|
| 1 | +--- |
| 2 | +author: Matthew McPherrin |
| 3 | +date: 2025-12-02T00:00:00Z |
| 4 | +slug: from-90-to-45 |
| 5 | +title: "Decreasing Certificate Lifetimes to 45 Days" |
| 6 | +excerpt: "Improving security for active and revoked certificates." |
| 7 | +display_default_footer: true |
| 8 | +display_inline_newsletter_embed: false |
| 9 | +--- |
| 10 | + |
| 11 | +Let’s Encrypt will be reducing the validity period of the certificates we issue. We currently issue certificates valid for 90 days, which will be cut in half to 45 days by 2028. |
| 12 | + |
| 13 | +This change is being made along with the rest of the industry, as required by the [CA/Browser Forum Baseline Requirements](https://cabforum.org/working-groups/server/baseline-requirements/requirements/), which set the technical requirements that we must follow. All publicly-trusted Certificate Authorities like Let’s Encrypt will be making similar changes. Reducing how long certificates are valid for helps improve the security of the internet, by limiting the scope of compromise, and making certificate revocation technologies more efficient. |
| 14 | + |
| 15 | +We are also reducing the authorization reuse period, which is the length of time after validating domain control that we allow certificates to be issued for that domain. It is currently 30 days, which will be reduced to 7 hours by 2028. |
| 16 | + |
| 17 | +## Timeline of Changes |
| 18 | + |
| 19 | +To minimize disruption, Let’s Encrypt will roll this change out in multiple stages. We will use ACME Profiles to allow you control over when these changes take effect. They are configured in your ACME client. For more information, see our [blog post announcing them](https://letsencrypt.org/2025/01/09/acme-profiles). |
| 20 | + |
| 21 | +Changes will be deployed to our staging environment approximately one month before the production dates below. |
| 22 | + |
| 23 | + * **May 13, 2026:** Let’s Encrypt will switch our [tlsserver](https://letsencrypt.org/docs/profiles/#tlsserver) ACME profile to issue 45-day certificates. This profile is opt-in and can be used by early adopters and for testing. |
| 24 | + * **February 10, 2027:** Let’s Encrypt will switch our default [classic](https://letsencrypt.org/docs/profiles/#classic) ACME profile to issuing 64-day certificates with a 10-day authorization reuse period. This will affect all users who have not opted into the [tlsserver](https://letsencrypt.org/docs/profiles/#tlsserver) or [shortlived](https://letsencrypt.org/docs/profiles/#shortlived) (6-day) profiles. |
| 25 | + * **February 16, 2028:** We will further update the [classic](https://letsencrypt.org/docs/profiles/#classic) profile to issue 45-day certificates with a 7 hour authorization reuse period. |
| 26 | + |
| 27 | +These dates are when the change takes effect for new certificates, so Let’s Encrypt users will see the reduced certificate validity period at their next renewal after these dates. |
| 28 | + |
| 29 | +## Action Required |
| 30 | + |
| 31 | +Most users of Let’s Encrypt who automatically issue certificates will not have to make any changes. However, you should verify that your automation is compatible with certificates that have shorter validity periods. |
| 32 | + |
| 33 | +To ensure your ACME client renews on time, we recommend using [ACME Renewal Information (ARI)](https://letsencrypt.org/2023/03/23/improving-resliiency-and-reliability-with-ari). ARI is a feature we’ve introduced to help clients know when they need to renew their certificates. Consult your ACME client’s documentation on how to enable ARI, as it differs from client to client. If you are a client developer, check out this [integration guide](https://letsencrypt.org/2024/04/25/guide-to-integrating-ari-into-existing-acme-clients). |
| 34 | + |
| 35 | +If your client doesn’t support ARI yet, ensure it runs on a schedule that is compatible with 45-day certificates. For example, renewing at a hardcoded interval of 60 days will no longer be sufficient. Acceptable behavior includes renewing certificates at approximately two thirds of the way through the current certificate’s lifetime. |
| 36 | + |
| 37 | +Manually renewing certificates is not recommended, as it will need to be done more frequently with shorter certificate lifetimes. |
| 38 | + |
| 39 | +We also recommend that you make sure your systems have sufficient monitoring in place to alert appropriately if certificates aren’t renewed when expected. There are many available options, some of which are documented on our [Monitoring Service Options](https://letsencrypt.org/docs/monitoring-options/) page. |
| 40 | + |
| 41 | +## Making Automation Easier with a new DNS Challenge Type |
| 42 | + |
| 43 | +For many of our users, the hardest part of automatically issuing certificates is proving domain control. Reducing certificate lifetimes and the authorization reuse period will make users need to demonstrate control more often. |
| 44 | + |
| 45 | +All validation methods today require that the ACME client have live access to your infrastructure, either to serve the correct HTTP-01 token, perform the right TLS-ALPN-01 handshake, or update the right DNS-01 TXT record. For a long time, people have wanted a way to run an ACME client without granting it access to these sensitive systems. |
| 46 | + |
| 47 | +These challenges are why we are working with our partners at the CA/Browser Forum and IETF to standardize a new validation method called [DNS-PERSIST-01](https://datatracker.ietf.org/doc/html/draft-sheurich-acme-dns-persist-01). The key advantage of this new method is that the DNS TXT entry used to demonstrate control does not have to change every renewal. |
| 48 | + |
| 49 | +This means you can set up the DNS entry once and begin automatically renewing certificates without needing a way to automatically update DNS. This should allow even more people to automate their certificate renewals. It will also reduce reliance on authorization reuse, since the DNS records can stay unchanged without any further ACME client involvement. |
| 50 | + |
| 51 | +We expect DNS-PERSIST-01 to be available in 2026, and will have more to announce soon. |
| 52 | + |
| 53 | +## Keep Up to Date |
| 54 | + |
| 55 | +Additional updates, reminders, and other changes will be shared on our [technical updates mailing list](https://letsencrypt.org/opt-in/). Subscribe to keep up-to-date with these and all other upcoming changes. If you have any questions, please ask on our [community forum](https://community.letsencrypt.org/). If you want to read more about the work happening at Let’s Encrypt and our other projects, check out our [Annual Report](https://www.abetterinternet.org/annual-reports/), which was published today. |
0 commit comments