47-Day SSL Readiness: The Hub for Lean IT Teams, MSPs, and Agencies
A practical hub for 47-day SSL readiness across many public-facing domains: ACME automation, CAA records, HTTP-01 vs DNS-01, wildcard risks, CA fallback, and monitoring.
Updated 6 June 2026
See exactly where your client domains stand.
Run a free audit on up to 10 domains — SSL expiry, domain expiry, and DNS health in one report. No signup needed.
47-day SSL readiness is the operating posture you need before public certificate lifetimes drop from 200 days to 100 days to 47 days. Each step shortens the window where a missed renewal, a wrong CAA record, a closed port, or an unowned DNS zone can take a public-facing site offline. The work is not "remind me sooner" — it is making renewals boring across every domain you are responsible for.
This hub is for lean IT teams, MSPs, and agencies running many public-facing domains. It groups the existing CertPilot resources on 47-day SSL, ACME automation, CAA, HTTP-01 vs DNS-01, wildcard certificates, certificate authority fallback, and SSL monitoring into one practical map. Use 47-Day Renewal Pre-Flight to spot domains that are not ready, Watchtower for ongoing SSL visibility and calendar reminders, and the free 10-domain audit when SSL needs to be reviewed alongside DNS, domain expiry, CAA, and email-authentication signals. CertPilot explains its public certificate, DNS, and domain checks in the CertPilot methodology.
CertPilot monitors public-facing SSL, DNS, and domain renewal signals. It is not a vulnerability scanner, malware scanner, or compliance certification. Treat this hub as operations guidance, not a legal or security audit.
Who this hub is for
This hub assumes you are running renewals across more than one site and more than one stakeholder. That means you are likely:
- A lean internal IT team responsible for the company's primary site, marketing subdomains, vendor microsites, and supplier-facing portals.
- An MSP managing public-facing domains for many business clients.
- A web agency responsible for renewals on hosting plans, client-owned domains, and platform-managed sites.
If you only manage one domain, you can usually rely on your platform's built-in renewal. If you manage many, you need a portfolio view, a documented owner per domain, and a way to spot the renewal that is going to fail two weeks before it does.
What 47-day SSL certificates change
The CA/Browser Forum timeline moves public TLS certificate maximum lifetimes from 398 days down through 200, 100, and finally 47 days by March 2029. The 200-day SSL certificate timeline walks through the calendar and what each step means for renewal frequency.
The practical changes for portfolio operators are:
- Renewal cycles get tighter. A weak automation pipeline that only had to survive one renewal a year gets roughly eight at a 47-day lifetime if it renews at expiry, and about twelve with a typical ACME client that renews at two-thirds of lifetime. Each one is a fresh chance to fail, per domain.
- Manual renewal becomes unworkable above a handful of domains. The SSL certificate renewal workload calculator gives a rough hours-per-month estimate for your portfolio.
- The cost of an unowned domain rises. A site nobody is sure how to renew becomes an incident every few weeks instead of once a year.
- DNS and CAA changes need to be intentional. Any CAA edit that does not include the active issuer becomes a recurring outage trigger, not a one-time near miss.
The agency-angle background for these changes lives in 47-day SSL certificates: an agency guide and the operating-model deep-dive in 47-day SSL readiness for agencies.
Why renewals fail
Most failed renewals are not certificate problems. They are configuration problems that only show up at renewal time.
The recurring patterns are:
- ACME automation cannot reach the domain. See why ACME renewal fails on client sites and the ACME renewal incident runbook.
- HTTP-01 validation cannot complete because port 80 is closed or redirected before the well-known path. See port 80 and ACME HTTP-01 renewal.
- CAA records exclude the active issuer. See CAA records and the 47-day SSL shift and the renewal-focused CAA record and client SSL renewals.
- The domain depends on a wildcard certificate but the DNS-01 automation is owned by someone outside the team. See wildcard certificate renewal risks.
- A single CA outage, like an unplanned Let's Encrypt incident, takes a whole bucket of domains down at the same time. See Let's Encrypt incident response.
Use 47-Day Pre-Flight when you want a per-domain readiness check that surfaces these failure modes before the renewal window opens.
CAA risk
CAA records say which certificate authorities are allowed to issue for a domain. They are usually invisible until something tries to renew. Then they decide the outcome.
Three things to keep correct across the portfolio:
- Does the domain publish CAA records at all? Missing CAA is permissive but invisible — readers do not know which CA you intended to allow.
- Do the records include the CA your automation actually uses? See CAA record blocks Let's Encrypt and the Let's Encrypt CAA troubleshooting guide.
- Do they include `issuewild` entries where wildcard certificates are involved, and do those entries name the wildcard issuer? If no `issuewild` record exists, the `issue` records also govern wildcard requests. Once an `issuewild` record is present it takes precedence for wildcard names, so an `issuewild` that omits the active CA blocks the wildcard renewal even when the `issue` records are correct.
For the operator-level introduction, see CAA records and the 47-day SSL shift.
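The three checks above can be run mechanically before the renewal window opens. The following is an added example, not CertPilot's own code or a description of its checks: it evaluates a CA against a name under the RFC 8659 rules (climb to the nearest CAA set, `issuewild` precedence for wildcard names, refusal on an unknown issuer-critical property). The zone data, the names, and the secondary CA `backup-ca.example` are constructed for the example; a real pre-flight would replace `ZONE.get` with a DNS lookup that returns the CAA RRset for a name.

```python
"""CAA pre-flight: decide whether a CA may issue for a name under the RFC 8659 rules.

Covers the tree climb to the nearest CAA set, issuewild taking precedence over
issue for wildcard names, and refusal on an unknown issuer-critical property.
Zone data is constructed inline; a real run would replace ZONE.get with a DNS
lookup that returns the CAA RRset for a name."""
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit (RFC 8659 section 4.1)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


# Constructed zone data with hypothetical names. example.com allows Let's Encrypt
# and a secondary CA for ordinary names but only the secondary for wildcards.
ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issue", "backup-ca.example"),        # hypothetical secondary CA
        CAARecord(0, "issuewild", "backup-ca.example"),    # governs *.example.com
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAARecord(0, "issue", ";")],               # no CA may issue
    "strict.example.com": [CAARecord(CRITICAL, "future-tag", "x")],   # unknown critical tag
    "nowild.example.org": [CAARecord(0, "issue", "letsencrypt.org")], # no issuewild at all
}


def relevant_caa_set(name, lookup=ZONE.get):
    """Climb from name toward the root and return the first non-empty CAA RRset.
    CNAME chasing is deliberately absent: RFC 8659 removed it."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        records = lookup(".".join(labels))
        if records:
            return list(records)
        labels = labels[1:]
    return []


def _issuer_domain(value):
    # "letsencrypt.org; validationmethods=dns-01" -> "letsencrypt.org"; ";" -> ""
    return value.split(";", 1)[0].strip().lower()


def permitted(ca, fqdn, lookup=ZONE.get):
    """True if the CA identified by issuer-domain `ca` may issue for `fqdn`
    (which may be a wildcard name such as "*.example.com")."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    records = relevant_caa_set(base, lookup)
    if not records:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False  # an unknown critical property means the CA must refuse
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"  # once present, issuewild alone governs wildcard requests
    allowed = {_issuer_domain(r.value) for r in records if r.tag.lower() == tag}
    if not allowed:
        return True  # only iodef (or similar) present: nothing restricts issuance
    return ca.lower() in allowed


def caa_readiness(fqdns, candidate_cas, lookup=ZONE.get):
    """For each name, the subset of CAs your automation might use that CAA permits.
    An empty list is an 'Action needed' row before the renewal window opens."""
    return {f: [ca for ca in candidate_cas if permitted(ca, f, lookup)] for f in fqdns}


if __name__ == "__main__":
    report = caa_readiness(
        ["www.example.com", "*.example.com", "locked.example.com", "*.nowild.example.org"],
        ["letsencrypt.org", "backup-ca.example"],
    )
    for name, cas in report.items():
        print(f"{name:24} {cas or 'NO CA PERMITTED'}")
```

Feed `caa_readiness` the list of CAs your automation and your fallback plan might actually use; any name that comes back with an empty list, or a wildcard name that lacks the issuer your DNS-01 automation is configured for, is a renewal that will fail on schedule.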
HTTP-01 vs DNS-01
Validation method matters because it changes who needs access at renewal time.
- HTTP-01 needs port 80 reachable and the `/.well-known/acme-challenge/` path served for the exact hostname being validated. ACME validators follow redirects (Let's Encrypt does, including to HTTPS), so a plain HTTP-to-HTTPS redirect is fine on its own. It fails behind redirects that rewrite the path (to a homepage, login page, or another host that does not serve the token), behind firewalls that block port 80, and behind hosts or proxies that intercept the well-known path.
- DNS-01 needs API or manual access to the DNS zone to write a TXT record at `_acme-challenge.<domain>`. It scales to wildcard certificates and to platforms where you cannot serve port 80, but it puts more weight on DNS owner clarity.
HTTP-01 vs DNS-01 for client websites walks through the trade-offs. Port 80 and ACME HTTP-01 renewal covers the most common HTTP-01 failure. If wildcard certificates are in the mix, also read wildcard certificate renewal risks.
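The HTTP-01 failure modes listed above can be distinguished with one probe that does what a validator does: fetch the challenge URL over port 80, follow redirects, and check where it landed and what came back. The following is an added example, not CertPilot's code and not a description of the Pre-Flight check. It starts a constructed fake origin on 127.0.0.1 so the probe can be exercised offline; the token values and the `THUMBPRINT` suffix are placeholders, and for a real pre-flight you would point `probe_http01` at the site's hostname and port 80 with a token your ACME client has staged.

```python
"""HTTP-01 pre-flight: can a validator fetch http://<host>/.well-known/acme-challenge/<token>
and get the expected key authorization back? The probe follows redirects the way
ACME validators do and classifies the failure. A fake origin on 127.0.0.1 is started
inline so the probe can be exercised offline."""
import http.server
import threading
import urllib.error
import urllib.request

PREFIX = "/.well-known/acme-challenge/"


def probe_http01(host, port, token, expected_body, timeout=3):
    """Return (status, detail). status is one of:
    ok, unreachable, http-error, redirect-rewrote-path, wrong-body."""
    url = f"http://{host}:{port}{PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:  # follows redirects
            final_url = resp.geturl()
            body = resp.read().decode("utf-8", errors="replace").strip()
    except urllib.error.HTTPError as e:      # 404, 403, 5xx on the final hop
        return "http-error", f"{e.code} from {e.geturl()}"
    except OSError as e:                     # refused, timeout, DNS, TLS failure after redirect
        return "unreachable", str(getattr(e, "reason", e))
    if not final_url.endswith(PREFIX + token):
        # A catch-all redirect (homepage, login, other host) moved us off the path.
        return "redirect-rewrote-path", final_url
    if body != expected_body:
        return "wrong-body", body[:80]
    return "ok", final_url


class _FakeOrigin(http.server.BaseHTTPRequestHandler):
    """Constructed origin: serves one valid token, redirects tokens starting with
    'redir' to '/' (an aggressive catch-all redirect), and 404s everything else."""
    TOKENS = {"tok-good": "tok-good.THUMBPRINT"}  # constructed key authorization

    def do_GET(self):
        token = self.path[len(PREFIX):] if self.path.startswith(PREFIX) else None
        if self.path == "/":
            self._send(200, "<html>home</html>")
        elif token in self.TOKENS:
            self._send(200, self.TOKENS[token])
        elif token and token.startswith("redir"):
            self.send_response(302)
            self.send_header("Location", "/")
            self.end_headers()
        else:
            self._send(404, "not found")

    def _send(self, code, text):
        data = text.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo():
    """Exercise the probe against the fake origin; returns {scenario: status}."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _FakeOrigin)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        out = {
            "good": probe_http01("127.0.0.1", port, "tok-good", "tok-good.THUMBPRINT")[0],
            "redirected": probe_http01("127.0.0.1", port, "redir-1", "redir-1.THUMBPRINT")[0],
            "missing": probe_http01("127.0.0.1", port, "tok-none", "tok-none.THUMBPRINT")[0],
        }
    finally:
        srv.shutdown()
        srv.server_close()
    # Port is closed now: this is what a firewalled port 80 looks like to a validator.
    out["closed"] = probe_http01("127.0.0.1", port, "tok-good", "tok-good.THUMBPRINT")[0]
    return out


if __name__ == "__main__":
    for scenario, status in run_demo().items():
        print(f"{scenario:12} {status}")
```

The status string is the point: `unreachable` is a firewall or host problem, `redirect-rewrote-path` is a web-server rule to fix, and `http-error` usually means something in front of the origin answers the well-known path itself. Each needs a different owner, which is why the result belongs in the per-domain inventory rather than in a single "renewal failed" alert.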
Wildcard certificate risks
Wildcard certificates feel convenient because one certificate covers *.example.com. They concentrate three operational risks:
- Renewal forces DNS-01 validation, which forces DNS-zone access at renewal time.
- A misconfigured CAA `issuewild` record blocks the renewal even when the ordinary `issue` records are correct.
- Loss of the wildcard takes down every subdomain at once instead of one site at a time.
Wildcard certificate renewal risks is the focused walk-through. The wider CertPilot methodology explains what is and is not visible to a public monitor.
Certificate authority fallback
A single-CA dependency is a portfolio risk. When the active CA has an incident, every domain that relies on it stops renewing at the same time.
SSL certificate authority fallback plan and Let's Encrypt incident response cover the practical fallback workflow: a documented secondary CA, CAA records that already permit it, and a triage runbook for switching during an incident. Communicating the result is its own task — the SSL renewal failure client communication template keeps the language calm and accurate.
Monitoring before renewal
The point of monitoring at 47-day cadence is not "tell me on the day the certificate expires." It is "tell me which renewals are likely to fail this cycle, while there is still time to fix them."
For ongoing visibility across many domains:
- SSL monitoring for web agencies covers what to monitor when one team owns many client SSL certificates.
- Track SSL expiry across client websites is the operator-level walkthrough for portfolio visibility.
- SSL monitoring with Watchtower shows the calendar-feed workflow most teams adopt first.
- SSL expiry calendar reminders covers how calendar feeds fit alongside an alert pipeline.
- Certificate Transparency for agencies explains how CT logs let you see certificates issued for your domains by any CA, including ones you did not authorize.
When you also need DNS and domain expiry signals in the same view, the free 10-domain audit is the fastest way to get one.
90 / 60 / 30 readiness checklist
A simple cadence for portfolios moving toward 47-day renewals:
- 90 days out from each shortening step. Inventory every public-facing domain you are responsible for. For each one, record the renewal owner, the active CA, the validation method (HTTP-01 or DNS-01), and the host. The domain operations guide is a good companion if domain ownership is unclear, and the renewal ledger hub is where the same renewal-owner record sits alongside hosting, SaaS, plugin, and contract renewals for the wider portfolio.
- 60 days out. Run 47-Day Pre-Flight across the portfolio. Resolve any domain marked Action needed or Review — usually a CAA gap, a closed port 80, a missing redirect, or a DNS-record gap.
- 30 days out. Verify each ACME automation actually ran a renewal in the last cycle. For domains using vendor automation, confirm the vendor renewed. For wildcard certificates, verify the DNS-01 automation still has zone access. Document the secondary CA path per SSL CA fallback plan.
- Every cycle. Keep Watchtower calendar reminders subscribed, and re-check exceptions weekly. Issues caught at this layer do not become 2 a.m. incidents.
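Both the monitoring section ("which renewals are likely to fail this cycle") and the 30-day step ("verify each ACME automation actually ran a renewal in the last cycle") come down to the same signal: a certificate that is older than the point at which its client should have replaced it. The following is an added example, not CertPilot's code and not how Watchtower scores domains. It assumes the common ACME client default of renewing at two-thirds of lifetime; the inventory, owners, and the fixed "now" of 6 June 2026 are constructed, and a real run would take notBefore/notAfter from each domain's live TLS handshake.

```python
"""Renewal-lag triage: flag certificates whose automation should already have renewed
them, rather than waiting for expiry. An ACME client typically renews at two-thirds
of lifetime, so a certificate older than that is evidence the last renewal did not
run. Observations are constructed inline; a real run would take notBefore/notAfter
from each domain's live TLS handshake."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RENEW_AT = 2 / 3  # assumed fraction of lifetime after which a typical ACME client renews
STATUS_RANK = {"expired": 0, "renewal-overdue": 1, "ok": 2}


@dataclass(frozen=True)
class CertObservation:
    domain: str
    not_before: datetime
    not_after: datetime
    owner: str = "unassigned"


def assess(obs, now):
    """Classify one certificate relative to the renewal point its client should hit."""
    lifetime = obs.not_after - obs.not_before
    renew_by = obs.not_before + lifetime * RENEW_AT
    remaining = obs.not_after - now
    if remaining <= timedelta(0):
        status = "expired"
    elif now >= renew_by:
        status = "renewal-overdue"  # automation had its window and did not replace the cert
    else:
        status = "ok"
    return {
        "domain": obs.domain,
        "owner": obs.owner,
        "status": status,
        "lifetime_days": lifetime.days,
        "days_left": remaining.days,
        "renew_by": renew_by.date().isoformat(),
    }


def triage(inventory, now):
    """Rows ordered by urgency: expired, then overdue renewals, then healthy, each by days left."""
    rows = [assess(o, now) for o in inventory]
    rows.sort(key=lambda r: (STATUS_RANK[r["status"]], r["days_left"]))
    return rows


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed observations as of a fixed "now"; mixes 47-day and 200-day certificates.
NOW = _utc(2026, 6, 6)
INVENTORY = [
    CertObservation("a.example.com", _utc(2026, 5, 20), _utc(2026, 7, 6), "it-team"),   # fresh 47-day
    CertObservation("b.example.com", _utc(2026, 4, 25), _utc(2026, 6, 11), "vendor-x"), # 47-day, renewal missed
    CertObservation("c.example.com", _utc(2026, 3, 20), _utc(2026, 10, 6), "it-team"),  # 200-day, fine
    CertObservation("d.example.com", _utc(2026, 4, 1), _utc(2026, 5, 18)),              # 47-day, already expired
]


if __name__ == "__main__":
    for r in triage(INVENTORY, NOW):
        print(f"{r['status']:16} {r['domain']:16} {r['owner']:12} "
              f"left={r['days_left']:>4}d renew_by={r['renew_by']}")
```

Note what the overdue row gives you that an expiry alert does not: `b.example.com` still has five days of validity, but its client missed the renewal it should have done on 26 May, so the vendor listed as owner can be chased while the site is still up. At 47-day lifetimes that gap between "should have renewed" and "expired" is about two weeks, which is the whole window you have.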
Recommended reading cluster
The full set of supporting articles, grouped by topic:
47-day SSL background and timeline
- 47-day SSL certificates: an agency guide
- 47-day SSL readiness for agencies
- 47-day SSL agency care plan
- 200-day SSL certificate timeline
- SSL certificate renewal workload calculator
ACME and validation
- ACME readiness check
- Why ACME renewal fails on client sites
- ACME renewal incident runbook
- HTTP-01 vs DNS-01 for client websites
- Port 80 and ACME HTTP-01 renewal
CAA records
- CAA records and the 47-day SSL shift
- CAA record and client SSL renewals
- CAA record blocks Let's Encrypt
- Let's Encrypt CAA troubleshooting
Wildcards, transparency, and CA fallback
- Wildcard certificate renewal risks
- Certificate Transparency for agencies
- SSL certificate authority fallback plan
- Let's Encrypt incident response
- SSL renewal failure client communication template
Monitoring
- SSL monitoring for web agencies
- SSL monitoring with Watchtower
- Track SSL expiry across client websites
- SSL expiry calendar reminders
How CertPilot fits
CertPilot focuses on public-facing monitoring for SSL, DNS, and domain renewals across many domains. Three free tools cover the most common 47-day readiness questions:
- 47-Day Renewal Pre-Flight — per-domain readiness check for SSL expiry, DNS basics, CAA, port 80, and HTTPS redirect.
- Watchtower — paste up to 25 domains, see SSL expiry status, and subscribe to a calendar feed your team can keep open.
- Free 10-domain agency audit — SSL, domain expiry, and DNS health across up to 10 domains in one report.
CertPilot does not run vulnerability scans, malware scans, or accessibility audits. It does not certify compliance with any framework. The methodology page lists every data source and check.
Frequently Asked Questions
What does 47-day SSL readiness actually mean?
It means your domains can renew without manual intervention every time, even when lifetimes drop to 47 days. That requires working ACME automation (or vendor renewal), correct CAA records, a clear validation method per domain, an owner per domain, and portfolio-level visibility for exceptions.
When do public SSL lifetimes actually shorten?
The CA/Browser Forum timeline ratchets maximum public TLS lifetimes from 398 days down through 200, 100, and 47 days by March 2029. The 200-day SSL certificate timeline tracks the milestones. Some CAs and platforms apply shorter lifetimes earlier in practice.
Should we use HTTP-01 or DNS-01 validation?
It depends on the domain. HTTP-01 is simpler when port 80 is reachable and the host serves the canonical site. DNS-01 is required for wildcard certificates and is more reliable when the host cannot serve port 80. The deeper comparison lives in HTTP-01 vs DNS-01 for client websites.
Are CAA records required?
Publishing them is optional for the domain owner, but every public CA is required to check them before issuing, so a wrong or stale record blocks renewal even though a missing one restricts nothing. Once renewals happen every few weeks, that mismatch becomes one of the most common renewal failures. The practical default is to publish CAA records that include every CA your automation might use, with any wildcard issuer listed in an `issuewild` record. See CAA records and the 47-day SSL shift.
What is the highest-impact thing to do this month?
Run 47-Day Pre-Flight across every public-facing domain you are responsible for, then resolve the Action needed and Review rows. That single pass closes the most common failure modes — CAA mismatches, closed port 80, missing redirect, and DNS gaps — before they bite.
Does CertPilot renew certificates?
No. CertPilot monitors public SSL, DNS, and domain renewal signals. The certificate issuer is whatever CA your host or automation already uses. Renewals are still issued and installed by the host, ACME client, or vendor that owned them before CertPilot was added.
Is this hub a compliance or security audit?
No. It is operations guidance for renewal readiness. CertPilot does not certify compliance with NIS2, ISO, SOC 2, or any other framework, and it does not run vulnerability scans. Treat the recommendations here as operational hygiene, not a legal or security audit.
Monitor every client domain from one dashboard.
CertPilot checks SSL expiry, DNS records, and domain registration daily — then sends one alert when action is needed. 14-day free trial, no card required.