C
CertPilot
47-day SSL certificates land soon — every renewal date matters earlier

Track the digital assets your team cannot afford to forget.

Monitor domain health, renewal risk, SaaS tools, hosting, licenses, and client-ready proof reports from one CertPilot dashboard.

Browsers will start enforcing 47-day SSL certificate lifetimes from March 2029. The change is on a fixed schedule — every renewal date matters earlier.
Start free 14-day trialRun a free 10-domain audit →
14 days free
No credit card
Cancel anytime

Overview

Finch Studio · May 2026

Today’s Briefing

4 items need attention across 3 clients.

4 issues

SSL expiring

3

Next: 12 days

Renewals due

2

Due in 30 days

DNS changes

1

Verify with client

Healthy

43

All clear

Priority actions

client-site.io

SSL expires in 12 days — renewal overdue.

brandagency.com

MX record changed — verify with client.

Monthly Proof Report · May 2026

Ready

Monitored

47

domains

Findings

4

need action

Healthy

43

all clear

Risk patterns

Three things you cannot afford to miss this quarter.

Every agency that runs client domains has lived through at least one of these. Most have lived through all three.

Domain risk

A domain expires on your watch.

The site goes dark on a Saturday morning. The client finds out before you do.

CertPilot flags domain expiry at 60, 30, and 14 days — before it becomes an incident.

Renewal risk

A hosting plan lapses without anyone noticing.

A retired card, an unread invoice, an inbox no one watches — then staging or production is gone.

The Renewal Ledger tracks every asset with a due date, an owner, and a billing contact.

Retainer risk

A client asks what you actually did this month.

The work is real: alerts caught, renewals coordinated, DNS changes verified. Without a paper trail, the retainer feels expensive.

The Monthly Proof Report turns invisible maintenance into documented deliverables.

What CertPilot does

One operational layer for every recurring asset you carry.

Built for agencies, MSPs, and ops teams that own a portfolio of client domains, renewals, and recurring tools — not a single internal stack.

01

Domain Health Monitoring

  • SSL / TLS certificate expiry and validity
  • Domain registration expiry via public RDAP
  • DNS records: A, AAAA, MX, NS, TXT, CAA
  • DNS change detection between checks
02

Renewal Ledger

  • SaaS tools, hosting, plugins, licenses, contracts
  • Owners, renewal dates, billing contacts
  • Per-client grouping and visibility flags
  • Overdue, upcoming, and incomplete records
03

Smart Alerts

  • Overdue and upcoming renewal warnings
  • DNS change detection alerts
  • Missing renewal date notifications
  • Daily digest email — one summary per check run
04

Monthly Proof Reports

  • Executive summary in plain language
  • Domain Health and Renewal Risk sections
  • Recommended actions list
  • Client-ready PDF with agency branding

Monthly Proof Reports

Send proof, not screenshots.

Every month, turn domain checks, renewal risks, DNS changes, and recommended actions into a client-ready PDF. Branded with your agency and written in plain language.

  • Executive summaryPlain-English overview of domain and renewal health — what is fine and what needs attention.
  • Domain HealthSSL expiry, domain registration status, DNS record changes, and per-client domain status.
  • Renewal RiskOverdue, upcoming, and incomplete renewal records across hosting, SaaS, licenses, and contracts.
  • Recommended actionsA numbered list of what needs review — something you can walk clients through or act on directly.
Download sample report

CertPilot

Monthly Proof Report

May 2026

Sample Agency

Executive Summary

2 items require attention. 7 domains are healthy. Renew SSL on example.net before 14 May.

Monitored

9

domains

Findings

2

need action

Healthy

7

all clear

Domain Health

Client Alpha — 3 domains

example.comSSL 62dHealthy
example.netSSL 16dAction
example.orgSSL 91dReview

Recommended actions

1.

Renew SSL certificate for example.net (16 days remaining)

Action
2.

Confirm MX record change on example.org was authorised

Review

Generated by CertPilot · Sample Agency · May 2026

The SSL shortening timeline

Certificate lifetimes are shrinking. Renewal work is multiplying.

CA/Browser Forum has approved a phased reduction in maximum SSL certificate lifetimes. The changes are confirmed and on a fixed schedule.

01

Until March 14, 2026

398 days

Current maximum SSL certificate lifetime

02

March 15, 2026

200 days

Renewals double — 2× the tracking work per domain

03

March 15, 2027

100 days

Renewals double again — 4× the original volume

04

March 15, 2029

47 days

Final phase — 8× renewal events. Manual tracking breaks.

Source: CA/Browser Forum Ballot SC-081. Dates are confirmed minimums; browsers may enforce stricter limits earlier.

Renewal work calculator

How much renewal work does your agency face?

Drag the slider to see how shorter certificate lifetimes multiply manual tracking effort for your client portfolio.

50
PeriodRenewals / yearManual hours / year
Today (398-day certs)508.3 hrs
From March 2026 (200-day)10016.7 hrs
From March 2027 (100-day)20033.3 hrs
From March 2029 (47-day)40066.7 hrs

Estimate assumes 10 minutes per renewal event for manual tracking (checking expiry, coordinating with clients, updating records).

