47-Day readiness

A dashboard purpose-built for the CA/B Forum SC-081 shorter-lifetime roadmap. Certs are moving from ~398 days to ~100 and eventually to 47. That shift turns manual renewal processes into incident generators. The readiness score tells you how prepared your project is.

01 The score

Weighted average of three components, range 0 – 100:

  • 50 % — Automation coverage: fraction of certs with auto_renew: true and an issuer that is ACME or MSCA (i.e. renewal doesn't need human paperwork).
  • 30 % — Distribution coverage: fraction of certs that have at least one auto-triggered distribution, so the renewed cert actually lands somewhere.
  • 20 % — No manual DNS: fraction of certs NOT in the manual DNS path. Manual-DNS certs can't auto-renew.

Result buckets:

Score     Label          Reading
90–100    Ready          You'll ride the 47-day transition easily.
70–89     Nearly ready   A handful of gaps — prioritised action list surfaces below.
40–69     Needs work     Significant manual work inside the org; 47-day renewal would hurt.
0–39      Not ready      Fix fast. Start with the automation coverage component.
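
The scoring rules above, worked through on a small inventory. This is an added example, not the product's code: the Cert fields, the "no auto-renew" mapping for non-automated certs, and round-to-nearest are assumptions, while the weights, buckets and the MSCA manual-approval exclusion (see Troubleshooting) come from this page.

```python
from dataclasses import dataclass

# Weights and bucket floors are from the page; the record layout is assumed.
WEIGHTS = {"automation": 50, "distribution": 30, "no_manual_dns": 20}
BUCKETS = [(90, "Ready"), (70, "Nearly ready"), (40, "Needs work"), (0, "Not ready")]

@dataclass
class Cert:  # hypothetical inventory record, not the product's schema
    name: str
    issuer_type: str               # "acme", "msca", or anything else
    auto_renew: bool
    auto_distributions: int        # number of auto-triggered distributions
    manual_dns: bool
    manual_approval: bool = False  # MSCA template that needs a human approver

def is_automated(c: Cert) -> bool:
    # auto_renew on an ACME/MSCA issuer, excluding MSCA manual-approval templates
    return (c.auto_renew and c.issuer_type in ("acme", "msca")
            and not (c.issuer_type == "msca" and c.manual_approval))

def failure_classes(c: Cert) -> list:
    checks = {"manual DNS": c.manual_dns, "no auto-renew": not is_automated(c),
              "no distribution": c.auto_distributions == 0}
    return [name for name, failed in checks.items() if failed]

def weighted_score(components: dict) -> tuple:
    # Rounding to the nearest integer is an assumption; the page does not say.
    score = round(sum(components[k] * w for k, w in WEIGHTS.items()) / 100)
    return score, next(label for floor, label in BUCKETS if score >= floor)

def readiness(certs: list) -> dict:
    if not certs:
        raise ValueError("empty inventory: score is undefined")
    pct = lambda hits: 100.0 * hits / len(certs)
    components = {
        "automation": pct(sum(is_automated(c) for c in certs)),
        "distribution": pct(sum(c.auto_distributions > 0 for c in certs)),
        "no_manual_dns": pct(sum(not c.manual_dns for c in certs)),
    }
    score, label = weighted_score(components)
    at_risk = {c.name: failure_classes(c) for c in certs if failure_classes(c)}
    return {"score": score, "label": label, "components": components, "at_risk": at_risk}

SAMPLE = [  # constructed inventory
    Cert("web", "acme", True, 2, False),
    Cert("api", "acme", True, 0, False),
    Cert("vpn", "msca", True, 1, False, manual_approval=True),
    Cert("legacy", "manual", False, 0, True),
]
```

Feeding the component values from the API sample in section 08 (82, 61, 94) to weighted_score gives 78, "Nearly ready", matching the response shown there.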

02 Renewal projection

A chart showing renewal volume per week under current vs 47-day lifetimes. The 47-day line is often 3 – 4× the current line — that's the scale of additional automation churn SC-081 implies. The chart is a persuasion tool for the conversation with whoever owns "we'll just keep doing it manually".

03 Impact metrics

  • Manual renewals per week (projected) — certs without auto-renew × (365 / 47).
  • Expected rate-limit pressure — per-zone weekly issuance vs CA limits.
  • Human-hours per quarter — estimate based on an industry-average 30 min per manual renewal.

04 Migration timeline

Apple's phased rollout (the most aggressive browser vendor on this), used as the industry's de-facto schedule. The dashboard highlights "today" on the timeline so you see how much runway you have:

  • 2026-03-15: 200-day maximum.
  • 2027-03-15: 100-day maximum.
  • 2028-04-15: 47-day maximum.

05 By-issuer breakdown

A small table showing automation coverage per issuer. Highlights issuers where you still have manual-path certs — usually "we were lazy and didn't auto-renew" or "this issuer genuinely needs human approval". The former is fixable; the latter requires an issuer migration.

06 At-risk certificates

The bottom panel enumerates every cert that would miss the 47-day cycle. Sortable by:

  • Longest validity left — longest-lived certs first (more time to fix).
  • Business criticality — via tags / project conventions.
  • Failure class — manual DNS / no auto-renew / no distribution.

A Migrate all button prompts a wizard that enables auto-renew, attaches distributions, or moves off manual DNS — whichever is relevant per cert.

07 Caching

The readiness computation is CPU-bound on large fleets (thousands of certs, aggregation pipelines). It's cached with singleflight — concurrent requests coalesce. Background refresh every 5 minutes keeps the view current. Force a refresh with the Recalculate button.

08 API

GET /api/v1/projects/{projectId}/dashboard/readiness-47day
# →
{
  "score": 78,
  "label": "Nearly ready",
  "components": {
    "automation":   { "value": 82, "weight": 50 },
    "distribution": { "value": 61, "weight": 30 },
    "no_manual_dns":{ "value": 94, "weight": 20 }
  },
  "projections": { ... },
  "at_risk_count": 14,
  "computed_at": "2026-04-21T14:23:45Z"
}

09 Troubleshooting

"My automation score is lower than expected"

MSCA issuers with manual approval templates don't count as fully automated even if auto_renew is on — because the approval step is human. Switch the template to auto-issue in the Windows CA if policy allows, or accept the score hit as the cost of a required approval.

"Numbers haven't updated after I fixed a cert"

The readiness view is cached and refreshed every 5 minutes. Click Recalculate to force a refresh.