Start with the client list
Agency certificate risk usually lives in spreadsheets, hosting panels, DNS accounts, CDNs, and client handoffs. Import the production sites, portals, checkout paths, APIs, landing pages, and high-retainer client domains first.
- Tag each hostname by client, environment, platform, renewal contact, or account team.
- Use dry-run validation to catch malformed rows, duplicates, and quota impact before monitors are created.
- Keep client-facing domains separate from lower-risk staging or campaign hostnames.
| Input | What to capture | Why it matters |
|---|---|---|
| Client domain list | Apex, www, portals, APIs, checkout, campaign, and vendor-hosted names. | Prevents important client paths from staying outside the renewal queue. |
| Account owner | Account manager or technical lead responsible for client communication. | Shows who should know before a browser warning becomes a client apology. |
| Renewal contact | Hosting, DNS, CDN, platform, or vendor owner. | Keeps the fix path attached to the hostname. |
| Alert route | Shared inbox, client channel, Slack route, or webhook destination. | Keeps warnings out of personal inboxes. |
| Evidence need | Delivery attempts, certificate snapshot, and change history. | Supports client review after a missed warning or renewal handoff. |