Web PKI: Let's Encrypt shortens certificate validity to 45 days

The CA/Browser Forum's decision caps certificate validity at 45 days. However, the change will not be abrupt; admins get a long test phase.


Free TLS certificates from Let’s Encrypt (LE) will soon be valid for a significantly shorter period than today: their validity will be halved from the current 90 days. As a Certificate Authority (CA), Let’s Encrypt is thus implementing a change to the “Baseline Requirements” that govern the issuance of certificates for the Web PKI. LE will initially launch a test operation in May.

It starts on May 13, 2026: Anyone who wishes can order certificates with a validity of 45 days from that day onwards, and must use the optional certificate profile "tlsserver" for this. On February 10, 2027, the validity for all newly issued certificates will then initially drop to 64 days, and a little over a year later, on February 16, 2028, to 45 days.

Most administrators who use Let’s Encrypt certificates for their web servers will likely notice little difference from the change: in the future, their renewal automation will simply run every one and a half months instead of every three months. To assist such automatic helpers, there will be a protocol extension for ACME (Automatic Certificate Management Environment) called ACME Renewal Information (ARI), through which the CA tells the client when a certificate should be renewed.


The project has long advised against manual certificate renewal, stating that the process is too error-prone and would now have to be performed twice as often. Furthermore, administrators should ensure that they are alerted by monitoring systems as soon as a renewal fails, Let’s Encrypt recommends in the announcement blog post.
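The monitoring the blog post recommends boils down to one question: has automated renewal silently stopped, and how much of the shorter lifetime is left? The following script is an added example, not code from the article or from Let's Encrypt. It reads the two lines that `openssl x509 -noout -dates -in cert.pem` prints (the sample is constructed to match a 45-day certificate issued on the test start date) and classifies the certificate so a monitoring system can alert before expiry. The renewal policy it encodes is an assumption chosen for illustration, not an ARI value: renewal counts as "due" once two thirds of the lifetime have elapsed (30 days into a 90-day certificate, 15 days before expiry of a 45-day one) and "critical" once less than a ninth of the lifetime remains. It also shows, for comparison, that the same rule applied to a 90-day certificate yields the familiar 30-days-before-expiry renewal point.

```python
"""Expiry/renewal monitor for short-lived TLS certificates.

Added example, not from the heise article or Let's Encrypt. The thresholds
below are assumptions for illustration; with ACME Renewal Information (ARI)
the CA supplies the renewal window itself.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `openssl x509 -noout -dates -in cert.pem`
# output for a 45-day certificate issued on the article's test-start date.
SAMPLE_DATES = """notBefore=May 13 00:00:00 2026 GMT
notAfter=Jun 27 00:00:00 2026 GMT
"""

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # OpenSSL's default -dates format
RENEW_AFTER_FRACTION = 2 / 3  # assumption: renew once 2/3 of the lifetime is used
CRITICAL_FRACTION = 1 / 9     # assumption: alert hard when < 1/9 of lifetime remains


def utc(year, month, day):
    """Small helper so callers (and tests) can build aware UTC datetimes."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Return (not_before, not_after) as aware UTC datetimes from -dates output."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def lifetime_days(not_before, not_after):
    """Whole days of validity; 45 for the new Let's Encrypt profile."""
    return (not_after - not_before).days


def renewal_due_at(not_before, not_after, fraction=RENEW_AFTER_FRACTION):
    """Point in time after which the certificate should already be renewed."""
    elapsed = (not_after - not_before).total_seconds() * fraction
    # round() keeps the result on an exact second boundary for clean lifetimes
    return not_before + timedelta(seconds=round(elapsed))


def classify(not_before, not_after, now=None):
    """Return 'valid', 'due', 'critical' or 'expired' for alerting purposes."""
    now = now if now is not None else datetime.now(timezone.utc)
    if now >= not_after:
        return "expired"
    lifetime = not_after - not_before
    remaining = not_after - now
    critical = timedelta(seconds=round(lifetime.total_seconds() * CRITICAL_FRACTION))
    if remaining <= critical:
        return "critical"
    if now >= renewal_due_at(not_before, not_after):
        return "due"
    return "valid"


def report(text, now=None):
    """Parse -dates output and return a dict a monitoring check can emit."""
    not_before, not_after = parse_openssl_dates(text)
    now = now if now is not None else datetime.now(timezone.utc)
    return {
        "lifetime_days": lifetime_days(not_before, not_after),
        "days_remaining": (not_after - now).days,
        "renewal_due_at": renewal_due_at(not_before, not_after).isoformat(),
        "status": classify(not_before, not_after, now),
    }


if __name__ == "__main__":
    # Evaluate the constructed 45-day sample at a few points in its lifetime.
    for day in (utc(2026, 6, 1), utc(2026, 6, 15), utc(2026, 6, 24), utc(2026, 6, 28)):
        print(day.date(), report(SAMPLE_DATES, now=day))
```

In practice the `status` field would be exported to the monitoring system (an exporter metric or a check plugin exit code), with "due" paging nobody but "critical" and "expired" paging immediately; with a 45-day lifetime the "critical" band is only five days wide, which is why the check has to run at least daily.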

Those who still struggle with automation may appreciate the new verification method "DNS-PERSIST-01". Here, a DNS entry only needs to be set once for verification and not with every certificate renewal. However, DNS-PERSIST-01 still needs to be ratified by the relevant bodies, i.e., the IETF and the CA/Browser Forum.

The driving force behind the changes is the powerful alliance of browser manufacturers and CAs. Chrome, Mozilla, and others in particular regard long certificate validity periods as a major security risk and have been lobbying for years to shorten them, which led to the CA/B Forum's decision last autumn to make shorter validity periods mandatory.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.