Let’s Encrypt, a public-interest certificate authority, has announced the launch of a new “Generation Y” certificate hierarchy, along with plans to shorten the default certificate validity period to 45 days in stages over the next few years to further strengthen the security of encrypted Internet communications. The same set of changes also deprecates TLS client authentication and switches the default ACME configuration to the new certificate hierarchy.

Let’s Encrypt stated that the newly enabled Generation Y hierarchy consists of two new root certificates (Root CAs) and six new intermediate certificates (Intermediate CAs). These new certificates are cross-signed by the existing Generation X root certificates X1 and X2, so that the new hierarchy is also trusted and usable in environments that currently trust only X1/X2. Let’s Encrypt also reiterated that its TLS client authentication will be discontinued starting in February 2026. Starting May 13, 2026, the default classic ACME configuration will switch to a hierarchy based on Generation Y and will no longer include client authentication. For users who still need time to transition, Let’s Encrypt provides a tlsclient configuration that continues to use the existing Generation X root certificates until May 2026.

On certificate validity, Let’s Encrypt will shorten certificate lifetimes in stages, in line with the CA/Browser Forum Baseline Requirements. Starting in 2026 it enters a voluntary “testing the waters” phase in which early adopters and test users can opt into certificates with a 45-day validity period through the tlsserver configuration. In 2027 the default validity period drops to 64 days, and in 2028 it drops further to 45 days, at which point short-lived certificates become the norm. Let’s Encrypt pointed out that shorter certificate lifetimes narrow the attack window, allow cryptographic algorithm changes to roll out faster, and limit the long-term impact of problems such as mis-issuance.

Let’s Encrypt stated in a community announcement that users of the tlsserver and short-lived configurations will receive certificates issued from the Generation Y hierarchy starting this week. This switch also means that the optional short-lived certificates are now fully “generally available”, and support for including IP addresses directly in certificates has been added, which gives some deployment scenarios more flexibility. Website operators and service providers who rely on Let’s Encrypt will need to adapt over the next few years to a more frequent automatic renewal cycle, so that the security gains do not come at the cost of service stability.
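To make the cross-signing, client-authentication and validity-period points above concrete, here is an added Go example (not code from Let’s Encrypt or from this article) that builds a constructed miniature hierarchy with the Go standard library: an old root X, a new root Y issued both self-signed and cross-signed by X, an intermediate under Y, and a 45-day server leaf. It then verifies the leaf against a trust store that holds only the old root, with and without the cross-certificate in the served chain, checks that a server-only leaf is rejected when used for client authentication, and computes the point at which an ACME client renewing at two-thirds of the lifetime would renew. All names, serial numbers, key types and lifetimes are constructed assumptions chosen for the demonstration; they are not Let’s Encrypt’s actual certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed stand-in for the hierarchy the article describes: an old root (X),
// a new root (Y) that exists both self-signed and cross-signed by X, an intermediate under Y,
// and a short-lived server leaf. Nothing here is a real Let's Encrypt certificate.
type DemoPKI struct {
	OldRoot, NewRoot, NewRootCross, Intermediate, Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl for public key pub using the issuer's certificate and private key.
// Passing tmpl as its own issuer yields a self-signed certificate.
func issue(tmpl, issuer *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// caTemplate builds a CA template; Go derives the SubjectKeyId from the public key, so the
// self-signed and cross-signed copies of root Y end up with the same key identifier.
func caTemplate(serial int64, cn string, notBefore time.Time, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildDemoPKI generates fresh keys and issues the constructed hierarchy.
func BuildDemoPKI() *DemoPKI {
	now := time.Now().UTC().Truncate(time.Second) // second precision survives DER encoding
	oldKey, newKey, intKey, leafKey := mustKey(), mustKey(), mustKey(), mustKey()

	oldTmpl := caTemplate(1, "Constructed Root X", now, 20)
	oldRoot := issue(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey)

	newTmpl := caTemplate(2, "Constructed Root Y", now, 20)
	newRoot := issue(newTmpl, newTmpl, &newKey.PublicKey, newKey)
	// Cross-certificate: same subject and same key as root Y, but signed by root X.
	newRootCross := issue(caTemplate(3, "Constructed Root Y", now, 20), oldRoot, &newKey.PublicKey, oldKey)

	intermediate := issue(caTemplate(4, "Constructed Intermediate Y1", now, 5), newRoot, &intKey.PublicKey, newKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(5),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    now,
		NotAfter:     now.Add(45 * 24 * time.Hour), // the 45-day lifetime the article describes
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, // server auth only, no client auth
	}
	leaf := issue(leafTmpl, intermediate, &leafKey.PublicKey, intKey)

	return &DemoPKI{OldRoot: oldRoot, NewRoot: newRoot, NewRootCross: newRootCross, Intermediate: intermediate, Leaf: leaf}
}

// VerifyLeaf checks leaf against a trust store holding only roots, using the supplied chain
// certificates as intermediates and requiring eku. It returns nil when a valid path exists.
func VerifyLeaf(leaf *x509.Certificate, roots, chain []*x509.Certificate, eku x509.ExtKeyUsage) error {
	rootPool, intPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range chain {
		intPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName: leaf.DNSNames[0], Roots: rootPool, Intermediates: intPool, KeyUsages: []x509.ExtKeyUsage{eku},
	})
	return err
}

// LifetimeDays returns the certificate's validity period in days.
func LifetimeDays(c *x509.Certificate) float64 { return c.NotAfter.Sub(c.NotBefore).Hours() / 24 }

// RenewAt returns the instant at which a client renewing after num/den of the lifetime should act.
func RenewAt(c *x509.Certificate, num, den int64) time.Time {
	return c.NotBefore.Add(c.NotAfter.Sub(c.NotBefore) * time.Duration(num) / time.Duration(den))
}

func main() {
	p := BuildDemoPKI()
	oldOnly, withCross := []*x509.Certificate{p.OldRoot}, []*x509.Certificate{p.Intermediate, p.NewRootCross}
	fmt.Println("old-root store, chain includes cross-cert:", VerifyLeaf(p.Leaf, oldOnly, withCross, x509.ExtKeyUsageServerAuth))
	fmt.Println("old-root store, chain without cross-cert:", VerifyLeaf(p.Leaf, oldOnly, []*x509.Certificate{p.Intermediate}, x509.ExtKeyUsageServerAuth))
	fmt.Println("new-root store, cross-cert not needed:", VerifyLeaf(p.Leaf, []*x509.Certificate{p.NewRoot}, []*x509.Certificate{p.Intermediate}, x509.ExtKeyUsageServerAuth))
	fmt.Println("server-only leaf used for client auth:", VerifyLeaf(p.Leaf, oldOnly, withCross, x509.ExtKeyUsageClientAuth))
	fmt.Printf("leaf lifetime %.0f days, renew at %s\n", LifetimeDays(p.Leaf), RenewAt(p.Leaf, 2, 3).Format(time.RFC3339))
}
```

The second scenario is the one to watch during a hierarchy switch: a client that trusts only the old root X still validates the leaf, but only if the server sends the cross-certificate for root Y as part of its chain. Once clients trust root Y directly, the cross-certificate becomes unnecessary. The last lines show why renewal cadence matters: with a 45-day certificate, a client that renews at two-thirds of the lifetime must renew every 30 days.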