47-Day SSL Readiness for Agencies: ACME, CAA, DNS, and Renewal Workload

A practical 47-day SSL readiness guide for agencies preparing ACME, CAA, DNS, hosting, and renewal workflows for shorter certificate lifetimes.

Updated 10 May 2026

47-day SSL readiness means making sure client certificate renewals can happen reliably without manual panic: ACME automation works, CAA records allow the right certificate authority, DNS and HTTP validation paths are understood, ownership is clear, and the agency has a workflow for monitoring exceptions. The work is not just "check expiry dates more often." Shorter certificate lifetimes make weak renewal workflows show up faster.

For agencies, the practical goal is simple: know which client domains are ready, which domains depend on a person or vendor, and which renewals could fail because DNS, hosting, CAA, redirects, firewalls, or ownership are unclear. Use 47-Day Pre-Flight for a focused readiness check, Watchtower for SSL visibility and calendar workflow, and the free 10-domain agency audit when SSL needs to be reviewed alongside DNS, domain expiry, CAA, and email-authentication signals. CertPilot explains its public certificate, DNS, and domain checks in the CertPilot methodology.

Quick answer: what 47-day SSL readiness means

47-day SSL readiness is an operating model for shorter certificate renewal cycles. It asks whether the domain can renew without heroic manual intervention.

The core questions are:

  • Is the current certificate valid and known?
  • Does the agency know who owns the renewal path?
  • Does ACME renewal work for the domain or platform?
  • Does CAA permit the expected certificate authority?
  • Is HTTP-01 or DNS-01 validation understood?
  • Are DNS owners, hosting owners, and client contacts documented?
  • Are renewal exceptions visible before the deadline?
  • Can the agency explain the status in a client-ready report?

The support article 47-day SSL certificates for agencies covers why the industry shift matters. This pillar focuses on the operating model agencies can use to prepare client portfolios.

Who this guide is for

This guide is for agency owners, MSPs, support leads, web operations teams, and technical account managers who are responsible for client websites but do not always control the whole certificate chain.

It is especially relevant if your client portfolio includes:

  • Managed WordPress hosts.
  • Shopify, Webflow, Squarespace, or other hosted platforms.
  • Cloudflare or CDN-managed DNS.
  • Client-owned registrars.
  • Custom VPS or server certificates.
  • Wildcard certificates.
  • DNS-01 validation.
  • Multiple certificate authorities across clients.
  • Domains where nobody is sure who owns DNS.

The smaller the team, the more important the workflow becomes. Shorter lifetimes reward boring, repeatable process.

Why shorter SSL lifetimes matter for agencies

When certificates live for a long time, weak renewal ownership can stay hidden. A client site can appear healthy for months even though nobody knows who controls DNS, whether ACME still works, or whether the platform can renew automatically. Shorter certificate lifetimes reduce that margin.

The agency impact is not only technical. It affects care-plan workload, client communication, and escalation timing. A missed renewal can become a visible incident, but the root cause is often operational: unclear owner, stale DNS, blocked validation, wrong CAA, expired platform connection, or a client-controlled registrar account.

The 200-day SSL timeline explains the broader transition. Agencies should treat shorter lifetimes as a process-design problem, not just a certificate-date problem.

The 47-day SSL readiness operating model

The operating model has four layers:

  1. Inventory: know which domains and hostnames matter.
  2. Readiness: confirm ACME, CAA, DNS, HTTP, and host dependencies.
  3. Monitoring: watch expiry and unexpected certificate signals.
  4. Reporting: turn checks and exceptions into client-facing proof.

| Readiness area | What to check | Why it matters | Tool/check |
|---|---|---|---|
| Certificate status | Validity, issuer, expiry, hostname coverage | Establish current state | Watchtower, Audit |
| ACME path | Whether renewal can happen without manual steps | Shorter cycles punish manual processes | Pre-Flight |
| CAA records | Whether the expected CA is allowed | CAA can block issuance | Pre-Flight |
| HTTP validation | Port 80, redirect behavior, challenge path | HTTP-01 depends on public reachability | Pre-Flight |
| DNS validation | DNS owner, zone access, automation | DNS-01 depends on record control | Pre-Flight |
| Ownership | Client, agency, host, DNS provider, CA | Prevents escalation delays | Internal inventory |
| Reporting | Status, exception, next owner | Converts monitoring into proof | Audit, monthly report |

ACME readiness

ACME readiness means the certificate renewal method still works. For many managed platforms, the agency does not see the ACME client directly. The practical review is still useful: does the platform control the validation path, does DNS point where the platform expects, and does the account have the right domain connection?

The ACME readiness check explains the basic review. Agencies should document the renewal model for each important domain:

  • Host-managed certificate.
  • CDN-managed certificate.
  • WordPress host certificate.
  • Custom ACME client on a server.
  • Manual certificate uploaded by a vendor.
  • Wildcard certificate using DNS-01.

Readiness is weaker when the model is unknown. Unknown does not mean broken, but it does mean the agency cannot confidently explain who will act if renewal fails.

CAA records and certificate authority authorization

CAA records tell certificate authorities which CAs may issue certificates for a domain. CAA is useful, but it can also create renewal surprises when a domain moves platforms or changes certificate providers.

The CAA record SSL renewal guide, Let's Encrypt CAA troubleshooting guide, and CAA records and 47-day SSL guide cover the support topics in detail. For the pillar workflow, the rule is:

  • Record which CA is currently issuing certificates.
  • Check whether CAA permits that CA.
  • Check whether wildcard certificates need an issuewild record.
  • Confirm who can edit DNS if CAA changes are required.
  • Do not remove CAA records without understanding why they exist.

CertPilot checks and records CAA for certificate-authority context. It does not make DNS changes or fix CAA automatically.
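The CAA questions in the list above can be worked through offline. This is an added example, not CertPilot's code: it evaluates a CAA record set following RFC 8659 (climb to the closest name that has CAA records, and for wildcard names use issuewild when present, otherwise issue). The zone data, client domain names, and function names are constructed for illustration.

```python
# Added example: CAA evaluation per RFC 8659 over constructed sample records.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

ZONE = {  # constructed sample data: name -> [(flags, tag, value)]
    "client-a.example": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "client-b.example": [(0, "issue", "digicert.com"), (0, "iodef", "mailto:dns@client-b.example")],
    "client-c.example": [(0, "iodef", "mailto:dns@client-c.example")],
}

def relevant_rrset(name, zone):
    """Climb from name toward the root; return the first non-empty CAA RRset."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def caa_permits(hostname, ca_domain, zone):
    """Return (allowed, reason) for ca_domain issuing a certificate for hostname."""
    wildcard = hostname.startswith("*.")
    name = hostname[2:] if wildcard else hostname
    rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA records found: any CA may issue"
    # A critical (flag 128) property the CA does not understand blocks issuance.
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property '{tag}'"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    use_wild = wildcard and bool(issuewild)
    values, tag = (issuewild, "issuewild") if use_wild else (issue, "issue")
    if not values:
        return True, "CAA present but no issue restriction applies"
    # The issuer domain is the part before any ';' parameters; ';' alone is empty.
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    if ca_domain.lower() in allowed:
        return True, f"{tag} permits {ca_domain}"
    named = sorted(allowed - {""})
    return False, f"{tag} allows only {named or 'no CA'}"

if __name__ == "__main__":
    for host in ("www.client-a.example", "*.client-a.example", "shop.client-b.example"):
        print(host, caa_permits(host, "letsencrypt.org", ZONE))
```

In the sample data, client-a permits its CA for ordinary hostnames but blocks every wildcard through `issuewild ";"`, which is the kind of copied-forward restriction that only surfaces at renewal.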

HTTP-01 vs DNS-01 validation

The validation method determines what can break.

| Validation method | Best for | Common failure | Agency action |
|---|---|---|---|
| HTTP-01 | Normal websites with public HTTP reachability | Port 80 blocked, redirect loop, challenge path intercepted | Confirm public HTTP path and host routing |
| DNS-01 | Wildcards, private hosts, CDN-heavy setups | DNS owner unavailable, automation token expired, stale TXT record | Confirm DNS access and owner |
| Platform-managed | Hosted builders and managed hosts | Domain not connected, wrong DNS target, account issue | Check platform status and support path |
| Manual upload | Legacy hosting or custom servers | Person forgets renewal, chain uploaded incorrectly | Replace with automated workflow where possible |

The HTTP-01 vs DNS-01 guide and port 80 ACME guide are the first support articles to use when a renewal path is unclear.
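To make the HTTP-01 and DNS-01 rows concrete, the following added example (not code from CertPilot or any ACME client) derives what each method requires to be publicly visible under RFC 8555, and classifies TXT values seen at the challenge name, including the stale-record case. The token, account-key thumbprint, hostnames, and function names are constructed for illustration.

```python
# Added example: where ACME (RFC 8555) looks for each challenge type.
import base64
import hashlib

TOKEN = "constructed-token-abc123"        # constructed sample value
THUMB = "constructed-thumbprint-xyz789"   # constructed sample value

def key_authorization(token, thumbprint):
    """Token joined to the ACME account key thumbprint."""
    return f"{token}.{thumbprint}"

def http01_target(hostname, token, thumbprint):
    """URL the CA fetches over port 80 and the exact body it expects there."""
    if hostname.startswith("*."):
        raise ValueError("HTTP-01 is not accepted for wildcard names; use DNS-01")
    url = f"http://{hostname}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, thumbprint)

def dns01_target(hostname, token, thumbprint):
    """TXT record name and value; a wildcard validates at its base domain."""
    base = hostname[2:] if hostname.startswith("*.") else hostname
    digest = hashlib.sha256(key_authorization(token, thumbprint).encode()).digest()
    value = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return f"_acme-challenge.{base}", value

def txt_status(expected, observed):
    """Classify the TXT values currently published at the challenge name."""
    if expected in observed:
        return "match" if len(observed) == 1 else "match, leftover records present"
    return "stale: only old challenge values" if observed else "missing: no TXT record"

if __name__ == "__main__":
    print(http01_target("www.client-a.example", TOKEN, THUMB))
    name, value = dns01_target("*.client-a.example", TOKEN, THUMB)
    print(name, value)
    print(txt_status(value, ["value-from-a-previous-order"]))  # constructed stale value
```

Because the DNS-01 value is a digest of the current token and account key, a TXT record left over from an earlier order never satisfies a new challenge.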

DNS ownership and access

Many renewal failures are really access failures. The agency sees the website, the host sees the account, the client owns the registrar, and nobody knows who can edit DNS quickly.

For 47-day readiness, document:

  • Registrar.
  • DNS provider.
  • Nameserver owner.
  • Person or team with DNS access.
  • Whether the agency has delegated access.
  • Whether the client requires approval for DNS edits.
  • Whether CAA, TXT, or validation records are managed by a third party.

This is where SSL readiness connects to DNS monitoring for agencies. If the agency cannot explain who owns DNS, it cannot promise a fast certificate-renewal response.

Hosting and managed platform dependencies

Managed platforms simplify certificates when the domain is connected correctly. They also hide details until something drifts.

Agencies should watch for:

  • Website moves without certificate review.
  • DNS changes after launch.
  • CDN toggles that change issuer.
  • Host migrations where the old certificate remains visible.
  • Wildcard assumptions that do not match the platform.
  • Client billing or account status blocking platform services.

The goal is not to replace the host or CA. The goal is to know which system owns renewal and when the agency should escalate.

Renewal workload and agency care plans

Shorter certificate lifetimes increase the number of renewal events. Most renewals should be uneventful, but the agency workload comes from exceptions. The SSL renewal workload calculator helps estimate how many events the team may need to watch.

For care plans, 47-day readiness should become a recurring review:

  • Which domains renew soon?
  • Which domains have unknown owners?
  • Which domains depend on manual renewal?
  • Which domains have CAA or validation risk?
  • Which exceptions need client attention?

The 47-day SSL care plan guide turns that into a client service model.

Calendar reminders vs automated visibility

Calendar reminders are useful, but they are not the same as monitoring. A reminder says "check this later." Visibility says "this is what the certificate and supporting signals look like now."

Use calendar reminders for human follow-up:

  • Client approval needed.
  • Host ticket pending.
  • DNS owner assigned.
  • Certificate renewal date approaching.

Use monitoring for public signals:

  • Expiry date.
  • Issuer.
  • CAA context.
  • Certificate Transparency activity.
  • DNS and domain health signals.

The SSL monitoring Watchtower guide explains how expiry visibility and calendar workflows fit together.

Common failure patterns

| Failure pattern | Possible cause | Urgency | Next step |
|---|---|---|---|
| Certificate due soon and owner unknown | Client or host owns renewal path | High | Assign owner and escalation path |
| ACME challenge fails | HTTP path blocked or DNS-01 record unavailable | High near expiry | Confirm validation method |
| CAA blocks expected CA | Old CA restriction copied forward | Medium to high | Review CAA with DNS owner |
| Wildcard renewal uncertain | DNS-01 access unclear | Medium | Confirm DNS automation or manual owner |
| Issuer changes unexpectedly | Platform migration or CDN change | Medium | Compare to expected host |
| Manual upload process remains | Legacy hosting workflow | Medium | Add reminder and owner |

47-day SSL readiness checklist for agencies

  • List every client domain and important hostname.
  • Record current certificate expiry and issuer.
  • Confirm the certificate covers the expected hostnames.
  • Identify the renewal owner: host, platform, client, agency, or vendor.
  • Identify the validation method when possible.
  • Check whether CAA permits the expected CA.
  • Confirm DNS owner and emergency DNS contact.
  • Confirm whether HTTP-01 depends on port 80 and redirect behavior.
  • Confirm whether DNS-01 depends on manual records or automation.
  • Flag wildcard certificates for separate review.
  • Add renewal reminders only after ownership is clear.
  • Document exception status in a client-ready note.
  • Recheck after hosting, DNS, CDN, or registrar changes.

Pre-Flight vs Watchtower vs full Agency Audit

Use this decision framework when choosing the next check:

| Situation | Best first step | Why | Follow-up |
|---|---|---|---|
| One domain needs 47-day readiness review | 47-Day Pre-Flight | Focused ACME, CAA, and renewal-readiness check | Assign owner for exceptions |
| A domain needs SSL expiry and calendar workflow | Watchtower | Tracks certificate timing and reminders | Use Pre-Flight if readiness is uncertain |
| An agency wants portfolio-level visibility | free 10-domain agency audit | Combines SSL, DNS, domain, CAA, and email-auth signals | Turn findings into report items |
| A certificate issue repeats | Pre-Flight plus internal owner review | Repetition usually means process gap | Document permanent owner |

How CertPilot fits

CertPilot gives agencies public-signal visibility around SSL, DNS, domain expiry, email authentication, CAA, and client-ready reporting. It does not issue certificates, renew certificates, manage DNS hosting, or replace the systems that do those jobs.

For 47-day readiness, CertPilot is best used as the proof and visibility layer:

  • Run 47-Day Pre-Flight when a domain needs ACME, CAA, and readiness review.
  • Use Watchtower when expiry visibility and calendar workflow matter.
  • Run the free agency audit when the client conversation needs broader proof across several domains.
  • Use the methodology page when clients ask what public data CertPilot inspects and where the limits are.

Run a 47-day SSL readiness check

If a client domain is due for launch, migration, or renewal review, run 47-Day Pre-Flight first. It is the most focused CertPilot tool for ACME, CAA, and shorter-lifetime certificate readiness.

If you manage several client domains, run the free 10-domain agency audit afterward so SSL readiness can be reviewed alongside DNS, domain expiry, email-authentication, and reporting signals.

Frequently Asked Questions

What is 47-day SSL readiness for agencies?

47-day SSL readiness for agencies is the process of checking whether client certificates can renew reliably under shorter certificate lifetimes. It includes certificate expiry visibility, ACME readiness, CAA records, validation method, DNS ownership, hosting dependencies, and escalation workflow. The point is not to manually touch every renewal. The point is to find the domains where automation, ownership, or authorization is unclear before a renewal becomes urgent.

Does CertPilot renew SSL certificates automatically?

No. CertPilot does not issue, renew, or install SSL certificates. It checks public certificate, DNS, CAA, domain, and related signals so agencies can see which domains need follow-up. Certificate renewal remains the responsibility of the host, certificate authority, ACME client, platform, DNS owner, or internal team that controls the domain.

Is CAA required for every client domain?

No. A domain can obtain certificates without publishing CAA records. When CAA is present, it can restrict which certificate authorities may issue certificates. Agencies should review CAA because an old or copied record can block the expected CA. The safer workflow is to document why the CAA record exists and confirm it matches the renewal path.

Should agencies use HTTP-01 or DNS-01 validation?

It depends on the site and hosting model. HTTP-01 is common for public websites where the host can serve the ACME challenge. DNS-01 is common for wildcard certificates and situations where DNS validation is preferred. Agencies do not always choose the method directly, especially on managed platforms, but they should know which owner controls the path when renewal fails.

How often should agencies review certificate readiness?

Agencies should review readiness during onboarding, launch, hosting migration, DNS migration, care-plan setup, and before known renewal windows. Shorter certificate lifetimes make recurring review more important, but the highest-risk moments are changes: new host, new CDN, new DNS provider, new CAA record, or unclear ownership.

Is Watchtower the same as 47-Day Pre-Flight?

No. Watchtower is best for SSL visibility, expiry tracking, Certificate Transparency review, and calendar workflow. 47-Day Pre-Flight is better when the question is renewal readiness: ACME, CAA, validation path, and shorter-lifetime risk. A full agency audit is broader and includes SSL, DNS, domain expiry, CAA, and email-authentication signals across up to 10 domains.

What should agencies report to clients about 47-day SSL readiness?

Report the practical state: certificate expiry reviewed, renewal owner identified, CAA checked, validation risk noted, and next action assigned if needed. Clients do not need raw certificate chains unless they ask. They need to know whether the agency is watching the domain and whether the next step belongs to the agency, host, DNS owner, certificate provider, or client.