diff --git a/backend/services/identity-service/docs/DEPLOYMENT_GUIDE.md b/backend/services/identity-service/docs/DEPLOYMENT_GUIDE.md
index a9cc50d8..cb4f3640 100644
--- a/backend/services/identity-service/docs/DEPLOYMENT_GUIDE.md
+++ b/backend/services/identity-service/docs/DEPLOYMENT_GUIDE.md
@@ -127,12 +127,15 @@
 │ └── rwaapi.szaiai.com.conf # API 网关配置
 ├── sites-enabled/ # 已启用站点 (软链接)
 │ └── rwaapi.szaiai.com.conf → ../sites-available/rwaapi.szaiai.com.conf
-├── snippets/ # 可复用配置片段
-│ ├── proxy-params.conf # 代理参数
-│ └── ssl-params.conf # SSL 安全参数
-└── ssl/
- ├── rwaapi.szaiai.com.pem # SSL 证书
- └── rwaapi.szaiai.com.key # SSL 私钥
+└── snippets/ # 可复用配置片段
+ ├── proxy-params.conf # 代理参数
+ └── ssl-params.conf # SSL 安全参数
+
+/etc/letsencrypt/live/rwaapi.szaiai.com/ # Let's Encrypt SSL 证书 (自动管理)
+├── fullchain.pem # 完整证书链
+├── privkey.pem # 私钥
+├── cert.pem # 服务器证书
+└── chain.pem # 中间证书
 ```
 **使用 `sites-available/sites-enabled` 的优势:**
@@ -284,9 +287,9 @@ server {
 listen 443 ssl http2;
 server_name rwaapi.szaiai.com;
- # SSL 证书
- ssl_certificate /etc/nginx/ssl/rwaapi.szaiai.com.pem;
- ssl_certificate_key /etc/nginx/ssl/rwaapi.szaiai.com.key;
+ # Let's Encrypt SSL 证书 (默认路径)
+ ssl_certificate /etc/letsencrypt/live/rwaapi.szaiai.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/rwaapi.szaiai.com/privkey.pem;
 # 引入 SSL 安全参数
 include snippets/ssl-params.conf;
@@ -950,11 +953,18 @@ rm -f /etc/nginx/sites-enabled/default
 # 6. 安装 SSL 证书 (Let's Encrypt)
 apt install -y certbot python3-certbot-nginx
+# 获取证书 (证书自动保存到 /etc/letsencrypt/live/rwaapi.szaiai.com/)
 certbot certonly --nginx -d rwaapi.szaiai.com
-# 证书会自动保存到 /etc/letsencrypt/live/rwaapi.szaiai.com/
-# 然后创建软链接到 /etc/nginx/ssl/:
-ln -s /etc/letsencrypt/live/rwaapi.szaiai.com/fullchain.pem /etc/nginx/ssl/rwaapi.szaiai.com.pem
-ln -s /etc/letsencrypt/live/rwaapi.szaiai.com/privkey.pem /etc/nginx/ssl/rwaapi.szaiai.com.key
+# 证书文件:
+# /etc/letsencrypt/live/rwaapi.szaiai.com/fullchain.pem (完整证书链)
+# /etc/letsencrypt/live/rwaapi.szaiai.com/privkey.pem (私钥)
+# 无需创建软链接,Nginx 配置直接引用 Let's Encrypt 路径
+
+# 设置自动续期 (Let's Encrypt 证书有效期 90 天)
+# certbot 已自动配置 systemd timer,可通过以下命令验证:
+systemctl list-timers | grep certbot
+# 或手动测试续期:
+certbot renew --dry-run
 # 7. 测试配置
 nginx -t
@@ -1136,9 +1146,11 @@ docker compose up -d --build identity-service
 - 检查 OPTIONS 预检请求是否返回 204
 ### Q3: SSL 证书问题
-- 检查证书路径: `ls -la /etc/nginx/ssl/`
-- 测试 SSL: `openssl s_client -connect rwaapi.szaiai.com:443`
-- 检查证书有效期: `openssl x509 -in /etc/nginx/ssl/rwaapi.szaiai.com.pem -noout -dates`
+- 检查 Let's Encrypt 证书: `ls -la /etc/letsencrypt/live/rwaapi.szaiai.com/`
+- 测试 SSL 连接: `openssl s_client -connect rwaapi.szaiai.com:443`
+- 检查证书有效期: `openssl x509 -in /etc/letsencrypt/live/rwaapi.szaiai.com/fullchain.pem -noout -dates`
+- 手动续期证书: `certbot renew`
+- 查看续期日志: `journalctl -u certbot.timer`
 ### Q4: 服务间通信失败
 - 检查 Docker 网络: `docker network inspect rwa-network`