47-Day SSL Certificates: The Complete Agency Guide

SSL certificates are dropping to 47 days by 2029. Learn how web agencies can prepare, automate, and manage 8× more renewals across client sites.

Updated 27 April 2026

What the 47-day SSL change is — and when it hits

Starting March 2029, SSL/TLS certificates will carry a maximum validity of 47 days, down from the 398-day limit that has been standard since 2020. The change was approved by the CA/Browser Forum in Ballot SC-081 and follows a confirmed, phased reduction schedule:

| Effective date | Maximum certificate lifetime | Renewal frequency (estimate) |
|---|---|---|
| Now (until Mar 2026) | 398 days | ~1× per year |
| March 2026 | 200 days | ~2× per year |
| March 2027 | 100 days | ~4× per year |
| March 2029 | 47 days | ~8× per year |

Each phase is a binding commitment from the major browser vendors — Apple, Google, Mozilla, and Microsoft — whose root certificate programmes enforce these limits. Certificate Authorities that issue certificates exceeding the maximum will lose their trusted status.

This is not a proposal or a draft standard. The timeline is ratified, and the March 2026 phase is fewer than twelve months away from the time of writing.

Why agencies are more exposed than individual site owners

A business owner renewing one SSL certificate once a year has an administrative nuisance. A web agency managing 60 client sites has an operational scaling problem.

At 398-day certificates: 60 sites × 1 renewal = 60 renewals per year

At 47-day certificates: 60 sites × ~8 renewals = ~480 renewals per year

That is 480 separate events — each requiring a certificate to be requested, validated, and deployed — every year. For an agency with 150 clients, the number approaches 1,200. Without a systematic approach, SSL expiry becomes one of the highest-risk operational tasks your team manages, ahead of most of the work you are actually paid to do.

The renewal frequency is only part of the problem. Short-lived certificates narrow the window between "a renewal failed" and "the client's site is showing a browser warning." At 398 days, a missed renewal might go unnoticed for weeks before anything breaks. At 47 days, the gap between failure and visible outage collapses to days.

The failure modes auto-renewal does not prevent

The instinctive response to "we need 8× more renewals" is "we will automate everything." That is the right instinct. But automation is not a fire-and-forget solution — it is a system, and systems fail.

DNS validation tokens that expire silently

Let's Encrypt and most other ACME-based certificate issuers validate domain ownership by checking a DNS TXT record (DNS-01 challenge) or a specific URL path (HTTP-01 challenge). For the renewal to succeed, both the DNS configuration and the server path must be accessible at the time of the renewal attempt.

DNS-01 validation tokens have a short window. If your client's DNS is managed through a registrar API that rotates API keys, the renewal bot loses write access — silently. The next renewal attempt fails, no one is notified, and 47 days later the site is down.

Hosting plan expirations that disable the renewal hook

Many managed WordPress and cPanel hosts run Let's Encrypt renewals through a platform-level cron job. When a client's hosting account lapses — even temporarily, due to a late payment — the cron job stops running. The SSL certificate that was renewing automatically is now orphaned. At 398 days, you had a year to notice. At 47 days, you have six weeks.

Domain transfers that reset SSL configuration

When a client migrates to a new host or registrar, SSL auto-renewal configuration often does not transfer. The new host may auto-provision a new certificate — or it may not. DNS validation settings tied to the previous infrastructure stop working. The certificate that was auto-renewing for two years is now on a countdown that nobody is watching.

Email validation on abandoned addresses

DV (domain-validated) certificates that use email-based validation depend on specific addresses: admin@domain.com, webmaster@domain.com, or the registrant contact from WHOIS. If those addresses are unmaintained — common on older client sites — validation fails.

What a 47-day-ready agency workflow looks like

Step 1: Audit every domain in your portfolio before March 2026

You need a complete picture of which clients are on auto-renewing certificates, which are on manual workflows, and which are on certificates you did not provision and therefore cannot directly control. Run a full SSL audit across your client portfolio. CertPilot's free 10-domain audit checks SSL expiry, domain registration status, and DNS health in a single pass.

For each domain, record:

  • Certificate issuer and expiry date
  • Whether auto-renewal is configured — and through which mechanism
  • Who controls the DNS: you, the client, or a third-party registrar
  • Whether the client has an active hosting contract

Step 2: Standardise on ACME with stable DNS APIs

Let's Encrypt with DNS-01 validation via a registrar API is the most resilient auto-renewal setup for agency portfolios. Unlike HTTP-01 validation, DNS-01 does not require the web server to be running at renewal time — useful for maintenance windows and server migrations.

Choose a small set of registrars with reliable, well-documented APIs (Cloudflare DNS and Namecheap are commonly used) and consolidate client domains toward those registrars over time. Fragmentation — clients spread across eight different registrars, four of which have unreliable APIs — is the primary source of silent renewal failures at scale.

Step 3: Add daily monitoring across your entire portfolio

Once auto-renewal is configured, monitoring is the safety net that catches failures before they cause downtime. Daily SSL checks surfacing any certificate within a configurable warning window — typically 14 to 20 days — give you enough time to investigate and remediate without scrambling.

At 47-day certificate lifetimes, a certificate that enters the warning window is weeks, not months, from expiry. Monitoring needs to be daily, not weekly. See our guide on tracking SSL expiry across client websites for how to structure this operationally.

Step 4: Include SSL health in monthly client reports

If you manage client websites on retainer, SSL and domain health are natural components of a monthly status report. A PDF showing certificate expiry dates, DNS health, and domain registration status is a concrete deliverable that demonstrates ongoing oversight — and gives you written documentation that you flagged issues the client chose not to act on.

For a ready-to-use format, see the client website health report template.

Misconceptions agencies commonly hold

"My hosting provider handles SSL automatically"

Most do — until the renewal fails silently. Hosting-level auto-renewal is the easiest configuration to set up and the hardest to monitor externally. Your hosting dashboard may show "SSL active" even while the renewal workflow has been broken for weeks, because the current certificate has not yet expired.

Independent monitoring — checking the certificate directly from outside the hosting infrastructure — is the only way to verify that auto-renewal is actually working.
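
The daily check from Step 3 and the outside-in verification described above can share one script. This is an added example, not CertPilot's code or part of the original guide; the 14-day warning window, the one-third renewal threshold, the status names and the sample certificate are assumptions chosen for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

WARNING_DAYS = 14        # assumption: low end of the 14 to 20 day window
RENEW_FRACTION = 1 / 3   # assumption: renewal expected with a third of lifetime left

def fetch_cert(host, port=443, timeout=10):
    """Fetch the certificate visitors receive, from outside the hosting platform."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _utc(cert_time):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def classify(cert, now):
    """Return (status, days_left) for a getpeercert()-style dict."""
    start, end = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    days_left = (end - now).total_seconds() / 86400
    lifetime = (end - start).total_seconds() / 86400
    if days_left <= 0:
        return "EXPIRED", days_left
    if days_left <= WARNING_DAYS:
        return "WARNING", days_left
    if days_left < lifetime * RENEW_FRACTION:
        # Still valid, so a dashboard shows "SSL active", but renewal is late.
        return "RENEWAL_OVERDUE", days_left
    return "OK", days_left

def audit(hosts, now=None):
    """Check each host; a failed handshake is a finding, not a crash."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for host in hosts:
        try:
            report[host] = classify(fetch_cert(host), now)
        except ssl.SSLCertVerificationError as exc:
            report[host] = ("INVALID", exc.verify_message)
        except OSError as exc:
            report[host] = ("UNREACHABLE", str(exc))
    return report

# Constructed sample: a 100-day certificate whose renewal has stalled.
SAMPLE = {"notBefore": "Jan  1 00:00:00 2029 GMT", "notAfter": "Apr 11 00:00:00 2029 GMT"}

if __name__ == "__main__":
    print(classify(SAMPLE, datetime(2029, 3, 20, tzinfo=timezone.utc)))
```

Because RENEWAL_OVERDUE scales with the certificate's own lifetime, the same check works through the 200-day, 100-day and 47-day phases without retuning. Run `audit()` once a day from a machine outside the client's hosting.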

"Let's Encrypt will handle everything across all my clients"

Let's Encrypt is excellent on single-server infrastructure with stable DNS. For agencies, the edge cases multiply: clients on shared hosting that does not support Let's Encrypt, clients whose DNS is locked at a registrar without an API, clients on CDNs where certificate management is handled at the CDN layer with different expiry timelines.

No single renewal mechanism covers every case. Monitoring covers all of them, regardless of the mechanism.

"This only applies to certificates issued after 2029"

Every certificate issued on or after the effective date of each phase boundary will be subject to the new maximum validity. Your certificates issued before the deadline are not grandfathered — when they expire and are renewed, the new certificate will have a 47-day maximum. The transition applies to renewal events, not to the age of the domain.

How CertPilot helps agencies manage the transition

CertPilot runs daily checks on SSL certificates, domain registration, and DNS records across every domain in your account, then sends one alert when something requires attention. Key features for the 47-day environment:

  • Daily SSL expiry checks across every domain, with configurable warning windows
  • DNS monitoring that catches record changes which can silently break auto-renewal
  • Domain registration monitoring so expiries do not catch you off-guard
  • Client grouping for managing large portfolios by client rather than domain by domain
  • Branded PDF reports for including domain health in client deliverables

Start with a 14-day free trial — no credit card required. For an immediate view of your current portfolio, the free 10-domain audit requires no account.

Frequently Asked Questions

What are 47-day SSL certificates?

47-day SSL certificates are public TLS certificates with a maximum lifetime of 47 days. They are part of the phased reduction from longer certificate lifetimes to shorter renewal cycles.

For agencies, this means SSL renewal becomes a frequent operational process across client domains, not an annual task.

Why do 47-day SSL certificates create more agency work?

The number of renewal events increases across every client website the agency manages. Even if most renewals are automated, the exceptions still need investigation, ownership checks, DNS review, and client communication.

This is where website care plans need clear SSL renewal workload coverage rather than vague promises that the host handles everything.

Does automation remove the need for SSL monitoring?

No. Automation handles the renewal attempt, while monitoring confirms the public result. A certificate can fail to renew because DNS changed, CAA records are restrictive, hosting billing lapsed, or validation paths no longer work.

Agencies should monitor the live certificate from outside the hosting platform so they know what visitors actually receive.

How should agencies prepare before the 100-day and 47-day phases?

Start by inventorying every client domain, hostname, SSL issuer, renewal owner, DNS provider, and registrar owner. Then add live SSL monitoring, DNS change review, and domain health reports to the normal agency operations cycle.

For inherited or recently migrated sites, run a renewal readiness review before the certificate enters a short warning window.
