Is Your Agency Responsible for Client SSL Certificates? What the Contracts Say

When a client's SSL certificate expires and their site goes down, the first call comes to the agency. That is not a legal judgement — it is an operational reality. The client's relationship with their agency is the closest point of contact for anything that goes wrong with their digital presence, regardless of whose hosting account the certificate lives in.

The question of legal liability matters, but it is secondary to the immediate situation: the site is down, the client wants it fixed, and the clock is running. Most agencies start from that reality and work backwards to the liability question later.

That sequence — fix first, determine responsibility after — is itself a problem. It means the agency has absorbed the cost of the incident before they have established whether they were obligated to prevent it.


When the Agency Is Clearly Responsible

There are circumstances where the agency's responsibility for SSL certificate management is unambiguous.

The agency manages hosting in its own accounts. If the hosting account is billed to the agency, the agency controls access, and the certificate is provisioned within that account, the agency is responsible. Full stop. There is no reasonable interpretation under which the client is expected to manage a certificate inside an account they cannot access.

The agency manages domain DNS. SSL certificate provisioning is tied to DNS control for most certificate types. Domain validation certificates require either an email to the domain registrant or a DNS record added to the zone. If the agency controls the DNS zone, they are in the certificate provisioning chain — practically if not contractually.

The service agreement includes "website maintenance" or "website management." These terms are common in retainer agreements and are deliberately broad. Courts and arbitrators interpreting these terms will generally include certificate management within "website maintenance" unless the agreement specifically excludes it. Silence on SSL certificates within a "website maintenance" scope is an inclusion, not an exclusion.

The agency previously renewed the certificate. Past behaviour establishes expectation. If an agency renewed a client's SSL certificate once — even informally, even as a one-time favour — the client reasonably expects that behaviour to continue. If it then does not, the client has a grievance with some merit, regardless of what the contract says.


When Responsibility Is Genuinely Ambiguous

Not every agency-client relationship is clear-cut. Several situations create genuine ambiguity.

The client manages their own hosting but the agency has access. This is common in longer-term relationships where the agency was brought in after the client had already established their hosting setup. The agency has credentials, has logged in, has made changes — but the account is in the client's name and billed to the client. The responsibility line is unclear.

The agency built the site but the client "took it over." Project engagements often end with a handoff. The agency launches the site, hands over credentials, and considers the project closed. Whether the SSL certificate management obligation transferred with the credentials is rarely documented. It was never explicitly discussed. The client assumes the agency is still monitoring it. The agency assumes the client is.

There is no written service agreement. This is more common than agencies want to admit, particularly in relationships that started small and grew over time. Without a written agreement, responsibility for SSL certificates is determined by what both parties can demonstrate about their actual practice and reasonable expectations — which is exactly the kind of argument you do not want to be having when a client's e-commerce site has been down for four hours.


What Most Agency Contracts Actually Say

The typical retainer agreement between a marketing agency and a client does not mention SSL certificates. It describes deliverables in terms of campaigns, creative work, reporting, and channel management. If it covers "website management," it does so in terms of content updates and technical maintenance — without specifying what "technical maintenance" includes.

SSL certificate management sits in this gap. It is neither explicitly included nor explicitly excluded. Both parties have signed an agreement that does not address the question.

The practical standard that applies in this situation is one of reasonable expectation: what would a reasonable client, in this type of relationship, with this scope of service, expect the agency to manage? For a client who has contracted a full-service agency to manage their digital presence, a reasonable expectation is that certificate management is included. For a client who contracted a campaign-specific engagement with a defined deliverable list, that expectation is weaker.

The important point is this: if the agency has ever touched it, the expectation exists. The burden is on the agency to explicitly carve it out if they do not want to own it — not on the client to prove that the agency was responsible.


The Simpler Frame

Relitigating liability after an incident is expensive, relationship-damaging, and often inconclusive. The simpler approach is to remove the ambiguity before the incident.

Agencies that manage SSL monitoring proactively have no ambiguity at renewal time. The certificate renews, the client's site stays up, the question of who was responsible never arises. There is no dispute because there is no incident.

This is why professional agencies build SSL monitoring into their retainer scope rather than leaving it as an implicit edge case. It is not a generous concession to the client — it is a risk management decision for the agency. The cost of monitoring is predictable. The cost of an incident is not.


What to Put in Your Service Agreement

Service agreements should resolve the SSL ambiguity in one direction or the other. Both are defensible. Ambiguity is the problem.

If the agency is taking responsibility for SSL monitoring and renewal:

Include specific language that SSL certificate monitoring is within scope, define the alert thresholds the agency monitors to, specify that the agency will notify the client when a certificate is approaching expiry, and clarify who has authority to act on renewal (and who pays for paid certificates when relevant).

If the agency is explicitly not taking responsibility:

Include a clear statement that SSL certificate management is the client's responsibility, specify who receives expiry notifications (the client must designate an active email address), and document that the agency is not liable for incidents arising from certificate expiry.

Either position is professionally reasonable. An agency that manages hundreds of client domains may legitimately choose to include SSL monitoring as a billable service. An agency doing project work with no ongoing retainer may legitimately exclude it. The problem is not the answer — it is having no answer at all.
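The "alert thresholds" and "who gets notified" language above only holds up if something actually produces those alerts and a record of them. The script below is an added illustration, not code from the page or from Merlonix: it takes a per-client inventory of certificates, compares each expiry date against a threshold ladder, and emits alerts routed to both the account manager and the client's designated contact. The threshold values, client names, domains and addresses are constructed for the example; the only network call (`fetch_not_after`) uses the standard library's `ssl` module and is not exercised by the built-in sample run.

```python
import ssl
import socket
from datetime import datetime, timedelta, timezone

# Alert thresholds in days before expiry (constructed; the retainer should state these).
DEFAULT_THRESHOLDS = (30, 14, 7, 1)


def classify(not_after, now, thresholds=DEFAULT_THRESHOLDS):
    """Map a certificate's notAfter to a status against the agreed thresholds.

    Returns (status, whole_days_left) where status is 'expired', 'warn-<N>d' for the
    tightest threshold crossed, or 'ok'. A certificate that expires later today has
    0 whole days left and must still alert, so thresholds are compared with <=.
    """
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired", remaining.days
    days_left = remaining.days
    for threshold in sorted(thresholds):  # tightest threshold first
        if days_left <= threshold:
            return f"warn-{threshold}d", days_left
    return "ok", days_left


def build_alerts(inventory, now, thresholds=DEFAULT_THRESHOLDS):
    """Produce one routed alert per certificate that is expired or inside a threshold.

    Each inventory row carries the routing fields the agreement asks for: who at the
    agency owns the account and which client address receives expiry notices.
    """
    alerts = []
    for row in inventory:
        status, days_left = classify(row["not_after"], now, thresholds)
        if status == "ok":
            continue
        alerts.append({
            "client": row["client"],
            "domain": row["domain"],
            "status": status,
            "days_left": days_left,
            "notify": [row["account_manager"], row["client_contact"]],
        })
    # Most urgent first, so an expired certificate is never buried under warnings.
    alerts.sort(key=lambda a: a["days_left"])
    return alerts


def fetch_not_after(hostname, port=443, timeout=5.0):
    """Read notAfter from a live TLS handshake (network; not used by the sample run)."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    # ssl.cert_time_to_seconds parses the 'notAfter' string the ssl module returns.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)


# Constructed sample inventory: fictitious clients and domains, expiry dates relative
# to a fixed clock so the run is reproducible offline.
SAMPLE_NOW = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"client": "Acme Retail", "domain": "shop.example", "account_manager": "am1@agency.example",
     "client_contact": "it@acme.example", "not_after": SAMPLE_NOW + timedelta(days=60)},
    {"client": "Acme Retail", "domain": "www.example", "account_manager": "am1@agency.example",
     "client_contact": "it@acme.example", "not_after": SAMPLE_NOW + timedelta(days=10)},
    {"client": "Bolt Legal", "domain": "bolt.example", "account_manager": "am2@agency.example",
     "client_contact": "office@bolt.example", "not_after": SAMPLE_NOW + timedelta(hours=6)},
    {"client": "Cora Clinic", "domain": "cora.example", "account_manager": "am2@agency.example",
     "client_contact": "admin@cora.example", "not_after": SAMPLE_NOW - timedelta(days=2)},
]


def sample_alerts():
    """Run the constructed inventory against the default thresholds."""
    return build_alerts(SAMPLE_INVENTORY, SAMPLE_NOW)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(f"{alert['status']:>9}  {alert['days_left']:>4}d  {alert['client']:<12} "
              f"{alert['domain']:<14} -> {', '.join(alert['notify'])}")
```

Two details matter for the contractual record. A certificate that expires later the same day has zero whole days left but is not yet expired, so the comparison uses `<=` against the one-day threshold rather than `<`, otherwise the last warning is never sent. And every alert names both recipients, which is the evidence an agency needs later to show that the client contact designated in the agreement was notified at each threshold.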


The Practical Recommendation

Include SSL monitoring in your retainer scope explicitly, charge for it, and monitor it systematically. This is better economics than the alternative.

The alternative is being on call for an emergency certificate renewal at an inconvenient time, treating it as a free service because you cannot easily invoice for it after the fact, and having a client relationship conversation about who is responsible while the site is down.

The agency that has SSL monitoring in scope, charges a modest monthly fee for it, and has a clean record of alerts sent and certificates renewed is in a defensible position on all fronts: contractually, operationally, and in the client relationship.


Merlonix provides per-client SSL certificate monitoring with configurable alert thresholds and account-manager routing — the infrastructure to back up whatever scope you put in your service agreements.


→ Related: SSL Certificate Monitoring for Agencies
→ Related: What Happens When an SSL Certificate Expires
→ Related: Agency Website Monitoring Retainer