The transition, which will be completed by 2028, aligns with broader industry shifts mandated by the CA/Browser Forum Baseline Requirements.
This move is designed to enhance internet security by limiting the window of compromise for stolen credentials and improving the efficiency of certificate revocation technologies.
In addition to shortening certificate lifespans, the Certificate Authority (CA) will drastically reduce the “authorization reuse period,” the duration for which a validated domain control remains active before re-verification is required.
Currently set at 30 days, this period will shrink to just 7 hours by the final rollout phase in 2028.
To minimize service disruption for millions of websites, Let’s Encrypt is using ACME Profiles to stagger deployments. The changes will first be introduced via opt-in profiles before becoming the default standard for all users.
| Date | ACME Profile | Policy Change |
|---|---|---|
| May 13, 2026 | tlsserver (Opt-in) | Profile switches to issuing 45-day certificates. Intended for testing and early adopters. |
| Feb 10, 2027 | classic (Default) | Default issuance moves to 64-day certificates with a 10-day authorization reuse period. |
| Feb 16, 2028 | classic (Default) | Full enforcement of 45-day certificates with a 7-hour authorization reuse period. |
While most automated environments will handle these changes seamlessly, the shortened validity period necessitates a review of current renewal configurations.
Administrators relying on hardcoded renewal intervals, such as a cron job running every 60 days, will face outages, as certificates will expire before the renewal triggers.
Let’s Encrypt advises that acceptable client behavior involves renewing certificates approximately two-thirds of the way through their lifetime.
To facilitate this, the organization recommends enabling ACME Renewal Information (ARI), a feature that allows the CA to signal precisely when a client should renew.
Manual certificate management is strongly discouraged, as the administrative burden of renewing every few weeks increases the likelihood of human error and expired certificates.
The reduction in authorization reuse means clients must prove domain control more frequently. To address the friction this causes for users who cannot easily automate DNS updates, Let’s Encrypt is collaborating with the IETF to standardize a new validation method: DNS-PERSIST-01.
Expected to launch in 2026, this protocol allows for a static DNS TXT entry. Unlike the current DNS-01 challenge, which requires a new token for every renewal, DNS-PERSIST-01 permits the initial verification record to remain unchanged.
This development will enable automated renewals for infrastructure where dynamic DNS updates are restricted or technically difficult, reducing the reliance on cached authorizations.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Let’s Encrypt to Reduce Certificate Validity from 90 Days to 45 Days appeared first on Cyber Security News.
A nation-state malware known as Kazuar has resurfaced with a far more dangerous design than…
A high-severity privilege escalation vulnerability has been discovered in VMware Fusion, Broadcom’s popular macOS virtualization…
A state-aligned hacking group known as FrostyNeighbor has resurfaced with a fresh wave of cyberattacks…
James Ohlen, the former director of BioWare MMO Star Wars: The Old Republic, has discussed…
Subnautica 2 has sold 2 million copies within 12 hours of its early access launch,…
Peter Jackson has compared The Lord of the Rings: The Hunt for Gollum to Joaquin…
This website uses cookies.