Let’s Encrypt Unveils New “Generation Y” Root and a Move to 45-Day Certificates


Let’s Encrypt, the nonprofit certificate authority powering free TLS/SSL certificates for millions of websites, announced sweeping updates to its issuance policies.

The changes introduce a new “Generation Y” root hierarchy, deprecate TLS client authentication, and progressively shorten certificate lifetimes to align with CA/Browser Forum requirements.

To ensure a smooth transition, Let’s Encrypt uses ACME profiles, giving subscribers control over when they move to the new hierarchy. For most users, no immediate action is needed.

Central to the update is the “Generation Y” hierarchy: two new Root CAs and six Intermediate CAs, cross-signed by the existing “Generation X” roots (X1 and X2).

This maintains broad trust compatibility. The new intermediates omit the TLS Client Authentication Extended Key Usage (EKU), addressing an upcoming root program mandate. Let’s Encrypt previously detailed plans to end TLS Client Auth support from February 2026.

Profile-specific timelines vary. Users on the default classic profile switch to Generation Y on May 13, 2026. Those needing legacy TLS client auth can stick with the tlsclient profile, which remains on Generation X until May 2026.


Meanwhile, TLS server and short-lived profiles shift to Generation Y this week, enabling opt-in short-lived certificates with IP address support. This marks general availability for short-lived certs, aiding automated renewals and reducing exposure windows.

Shortening lifetimes complies with the evolving CA/Browser Forum Baseline Requirements. Next year, early adopters will be able to test 45-day certificates through the tlsserver profile. Default lifetimes drop to 64 days in 2027 and to 45 days in 2028, as detailed in Let’s Encrypt’s lifetime reduction post.
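Two practical consequences of the announcement are that clients choose a profile at order time and that renewal schedules tuned for 90-day certificates no longer leave enough margin once lifetimes shrink. The following added example (not Let’s Encrypt’s code and not taken from any ACME client) shows both: it reads the profile list a CA advertises in its ACME directory, picks the requested profile or falls back to the CA default, builds the newOrder body with the `profile` field from the ACME profiles draft, and computes when a certificate of a given lifetime should be renewed. The directory JSON and the certificate dates are constructed sample data; the hostnames, the profile descriptions and the two-thirds-of-lifetime renewal rule are assumptions chosen for illustration.

```python
"""ACME profile selection and renewal scheduling for shorter lifetimes (added example)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of an ACME directory document. The "profiles" object under
# "meta" is the mechanism from the ACME profiles draft that Let's Encrypt uses;
# the profile names mirror those discussed above, the descriptions and URLs are
# invented for this example.
SAMPLE_DIRECTORY = json.dumps({
    "newNonce": "https://acme.example/acme/new-nonce",
    "newAccount": "https://acme.example/acme/new-acct",
    "newOrder": "https://acme.example/acme/new-order",
    "meta": {
        "termsOfService": "https://acme.example/terms",
        "profiles": {
            "classic": "Default profile",
            "tlsserver": "TLS server certificates only, no client auth EKU",
            "tlsclient": "Legacy profile that keeps the TLS client auth EKU",
            "shortlived": "Short-lived certificates, IP addresses allowed",
        },
    },
})


def available_profiles(directory_json: str) -> dict:
    """Return the profile-name -> description map the CA advertises (empty if none)."""
    return json.loads(directory_json).get("meta", {}).get("profiles", {})


def select_profile(directory_json: str, wanted: str, *, required: bool = False):
    """Pick the profile to request. If the CA does not offer `wanted`, either fail
    loudly (required=True) or return None so the CA default is used instead."""
    profiles = available_profiles(directory_json)
    if wanted in profiles:
        return wanted
    if required:
        raise ValueError(
            f"CA does not offer required profile {wanted!r}; it offers {sorted(profiles)}"
        )
    return None


def new_order_payload(identifiers, profile):
    """Build the JSON body of a newOrder request. Identifier types follow RFC 8555
    ("dns") and RFC 8738 ("ip"). The "profile" member is only sent when set, so an
    unset profile leaves the choice to the CA."""
    payload = {"identifiers": [{"type": t, "value": v} for t, v in identifiers]}
    if profile is not None:
        payload["profile"] = profile
    return payload


def renewal_time(not_before: datetime, not_after: datetime,
                 elapsed_num: int = 2, elapsed_den: int = 3) -> datetime:
    """Renew once elapsed_num/elapsed_den of the lifetime has passed (default 2/3,
    which is the old "30 days before expiry" rule for a 90-day certificate,
    assumed here as a reasonable fraction for shorter lifetimes as well)."""
    lifetime = not_after - not_before
    return not_before + lifetime * elapsed_num / elapsed_den


def check_interval_ok(not_before: datetime, not_after: datetime,
                      check_every: timedelta) -> bool:
    """True if a renewal job that runs every `check_every` gets at least two
    attempts between the renewal point and expiry, leaving room for one failure."""
    margin = not_after - renewal_time(not_before, not_after)
    return check_every * 2 <= margin


if __name__ == "__main__":
    profile = select_profile(SAMPLE_DIRECTORY, "shortlived")
    order = new_order_payload([("dns", "www.example.com"), ("ip", "192.0.2.10")], profile)
    print(json.dumps(order, indent=2))
    nb = datetime(2026, 1, 1, tzinfo=timezone.utc)
    for days in (90, 45, 6):
        na = nb + timedelta(days=days)
        print(days, "day cert: renew at", renewal_time(nb, na).date(),
              "weekly cron ok:", check_interval_ok(nb, na, timedelta(days=7)),
              "twice-daily ok:", check_interval_ok(nb, na, timedelta(hours=12)))
```

The last loop is the point of the exercise: a weekly renewal cron that was harmless with 90-day certificates has no margin at all at 6 days, and a client that checks only once a day is cutting it close even at 45 days. Combine the check with the `required=True` mode when a deployment genuinely depends on a profile (for example, an IP-address certificate that is only available through a profile that permits it) so that a fallback to the default profile cannot silently produce the wrong kind of certificate.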

Timeline Overview

Change                              Profile affected         Date
Gen Y rollout                       tlsserver, shortlived    This week
TLS Client Auth support ends        All (tlsclient legacy)   Feb 2026
Gen Y becomes default               classic                  May 13, 2026
45-day certificates (opt-in)        tlsserver                2026
Default lifetime drops to 64 days   All                      2027
Default lifetime drops to 45 days   All                      2028

These updates strengthen security by limiting the window in which a compromised key can be abused, through shorter validity and narrower EKUs, without disrupting most workflows. Let’s Encrypt urges subscribers to review the linked posts and community forums for edge cases such as IP address certificates.

With Let’s Encrypt now securing over 300 million domains, these changes underscore its proactive adaptation to industry standards and may influence the broader PKI ecosystem.
