Let’s Encrypt has announced that it will gradually reduce the validity period of the publicly trusted TLS certificates it issues over the next few years, from the current 90 days to 45 days, with completion targeted for 2028. The adjustment is an industry-wide change driven by the Baseline Requirements set by the CA/Browser Forum, and all publicly trusted certificate authorities will adopt similar practices. The goal is to improve the overall security of the Internet by shortening the certificate lifecycle, limiting the exposure from risks such as key compromise, and improving the efficiency of revocation mechanisms.

In addition to the certificate validity period itself, Let’s Encrypt will also significantly shorten the authorization reuse period, that is, the window during which a completed domain control validation may still be used to issue further certificates. That window is currently 30 days and is planned to tighten to just seven hours by 2028, so domain control will have to be revalidated far more often, reducing the risk that a long-lived authorization is abused.
To minimize the impact on existing users, Let’s Encrypt will implement these changes in phases and let users control the timing of the switch on the client side through ACME profiles. The official schedule: starting May 13, 2026, the optional tlsserver profile will be the first to issue 45-day certificates; on February 10, 2027, the default classic profile will switch to 64-day certificates and the authorization reuse period will shorten to 10 days; by February 16, 2028, the classic profile will move to 45-day certificates and a 7-hour authorization reuse period. These dates affect only newly issued certificates; users will see the shorter validity period gradually as subsequent automatic renewals take place.
For most users who already obtain and renew certificates automatically, Let’s Encrypt says major modifications are generally not required, but recommends checking that existing automation can cope with shorter validity periods. It recommends that the ACME client support and enable the ACME Renewal Information (ARI) mechanism, so the client can learn the appropriate renewal time from the CA. If the client does not currently support ARI, renewal must be scheduled frequently enough: for example, avoid a "fixed 60-day renewal" strategy and instead trigger the renewal task at about two-thirds of the certificate lifetime. Manual renewal is expressly discouraged, since it becomes more frequent and more error-prone as the certificate lifetime shrinks further.
Let’s Encrypt also emphasized that operations teams should have adequate monitoring and alerting in place, so that if a certificate is not renewed as expected the system raises a prompt reminder and service interruptions or security risks are avoided. Let’s Encrypt lists a variety of third-party and self-hosted monitoring solutions on its website so users can choose a combination that suits the operational demands of a shorter certificate lifecycle.
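The renewal scheduling and expiry monitoring described in the two paragraphs above, as an added example that is not part of Let’s Encrypt’s announcement or any ACME client: it renews at the start of the ARI suggestedWindow when the client has fetched one, otherwise at two-thirds of the certificate lifetime, shows why a fixed 60-day interval cannot serve a 45-day certificate, and flags overdue renewals for alerting. The ARI JSON and certificate dates are constructed sample values.

```python
import json
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample of an ARI renewalInfo response: the CA's suggestedWindow
# carries RFC 3339 start/end timestamps (dates are made up for this example).
SAMPLE_ARI = json.dumps({
    "suggestedWindow": {"start": "2026-06-10T00:00:00Z",
                        "end": "2026-06-12T00:00:00Z"},
})

def parse_rfc3339(ts: str) -> datetime:
    # fromisoformat() accepts a trailing "Z" only from Python 3.11, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def ari_renewal_time(ari_json: str) -> datetime:
    """Renew at the start of the CA's suggested window; the CA can move the window
    earlier when it wants clients to renew ahead of schedule."""
    window = json.loads(ari_json)["suggestedWindow"]
    return parse_rfc3339(window["start"])

def fallback_renewal_time(not_before: datetime, not_after: datetime,
                          fraction: float = 2 / 3) -> datetime:
    """Without ARI: renew at a fraction of the lifetime, not on a fixed calendar interval,
    so the schedule shrinks automatically as lifetimes go 90 -> 64 -> 45 days."""
    lifetime_s = (not_after - not_before).total_seconds()
    return not_before + timedelta(seconds=round(lifetime_s * fraction))

def next_renewal(not_before: datetime, not_after: datetime,
                 ari_json: Optional[str] = None) -> datetime:
    """Prefer ARI; fall back to the two-thirds rule if ARI is absent or malformed."""
    if ari_json:
        try:
            return ari_renewal_time(ari_json)
        except (KeyError, ValueError, TypeError):
            pass  # malformed ARI degrades to the local schedule, never to "skip renewal"
    return fallback_renewal_time(not_before, not_after)

def fixed_interval_is_safe(lifetime_days: int, interval_days: int) -> bool:
    """A fixed renewal interval only works while it is shorter than the lifetime:
    a 60-day cron job renews a 90-day certificate but lets a 45-day one expire."""
    return interval_days < lifetime_days

def renewal_status(now: datetime, not_after: datetime, planned: datetime) -> str:
    """Monitoring check: 'expired', 'overdue' (planned renewal missed) or 'ok'."""
    if now >= not_after:
        return "expired"
    return "overdue" if now >= planned else "ok"
```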
Because shorter certificate validity and authorization reuse periods will force users to prove domain control more frequently, Let’s Encrypt is also promoting a new validation mechanism to make automation easier. The current HTTP-01, TLS-ALPN-01, and DNS-01 challenges in the ACME protocol typically require the ACME client to have live write access to the web server or DNS infrastructure at every validation, which is awkward from the standpoint of security isolation and least privilege. To address this, Let’s Encrypt is working with the CA/Browser Forum and the IETF to standardize DNS-PERSIST-01, whose core benefit is that the DNS TXT record used to prove control of a domain does not need to change on subsequent renewals.
Once DNS-PERSIST-01 is available, users can set up the DNS record once and then renew automatically for the long term without the automation having to modify DNS configuration, helping more organizations complete automated certificate deployment without loosening infrastructure access. This approach also reduces dependence on the authorization reuse period itself, because a long-lived, unchanged DNS record can keep supporting domain control validation without the ACME client repeatedly updating configuration. Let’s Encrypt expects the new challenge type to be available to users in 2026 and says it will announce more details and implementation guidance closer to launch.
Let’s Encrypt encourages users who need timely notice of technical changes to subscribe to its technical updates mailing list for the latest notifications about certificate validity adjustments, validation mechanism changes, and so on. Users with specific questions can go to the official community forum for discussion and help; those who want to follow the progress of Let’s Encrypt and its parent non-profit, the Internet Security Research Group (ISRG), on broader Internet security and privacy projects can consult the newly released annual report.