Let’s Encrypt to Cut SSL/TLS Certificate Validity to 45 Days by 2028

Let’s Encrypt, a leading Certificate Authority (CA), has announced a plan to reduce the maximum validity period of its SSL/TLS certificates from 90 days to 45 days by 2028. This aligns with industry-wide efforts to shrink the window in which a mis-issued certificate, or one whose private key has been compromised, remains usable, and to reduce dependence on certificate revocation, which browsers check inconsistently at best.

Phased Implementation Timeline

To ensure a smooth transition and minimize disruptions for the vast number of websites relying on its services, Let’s Encrypt has outlined a phased rollout using Automated Certificate Management Environment (ACME) Profiles:

– May 13, 2026: Introduction of the ‘tlsserver’ opt-in profile, issuing certificates with a 45-day validity. This phase targets early adopters and testing environments.

– February 10, 2027: The default ‘classic’ profile will begin issuing certificates valid for 64 days, accompanied by a reduction in the authorization reuse period to 10 days.

– February 16, 2028: Full implementation where the ‘classic’ profile will issue 45-day certificates, and the authorization reuse period will be further shortened to 7 hours.

Impact on Certificate Renewal Processes

The reduction in certificate lifespan necessitates a reevaluation of existing renewal configurations:

– Automated Systems: Environments with automated renewal should check for renewal at least daily and must not rely on a fixed calendar interval derived from the old 90-day lifetime. A cron job or script that renews "every 60 days", or only when 30 days of a 90-day lifetime have elapsed, will let a 45-day certificate expire; renewal logic should be driven by the certificate's own notBefore/notAfter (or by ARI) rather than by a hardcoded number of days.

– Manual Management: Manual renewal processes are strongly discouraged due to the increased administrative burden and heightened risk of human error leading to expired certificates.

Let’s Encrypt recommends that clients initiate renewal approximately two-thirds of the way through the certificate’s lifetime (day 60 of a 90-day certificate, day 30 of a 45-day one). To facilitate this, enabling ACME Renewal Information (ARI, RFC 9773) is advised: the client asks the CA for a suggested renewal window for a specific certificate, which also lets the CA pull renewal forward, for example when it needs to revoke certificates early.
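The renewal decision above, written out as an added example (this is not Let’s Encrypt’s code nor any particular ACME client’s). It builds the ARI certID the way RFC 9773 specifies (base64url of the AKI keyIdentifier, a period, base64url of the serial number’s DER content octets), then picks a renewal instant: a random point inside the CA’s suggestedWindow when an ARI response is available, otherwise two-thirds through the lifetime. The certificate dates and the ARI response are constructed sample data; the AKI and serial used to check the encoding are the worked example from RFC 9773.

```python
"""Renewal scheduling for short-lived ACME certificates (added example)."""
import base64
import random
from datetime import datetime, timedelta, timezone


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME and ARI require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def serial_der_content(serial: int) -> bytes:
    """Content octets of the DER INTEGER for a serial number (no tag/length).

    DER integers are two's complement, so a positive serial whose top bit is
    set needs a leading 0x00 byte; bit_length() // 8 + 1 gives exactly that.
    """
    if serial <= 0:
        raise ValueError("certificate serial numbers are positive integers")
    return serial.to_bytes(serial.bit_length() // 8 + 1, "big")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """RFC 9773 certID: base64url(AKI keyIdentifier) '.' base64url(serial DER).

    The client appends this to the directory's renewalInfo URL and GETs it.
    """
    return f"{b64url(aki_key_identifier)}.{b64url(serial_der_content(serial))}"


def parse_rfc3339(text: str) -> datetime:
    """Parse the timestamps ARI returns ('Z' suffix) into aware datetimes."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def fallback_renewal_time(not_before: datetime, not_after: datetime) -> datetime:
    """Without ARI: renew two-thirds of the way through the validity period.

    Derived from the certificate itself, so it keeps working as lifetimes
    shrink: 90-day cert -> day 60, 64-day cert -> day ~42.7, 45-day -> day 30.
    """
    return not_before + (not_after - not_before) * 2 / 3


def renewal_time(not_before, not_after, ari_response=None, now=None, rng=None):
    """Decide when to attempt renewal.

    With an ARI response, choose a uniformly random instant inside
    suggestedWindow so a fleet does not all hit the CA in the same second;
    if that instant is already past, renew immediately. Without ARI, fall
    back to the two-thirds rule.
    """
    now = now or datetime.now(timezone.utc)
    rng = rng or random.SystemRandom()
    if ari_response is None:
        return fallback_renewal_time(not_before, not_after)
    window = ari_response["suggestedWindow"]
    start = parse_rfc3339(window["start"])
    end = parse_rfc3339(window["end"])
    chosen = start + (end - start) * rng.random()
    return max(chosen, now)


# Constructed sample: a 45-day certificate, as the 2028 'classic' profile will issue.
NOT_BEFORE = datetime(2028, 3, 1, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(days=45)

# Constructed ARI response in the RFC 9773 shape (the CA would serve this from
# <renewalInfo URL>/<certID>); the window sits a few days before two-thirds.
ARI_RESPONSE = {
    "suggestedWindow": {
        "start": "2028-03-29T00:00:00Z",
        "end": "2028-03-31T00:00:00Z",
    }
}

if __name__ == "__main__":
    # AKI keyIdentifier and serial from the RFC 9773 worked example.
    aki = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4")
    print("certID:  ", ari_cert_id(aki, 0x87654321))
    print("fallback:", fallback_renewal_time(NOT_BEFORE, NOT_AFTER).isoformat())
    day20 = NOT_BEFORE + timedelta(days=20)
    print("with ARI:", renewal_time(NOT_BEFORE, NOT_AFTER, ARI_RESPONSE, now=day20).isoformat())
```

Run the decision on every check (at least daily), not once at issuance: the CA may move the window, and the fallback only ever depends on the certificate's own dates, so the same code is correct for 90-, 64- and 45-day certificates.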

Enhancements in Domain Control Validation

With the authorization reuse period decreasing to 7 hours by 2028, clients will need to prove domain control more frequently. To mitigate potential challenges, Let’s Encrypt is collaborating with the Internet Engineering Task Force (IETF) to standardize a new validation method: DNS-PERSIST-01.

Expected to launch in 2026, DNS-PERSIST-01 will allow a static DNS TXT record to be provisioned once and reused across renewals, eliminating the per-renewal dynamic DNS updates that DNS-01 requires. This is particularly beneficial for infrastructures where dynamic DNS updates are restricted or technically challenging, and it reduces reliance on cached authorizations, which will only last 7 hours by 2028.

Industry Context and Future Outlook

This move by Let’s Encrypt is part of a broader industry trend toward shorter certificate lifespans. The CA/Browser Forum has approved a ballot reducing the maximum validity of publicly trusted SSL/TLS certificates from 398 days to 47 days by March 2029, in steps: 200 days from March 15, 2026, 100 days from March 15, 2027, and 47 days from March 15, 2029. The same ballot shortens how long domain-validation results may be reused, down to 10 days by 2029. These changes limit the exposure of leaked or compromised private keys and of stale domain-control evidence, and they push operators toward automated certificate lifecycle management.

As the industry moves toward shorter certificate lifespans, organizations must adapt by putting robust automation in place to handle frequent renewals and revalidation reliably. This transition represents a fundamental shift in digital trust management, trading long-lived credentials for frequent, automated proof of control.