Let’s Encrypt, the nonprofit certificate authority serving millions of websites, announced a significant shift in how it issues digital certificates.
Starting in 2026, the organization will reduce the validity period of its SSL/TLS certificates from 90 days to 45 days, with complete implementation expected by February 2028.
The move aligns Let’s Encrypt with broader industry standards mandated by the CA/Browser Forum Baseline Requirements, which establish technical guidelines for all publicly-trusted Certificate Authorities.
This industry-wide initiative aims to strengthen internet security by limiting the scope of potential compromise and improving the effectiveness of certificate revocation.
Beyond shortening certificate lifespans, Let’s Encrypt is also reducing its authorization reuse period from 30 days to just 7 hours by 2028.
This means domain control validation will need to occur more frequently. However, the organization is introducing new tools to streamline this process.
A Phased Rollout to Minimize Disruption
Rather than implementing changes overnight, Let’s Encrypt will deploy updates across multiple stages using ACME Profiles, which give administrators control over when to adopt new standards. The timeline includes three key milestones.
On May 13, 2026, the organization will launch its TLS server ACME profile for early adopters and testing, issuing 45-day certificates.
The following year, on February 10, 2027, the default classic profile will issue 64-day certificates with a 10-day authorization reuse period.
Finally, on February 16, 2028, the classic profile will fully transition to 45-day certificates with a 7-hour authorization reuse window.
Most Let’s Encrypt users with automated certificate management will experience minimal disruption, as the changes only take effect at certificate renewal after each rollout date.
However, administrators must verify that their automation infrastructure can handle more frequent renewals.
To address renewal challenges, Let’s Encrypt recommends using ACME Renewal Information (ARI).
This feature notifies clients precisely when to renew certificates. Where a client lacks ARI support, organizations should schedule renewal approximately two-thirds of the way through the certificate’s current validity period.
Fixed renewal intervals of 60 days will no longer suffice.
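The two-thirds rule and the failure of a fixed 60-day timer can be checked against the dates printed by `openssl x509 -noout -dates`. The following is an added example, not code from Let’s Encrypt; the function names are hypothetical, the sample dates are constructed, and it does not implement ARI.

```python
from datetime import datetime, timedelta, timezone

# Date format printed by `openssl x509 -noout -dates`.
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample output for a 45-day certificate (not a real certificate).
SAMPLE_45_DAY = """notBefore=May 13 00:00:00 2026 GMT
notAfter=Jun 27 00:00:00 2026 GMT"""


def parse_dates(text):
    """Return (not_before, not_after) as UTC datetimes from openssl -dates output."""
    fields = dict(line.strip().split("=", 1) for line in text.strip().splitlines())

    def to_utc(value):
        return datetime.strptime(value, OPENSSL_FMT).replace(tzinfo=timezone.utc)

    return to_utc(fields["notBefore"]), to_utc(fields["notAfter"])


def renew_at(not_before, not_after):
    """Renewal point two-thirds of the way through the validity period."""
    return not_before + (not_after - not_before) * 2 / 3


def status(not_before, not_after, now):
    """Classify a certificate for a monitoring check."""
    if now >= not_after:
        return "EXPIRED"
    if now >= renew_at(not_before, not_after):
        return "RENEW_DUE"
    return "OK"


def fixed_interval_outage(not_before, not_after, interval_days=60):
    """How long a fixed-interval renewal job would leave the certificate expired."""
    overrun = not_before + timedelta(days=interval_days) - not_after
    return max(overrun, timedelta(0))


if __name__ == "__main__":
    nb, na = parse_dates(SAMPLE_45_DAY)
    print("renew at:", renew_at(nb, na).isoformat())
    print("status now:", status(nb, na, datetime.now(timezone.utc)))
    print("outage with 60-day timer:", fixed_interval_outage(nb, na))
```

For the constructed 45-day certificate, renewal falls due 30 days after issuance, while a 60-day timer would fire 15 days after expiry.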
The organization is also working with the CA/Browser Forum and the IETF to standardize DNS-PERSIST-01, a new validation method that will arrive in 2026.
This approach allows administrators to configure DNS entries once without requiring changes at each renewal, significantly simplifying automation for organizations with limited ACME client access to infrastructure.
Organizations should implement comprehensive monitoring systems to alert administrators if certificate renewals fail unexpectedly.
Let’s Encrypt provides documentation on available monitoring options to help administrators maintain visibility.
Administrators can stay informed by subscribing to Let’s Encrypt’s technical updates mailing list.
While shorter certificate lifespans require more frequent renewals, the enhanced security posture and new automation tools should significantly reduce operational friction.
