
Let’s Encrypt Halves Certificate Validity Period, Moving To 45-Day Lifetimes

Let’s Encrypt, a leading nonprofit certificate authority (CA), plans to slash the validity of its TLS certificates from 90 days to 45 days by 2028.

This move aligns with industry-wide mandates from the CA/Browser Forum’s Baseline Requirements, which govern publicly trusted CAs.

Shorter lifetimes enhance internet security by narrowing the window for key compromise and improving revocation efficiency through protocols like OCSP and CRLs.

The change also shrinks the authorization reuse period (the time after a successful domain validation during which new certificates can be issued without revalidating) from 30 days to 7 hours.

This forces more frequent domain control proofs via ACME challenges like HTTP-01, TLS-ALPN-01, or DNS-01.

Let’s Encrypt emphasizes that automation handles most renewals seamlessly, but users must adapt clients to avoid outages.

Rollout Timeline

To ease the transition, Let’s Encrypt deploys changes via ACME Profiles, configurable in clients like certbot or acme.sh.

Each change is previewed in the staging environment one month before its production date. Certificates issued or renewed after a change date receive the shorter validity.

Date          Profile    Changes
May 13, 2026  tlsserver  45-day certs (opt-in for testing)
Feb 10, 2027  classic    64-day certs, 10-day auth reuse
Feb 16, 2028  classic    45-day certs, 7-hour auth reuse

The classic profile is the default for the majority of users who have not opted in to the tlsserver or short-lived (6-day) profiles. Details are in Let’s Encrypt’s ACME Profiles docs.

Required Actions and Innovations

Verify that automated setups handle 45-day certificates. Enable ACME Renewal Information (ARI) in clients so that renewal is driven by the CA’s own renewal signals, per the ARI integration guide.

Without ARI, schedule renewals at ~two-thirds lifetime (e.g., 30 days for 45-day certs) instead of fixed 60-day intervals. Avoid manual renewals, which become impractical.

Monitoring remains critical: deploy expiry alerts using the tools listed in Let’s Encrypt’s monitoring options.
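The two renewal rules above (pick a time inside the ARI suggested window when the CA provides one, otherwise renew at two-thirds of the lifetime) and the expiry alert that backs them up can be written down as a small scheduler. The following is an added example and not Let’s Encrypt’s, certbot’s or acme.sh’s code; it assumes the ARI window has already been fetched and is passed in as a (start, end) pair, and all certificate dates in it are constructed sample values.

```python
"""Renewal scheduling for short-lived ACME certificates (added example).

Two strategies are modelled:
  * ARI: the CA publishes a suggested renewal window and the client picks a
    uniformly random instant inside it (the selection rule ARI specifies), so
    a fleet of clients spreads its renewals instead of all hitting the CA at once.
  * No ARI: renew once two-thirds of the lifetime has elapsed, so a 45-day
    certificate is renewed after 30 days and a 90-day one after 60.
The (start, end) ARI window is assumed to have been obtained already; this
code does not talk to the CA.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import random


def utc(year, month, day, hour=0):
    """Small helper so sample dates are unambiguous UTC instants."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def days(n):
    return timedelta(days=n)


@dataclass(frozen=True)
class RenewalPlan:
    renew_at: datetime  # instant at which the client should renew
    source: str         # "ari" or "two-thirds"
    due: bool           # True if renewal should happen now
    expired: bool       # True if the certificate has already lapsed


def two_thirds_renewal(not_before, not_after):
    """Fallback rule: renew at two-thirds of the certificate lifetime.
    Multiplying by 2 before dividing by 3 keeps timedelta arithmetic exact."""
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    return not_before + (not_after - not_before) * 2 / 3


def ari_renewal(window_start, window_end, seed=None):
    """ARI rule: choose a random instant in the suggested window.
    `seed` only exists to make the choice reproducible in tests."""
    if window_end < window_start:
        raise ValueError("ARI window end precedes its start")
    rng = random.Random(seed)
    span = (window_end - window_start).total_seconds()
    return window_start + timedelta(seconds=rng.uniform(0, span))


def plan_renewal(not_before, not_after, now, ari_window=None, seed=None):
    """Decide when to renew. If the chosen instant is already in the past
    (for example an ARI window that has closed), the plan is marked due,
    which is the behaviour ARI prescribes: renew immediately."""
    if ari_window is not None:
        renew_at = ari_renewal(ari_window[0], ari_window[1], seed=seed)
        source = "ari"
    else:
        renew_at = two_thirds_renewal(not_before, not_after)
        source = "two-thirds"
    return RenewalPlan(renew_at=renew_at, source=source,
                       due=now >= renew_at, expired=now >= not_after)


def expiry_alert(not_after, now, warn_days=7):
    """Monitoring hook independent of the renewal logic: returns
    'expired', 'warning' (inside the warning window) or 'ok'."""
    remaining = not_after - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= days(warn_days):
        return "warning"
    return "ok"


if __name__ == "__main__":
    # Constructed sample certificate: issued 1 March 2028, valid 45 days.
    not_before = utc(2028, 3, 1)
    not_after = not_before + days(45)
    now = not_before + days(31)
    print(plan_renewal(not_before, not_after, now))                    # two-thirds, due
    window = (not_before + days(28), not_before + days(32))
    print(plan_renewal(not_before, not_after, now, ari_window=window))  # ari
    print(expiry_alert(not_after, not_before + days(40)))              # warning
```

Note that a fixed 60-day cron interval, which the text warns against, is exactly what `two_thirds_renewal` yields for a 90-day certificate; for a 45-day one the same rule gives 30 days, which is why the interval must be derived from the certificate’s own dates rather than hard-coded.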

To simplify frequent validations, Let’s Encrypt advances DNS-PERSIST-01, a proposed IETF standard (draft).

This uses static DNS TXT records that persist across renewals, eliminating the need for dynamic updates.

Rollout expected in 2026, reducing reliance on auth reuse and enabling air-gapped automation.

Stay informed through the technical updates list, the community forum, and the 2024 Annual Report.

Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
