C
CertPilot
All resources
47-Day SSL

How the 47-Day SSL Mandate Affects Agency Care Plans and Retainer Pricing

A 47 day SSL agency care plan needs tighter renewal operations, clearer reporting, and pricing that reflects increased certificate workload.

Updated 3 May 2026

See exactly where your client domains stand.

Run a free audit on up to 10 domains — SSL expiry, domain expiry, and DNS health in one report. No signup needed.

Run Pre-FlightRun Free Agency Audit

Check renewal readiness before shorter SSL lifetimes bite

Run Pre-Flight to review SSL renewal readiness for a domain before certificate windows get tighter.

Run Pre-FlightCheck one domain

A 47 day SSL agency care plan needs a different operating rhythm than the old annual-certificate world. Shorter certificate lifetimes mean agencies will face more frequent renewal events, more client questions, more reporting pressure, and more need to prove that SSL and domain checks are part of the retainer.

The practical answer is not to panic or overpromise. Agencies should add SSL renewal readiness, domain control checks, DNS validation risk, and client-ready reporting into care plan operations. They should also review retainer pricing when certificate work becomes more frequent and less forgiving.

Use Pre-Flight when a specific domain needs renewal-readiness review. Use the free 10-domain agency audit when you want a broader portfolio snapshot. You can also compare tools on /tools. For the data sources and limitations behind CertPilot's public certificate, DNS, and domain checks, review the CertPilot methodology.

Why the 47 day SSL change matters for care plans

Longer certificate lifetimes gave agencies more slack. A certificate might renew once a year, and even a clumsy process could appear stable if nothing changed near the renewal date.

Shorter lifetimes reduce that margin. If the agency manages many client websites, renewal events become a routine operations workload instead of occasional housekeeping.

That affects:

  • Technical teams that handle DNS validation and renewal failures.
  • Account managers who explain certificate warnings to clients.
  • Care plan reports that need to show renewal status.
  • Retainer pricing that must reflect recurring operational work.
  • Onboarding processes that must confirm domain and DNS control early.

This is why the 47-day SSL shift belongs in agency care plan design, not just in a developer checklist.

For the broader timeline, read the 47-day SSL certificates agency guide, the 200-day SSL certificate timeline, and the SSL monitoring Watchtower guide.

47 day SSL agency care plan operating model

An agency does not need to rebuild every care plan around certificates. It needs to decide which SSL tasks are included, which tasks are escalation-only, and which tasks require a separate project.

| Work item | Include in care plan? | Notes | |---|---|---| | SSL expiry visibility | Yes | Basic operational reporting | | Renewal runway checks | Yes | Especially for production domains | | DNS validation review | Usually | Needed when DNS-01 or CNAME validation is involved | | CAA review | Usually | Useful before renewal failures | | Manual certificate replacement | Depends | May be out of scope for low-tier plans | | Hosting migration cleanup | Separate project | More than monitoring | | Emergency registrar recovery | Separate escalation | Depends on access and authorization |

This distinction matters in pricing conversations. If the client pays for monitoring and reporting, emergency recovery from an inaccessible registrar account may not be included. The agency should define that before a certificate warning appears in the browser.

What changes inside the agency

Renewal workload becomes recurring

When certificates renew more often, every weak spot in the process appears more often too.

Common weak spots:

  • Client-controlled DNS that the agency cannot edit quickly.
  • CAA records that block the certificate authority.
  • Broken ACME validation records.
  • Hosting platforms with unclear certificate automation.
  • Redirect domains that nobody owns operationally.
  • Expired or unreachable registrar contacts.

None of these are new problems. Shorter lifetimes make them more frequent.

Client expectations change

Clients may not know why certificate rules changed. They will still expect the agency to keep secure browser connections working.

Care plan communication should be simple:

"SSL certificates are moving toward shorter lifetimes, which means renewal readiness needs more frequent operational checks. We are adding SSL and domain checks to the care plan report so issues can be handled before they affect visitors."

That statement is calm, concrete, and does not make guarantees the agency cannot control.

Reporting becomes part of the service

If SSL renewals happen more often, clients need evidence that the agency is watching them. A monthly care plan report should include:

| Report item | Why it matters | |---|---| | Certificate expiry | Shows renewal runway | | Renewal status | Shows whether automation appears healthy | | DNS validation risk | Flags records that could block renewal | | CAA status | Flags certificate authority restrictions | | Domain ownership notes | Shows whether the agency can act quickly | | Recommended action | Assigns next step before the renewal window |

For a recurring report structure, see agency care plan reporting after this batch is live, or use the monthly client domain health report.

47 day SSL agency care plan checklist

Use this checklist for each care plan client:

  • Identify every production hostname that needs SSL.
  • Identify redirect, staging, and campaign domains that still matter.
  • Confirm who controls DNS for each domain.
  • Confirm who controls the hosting or certificate automation.
  • Check certificate expiry dates.
  • Check whether the issuing path is known.
  • Review CAA records for possible issuance restrictions.
  • Review DNS records used for validation.
  • Confirm domain registration expiry is not close.
  • Document the renewal owner.
  • Add SSL status to the monthly client report.
  • Escalate domains where the agency cannot renew without client access.