Renewal Ledger

For the assets your team cannot afford to forget.

Manually track SaaS tools, hosting plans, plugins, licenses, and contracts — with owners, renewal dates, billing contacts, and risk flags — before something lapses unnoticed.

  • SaaS tools and subscriptions
  • Hosting and domain-related services
  • Plugin, theme, and license renewals
  • Contracts and vendor renewals
  • Billing contacts and invoice emails
  • Per-seat plans, cost notes, and billing visibility
Start tracking renewals

CertPilot

Renewal Ledger

1 overdue

Cloudflare

Pro plan

Overdue

No owner

Adobe CC

License renewal

Due in 14 days

Jane D.

WP Engine

Hosting — Client Alpha

Due in 42 days

Tom R.

Renewal alerts sent daily. Proof reports generated on demand.

Free tools for agency domain operations

Check SSL expiry, renewal readiness, DNS health, and client-domain risk — no login needed.

See all tools →

Watchtower

SSL expiry for up to 25 domains + calendar feed.

Open Watchtower

47-Day Pre-Flight

Check renewal readiness before shorter cycles hit.

Run Pre-Flight

Free Agency Audit

10-domain SSL, DNS, and domain expiry audit.

Run free audit

Single Domain Check

SSL, DNS, and domain expiry for one domain.

Check one domain

Inbox Pulse

DMARC, SPF, MX, MTA-STS, TLS-RPT, and BIMI checks.

Open Inbox Pulse

What CertPilot monitors

Public checks, no credentials required.

CertPilot reads the same public data any browser would see — no website login, registrar access, or DNS provider API keys needed.

SSL certificate expiry

Tracks the exact expiry date and validity of each domain's TLS certificate. Alerts fire at 47-day, 30-day, and 14-day thresholds — matching the new browser enforcement timeline.

Domain registration expiry

Queries public RDAP endpoints for each domain's registration expiry date. Flags renewals 60, 30, and 14 days before they lapse.

DNS record changes

Checks A, AAAA, MX, NS, TXT, and CAA records on every run. Additions, removals, or value changes are compared against the previous snapshot, with a safe guard for older CAA-free snapshots.

DNS drift detection

When DNS records change between checks, CertPilot flags the drift immediately. Useful for catching unauthorised changes, CDN misconfigurations, or accidental deletions.

Client-grouped daily alerts

Alerts are grouped by client so you see issues in context, not as a noisy list of domains. One email digest per check run, not per domain.

Renewal assets and due dates

Track manually entered SaaS tools, hosting plans, licenses, plugins, contracts, payment labels, owners, and renewal dates. CertPilot flags overdue, upcoming, and incomplete records for review.

How CertPilot checks domains

Public data only. No login access needed.

  • Reads public SSL/TLS certificate data over HTTPS
  • Queries public RDAP endpoints for domain registration data
  • Looks up public DNS records (A, AAAA, MX, NS, TXT, CAA)
  • Does not require website login, registrar access, or DNS provider API keys
  • Does not monitor uptime, page speed, or perform vulnerability scanning

Read the methodology →

Operational evidence

Evidence for web-facing assets, not just monitoring alerts

CertPilot helps agencies, MSPs, and IT teams keep recurring evidence around SSL certificates, DNS records, domain expiry, renewal risks, email authentication, and public trust signals.

For teams preparing internal cybersecurity governance or NIS2-related documentation, these records can support operational evidence workflows — without replacing legal advice, security audits, certification, or compliance determination.

For Romanian organizations preparing under GEO 155/2024, NIS2 Pilot can help organize broader internal preparation before discussions with consultants, legal advisors, or cybersecurity specialists.

Run Free Agency Audit →Read the NIS2 evidence guide →

How CertPilot compares

Purpose-built for agencies. Not repurposed infrastructure tools.

FeatureCertPilotTrackSSLOh DearSpreadsheet
SSL certificate monitoring
Domain expiry tracking
DNS / MX / NS change alerts
Client workspaces
Branded PDF reports
Per-agency pricing
47-day renewal readiness
Renewal Ledger (SaaS, licenses, contracts)
Renewal risk alerts
Monthly proof reports
IncludedPartial / limitedNot available

UptimeRobot monitors whether a site responds — not whether its certificate, DNS, or domain registration is healthy. Oh Dear and TrackSSL cover SSL monitoring but are built for general use, not agency client-management workflows. CertPilot is the only tool in this comparison that combines SSL, DNS drift, and domain expiry monitoring with client grouping and a branded PDF report agencies can send to clients.

Pricing

Flat per-agency pricing. No per-domain surprises.

Start free. Upgrade when your agency is ready.

Limited offer · First 20 agencies only

Founder Pilot — €49/month

For the first agencies onboarded manually.

Start with the free trial. If CertPilot is useful, reply to the founder email to activate the Founder Pilot.

