CA communications, reissuance sequencing, and post-incident review — with 11 practitioner guidance boxes explaining the judgment calls.

  • 11 guidance boxes — the "why" behind each section
  • Editable in Word or any Markdown tool

Tabletop Exercise Kit

Word + Markdown

Three facilitated scenarios modeled on real events — an Entrust-style distrust, a batch revocation sweep, and a 24-hour DCV failure — plus a 20-point scoring rubric.

  • 3 scenarios with injects and facilitator notes
  • 20-point rubric — score the annual test, track improvement

Quick-Reference Page

PDF · one page

The first-hour checklist on one page: clocks, contacts, first moves. Pin it up where the on-call engineer will actually see it.

  • Print-ready, designed for the wall or the wiki
  • The 24-hour and 5-day trigger lists at a glance

The event is survivable. The improvisation isn't.

Teams that struggle in mass revocation events don't fail because reissuing certificates is hard — they fail because nobody knew who owned the decision, which systems came first, or what to tell the business. A plan you've tested once a year turns a 3 a.m. crisis into a checklist. That's the entire pitch.

Kept current

The kit is revised when CA/Browser Forum requirements and root program policies change. Purchasers keep lifetime access to the current version — the same compliance monitoring engine that powers fixmycert.com/compliance tracks the revocation rules so updates ship when the rules move.

One-time purchase

$149
  • Mass Revocation Response Plan template (Word + Markdown)
  • 11 practitioner guidance boxes throughout the plan
  • Tabletop Exercise Kit — 3 real-event scenarios (Word + Markdown)
  • 20-point scoring rubric for the annual test
  • One-page quick-reference PDF for the on-call wall
  • Lifetime access to the current version
  • Single-organization license

Secure checkout via Stripe. Download link delivered instantly.

Want the technical tooling first? See the free mass revocation scripts →

Common Questions

Building the full governance stack?

The response plan slots into the documentation set auditors ask for next. Compliance-in-a-Box ($499) covers the CP/CPS template, key ceremony script, and naming convention guide.