The checklist is intentionally operational. Agencies do not need a dramatic new process. They need a repeatable one.

Pricing implications for retainers

Shorter certificate lifetimes can affect pricing because the agency is taking on more frequent review, triage, documentation, and client communication.

That does not mean every care plan needs a price increase immediately. It means agencies should understand whether the existing retainer includes the work.

When current pricing may be enough

Current pricing may be enough when:

  • The agency controls hosting and DNS.
  • Certificates are automated reliably.
  • The client has only one or two domains.
  • Reporting is lightweight.
  • The agency already monitors SSL and domain expiry.

When pricing may need review

Pricing deserves review when:

  • The agency manages many domains per client.
  • DNS is client-owned or split across vendors.
  • The client has multiple brands or campaign domains.
  • SSL issues create support tickets.
  • The client expects monthly reporting.
  • The agency needs manual renewal checks.

Use this pricing conversation carefully. The client is not paying for "SSL certificates" alone. They are paying for operational oversight, coordination, documentation, and faster escalation.

How to scope the retainer conversation

When discussing pricing, anchor the conversation in responsibilities rather than fear.

Good scope language:

"Your care plan includes SSL expiry visibility, renewal-readiness checks, and escalation when public signals show risk. If renewal requires registrar access, DNS changes, or hosting-provider support outside our managed environment, we will coordinate that work as a support task or project depending on complexity."

That wording helps the client understand what the retainer covers. It also protects the agency from absorbing unlimited work caused by vendor sprawl.

Questions to answer before changing pricing:

  • How many hostnames are in scope?
  • Does the agency control DNS?
  • Does the agency control hosting?
  • Are certificates automated?
  • Are there wildcard or multi-domain certificates?
  • Are there client-owned registrars?
  • Is monthly reporting included?
  • What response time is promised for certificate warnings?

The answers reveal whether the current retainer is realistic.

Care plan service tiers

Agencies can map SSL and domain operations into care plan tiers.

| Tier | Suitable for | SSL and domain operations | |---|---|---| | Basic | Single-site clients | Monthly SSL and domain expiry check | | Standard | Active business websites | SSL, domain expiry, DNS drift review, report | | Managed | Multi-domain clients | Portfolio checks, renewal readiness, escalation workflow | | Advanced | Complex DNS and email | Adds email DNS review and migration support |

Do not label this as security compliance. Keep it grounded in maintenance operations.

How to explain the change to clients

Use plain language:

"Browser-trusted SSL certificates are moving toward shorter lifetimes. That means renewal checks need to happen more often. We are updating our care plan operations so your website certificates, domain expiry, and DNS records are reviewed regularly and reported clearly."

Then explain what is included:

  • SSL expiry and renewal runway.
  • Domain expiry review.
  • DNS records that could affect renewal.
  • Issues fixed.
  • Open actions.

Avoid claiming that the agency can prevent every browser warning. The agency can reduce risk, catch issues earlier, and create a clearer escalation path.

Where Pre-Flight fits

Pre-Flight is useful when a specific domain needs a renewal-readiness check. It helps agencies look at the public signals that can affect renewal planning before the renewal window gets tight.

Use the free agency audit when you want a broader sample across client domains. Use /tools when you need to choose between Pre-Flight, Watchtower, Inbox Pulse, a single-domain check, or the agency audit.

For workload planning, read the SSL certificate renewal workload calculator.

Use Watchtower when the agency needs a clearer SSL expiry calendar view. Use Pre-Flight when a domain needs renewal-readiness review before action.

Related resources

Frequently Asked Questions

What is a 47 day SSL agency care plan?

It is a care plan that treats shorter SSL lifetimes as a recurring operations issue, with renewal readiness, DNS checks, reporting, and escalation built into the retainer.

Should agencies charge more because of shorter SSL lifetimes?

Some should. The decision depends on domain count, access complexity, reporting expectations, and how much manual renewal work the agency owns.

Does CertPilot replace uptime monitoring?

No. CertPilot supports domain operations and reporting around SSL, DNS, domain expiry, and related risks. Uptime monitoring is a separate workflow.

When should agencies run Pre-Flight?

Run Pre-Flight before renewal windows, before migrations, during onboarding, or whenever DNS control and certificate automation are unclear.

How should this appear in a client report?

Show SSL status, renewal runway, DNS or CAA risks, ownership, and recommended action. Keep the wording practical and client-ready.

Monitor every client domain from one dashboard.

CertPilot checks SSL expiry, DNS records, and domain registration daily — then sends one alert when action is needed. 14-day free trial, no card required.

Run Pre-FlightRun Free Agency Audit