Ask about Founder Pilot

Starter

€99/month

Best for smaller agencies starting with domain health and basic renewal tracking.

Up to 100 domains
  • SSL, DNS, and domain expiry monitoring
  • Renewal Ledger — manually entered renewal records
  • Domain Health Report
  • Renewal Risk Report
  • Daily digest email
Start free trial
Most popular

Agency

€199/month

Best for agencies managing client care plans and monthly deliverables.

Up to 250 domains
  • Everything in Starter
  • Client grouping across domains and renewals
  • Renewal digest alerts
  • Monthly Proof Report
  • Agency logo and brand color on all reports
Start free trial

Studio

€299/month

Best for larger agencies managing multi-client portfolios.

Up to 500 domains
  • Everything in Agency
  • Higher domain and renewal capacity
  • Monthly Proof Report
  • Priority support
Start free trial

Start with a 14-day free trial. Founder Pilot activation is handled manually during early access.

FAQ

Common questions.

Why does 47-day SSL matter to my agency?

Starting March 2029, SSL certificates will be valid for only 47 days, down from the current 398 days. That means renewals happen 8× more often per domain. For an agency managing 50 client sites, that's 400 renewal events per year. Without automation, manual tracking becomes a full-time job.

What if we already use Oh Dear?

Oh Dear is strong for developer-oriented site monitoring — uptime, broken links, and response times. CertPilot covers a different layer: client-domain operations for agencies. That means bulk domain import, SSL and domain expiry tracking, DNS change alerts, client grouping, and a branded PDF report you can send to clients monthly. If you need uptime monitoring, Oh Dear does that well. If you need client-domain oversight and a monthly client deliverable, CertPilot is the purpose-built tool for that.

What if we already use TrackSSL?

TrackSSL is useful for SSL certificate tracking. CertPilot covers that and adds domain registration expiry monitoring, DNS record change alerts, client grouping across your agency account, a daily digest email, and a branded PDF report you can include in client retainers. If you manage more than a handful of clients and want a structured monthly report to send them, CertPilot is built for that workflow.

Is CertPilot an uptime monitor?

No. CertPilot does not ping your sites for uptime or response time. It focuses on SSL certificate expiry, domain expiry, and DNS record changes (MX, NS, A). If you need uptime monitoring, tools like Better Uptime or UptimeRobot handle that job.

Is CertPilot an IT asset management platform?

No. CertPilot is focused on agency client-domain operations and renewal tracking. Renewal Ledger helps you track manually entered hosting, SaaS, license, contract, plugin, and domain-related renewal records. It does not discover subscriptions automatically, connect to bank accounts, parse invoices, or replace a full IT asset management system.

Is CertPilot secure enough for client domains?

CertPilot reads public TLS handshake data, public DNS records, and RDAP — the public domain registration protocol. It does not require client login credentials, registrar account access, DNS provider API keys, or website admin access. It does not perform vulnerability scanning, page speed testing, or content inspection. You add a domain name; CertPilot reads the same public data any browser would see.

Can agencies send branded reports to clients?

Yes. Every plan includes PDF report generation. Agency and Studio plans support your agency logo and brand color so you can include the report in client retainer deliverables or monthly check-ins.

Will clients actually care about these reports?

Clients may not care about certificate chain details or DNS TTLs. But they do care that their agency is actively protecting their website and flagging issues before they cause problems. The report turns invisible maintenance — SSL renewals, DNS checks, domain registration status — into visible, documented proof of ongoing work. For retainer clients, that documentation matters.

Is CertPilot for developers or account managers?

Both can use it, but it is designed for agency operations: founders, technical leads, and account managers who need a clear view of client domain health without a developer-heavy observability dashboard. The daily digest and PDF report are the primary outputs — not log streams or raw metrics. If your account manager needs to know which client sites need attention this week, CertPilot gives them that without requiring technical expertise.

Why not just use a spreadsheet?

A spreadsheet works when you manage a handful of domains and certificates last 398 days. Once you have 30–300 client sites, multiple registrars, DNS changes you did not make, and certificate lifetimes dropping to 47 days, a spreadsheet falls behind. CertPilot replaces that manual tracking with daily automated checks, a single alert digest, and a monthly report you can send to clients without extra work.

Why is CertPilot priced per agency, not per domain?

Agency tools should have predictable pricing. You should not pay more simply because a client adds a subdomain. CertPilot is priced by agency size — how many domains and clients you manage — so your cost stays flat as you grow within a plan tier.

I’m Alex, the founder. I built CertPilot because agencies should not lose clients over expired certificates, domain renewals, or unnoticed DNS changes. Every early customer email goes to me personally.

alex@certpilot.app

Start free. No credit card required.

Track the digital assets your team cannot afford to forget.

Start with domains and renewals. Monitor SSL, DNS, and domain expiry. Track renewal dates with owners and due dates. Turn the monitoring work into client-ready Monthly Proof Reports — before something lapses unnoticed.

Start free trialRun free audit

Questions? Email hello@certpilot.app