
When the CA calls, the clock is already running.
The Baseline Requirements give your CA no discretion: some revocations happen in 24 hours, the rest within 5 days — whether you're ready or not. This kit is the plan you fill in before that email arrives, plus the tabletop exercise that proves it works.
Instant download · Response plan + tabletop kit + quick reference · Single-organization license
New to the topic? Read the free mass revocation readiness deep-dive →The rules leave no room to negotiate
Key compromise, mis-issuance evidence
BR § 4.9.1.1: the CA SHALL revoke within 24 hours for the most severe triggers. Not "may." Not "after coordinating with the subscriber." Shall.
Everything else on the list
Policy violations, validation errors, terms-of-use breaches — the 5-day clock covers a long list of triggers, and batch events regularly sweep thousands of certificates at once.
CAs must maintain and test mass revocation plans
Your CA is required to rehearse revoking you at scale. This kit is the subscriber-side equivalent — with an annual tabletop test built in.
This keeps happening
Entrust's browser distrust. DigiCert's DCV bug revocations. Batch mis-issuance sweeps. The tabletop scenarios in this kit are modeled on events that already happened.
Three working documents. Zero improvisation at 2 a.m.
Fill in the plan once, run the tabletop once a year, pin up the quick reference. That's the whole system.
Response Plan Template
Word + MarkdownA fill-in plan covering roles, escalation, CA communications, reissuance sequencing, and post-incident review — with 11 practitioner guidance boxes explaining the judgment calls.
- 11 guidance boxes — the "why" behind each section
- Editable in Word or any Markdown tool
Tabletop Exercise Kit
Word + MarkdownThree facilitated scenarios modeled on real events — an Entrust-style distrust, a batch revocation sweep, and a 24-hour DCV failure — plus a 20-point scoring rubric.
- 3 scenarios with injects and facilitator notes
- 20-point rubric — score the annual test, track improvement
Quick-Reference Page
PDF · one pageThe first-hour checklist on one page: clocks, contacts, first moves. Pin it up where the on-call engineer will actually see it.
- Print-ready, designed for the wall or the wiki
- The 24-hour and 5-day trigger lists at a glance
The event is survivable. The improvisation isn't.
Teams that struggle in mass revocation events don't fail because reissuing certificates is hard — they fail because nobody knew who owned the decision, which systems came first, or what to tell the business. A plan you've tested once a year turns a 3 a.m. crisis into a checklist. That's the entire pitch.
Kept current
The kit is revised when CA/Browser Forum requirements and root program policies change. Purchasers keep lifetime access to the current version — the same compliance monitoring engine that powers fixmycert.com/compliance tracks the revocation rules so updates ship when the rules move.
One-time purchase
- Mass Revocation Response Plan template (Word + Markdown)
- 11 practitioner guidance boxes throughout the plan
- Tabletop Exercise Kit — 3 real-event scenarios (Word + Markdown)
- 20-point scoring rubric for the annual test
- One-page quick-reference PDF for the on-call wall
- Lifetime access to the current version
- Single-organization license
Secure checkout via Stripe. Download link delivered instantly.
Want the technical tooling first? See the free mass revocation scripts →
Start with the free material
Mass Revocation Readiness (blog)
The deep-dive on why mass revocation events happen, what the BRs require, and what readiness actually looks like.
Mass Revocation Scripts (free toolkit)
Open-source scripts for finding affected certificates and sequencing reissuance. The kit's plan tells your team when and how to run them.
The compliance shelf
Mass Revocation Response Plan Kit
Survive the 24-hour clock. Response plan template, tabletop exercise kit, quick-reference page.
47-Day Readiness Kit
Know where your automation stands. 82-point scored audit, exec briefing deck, CLM vendor matrix, and DCV migration plan.
PCI DSS 4.0 Audit Prep Kit
Survive the assessment. Evidence workbook, crypto inventory, QSA interview prep, 30-day plan.
Compliance-in-a-Box
The governance documentation auditors ask for next: CP/CPS template, key ceremony script, and naming convention guide.
Common Questions
Building the full governance stack?
The response plan slots into the documentation set auditors ask for next. Compliance-in-a-Box ($499) covers the CP/CPS template, key ceremony script, and naming convention guide.