Let's Encrypt major changes countdown: TLS/SSL certificate validity reduced to 45 days, domain verification window shortened to 7 hours.

Tags:

  • Let's Encrypt
  • TLS/SSL certificate
  • 45 days

Author:AutonTrust

Time:2026-02-03 15:08:17

On December 2, 2025, Let’s Encrypt announced that it will further shorten the validity period of its publicly trusted TLS/SSL certificates from the current 90 days to 45 days by 2028. At the same time, the authorization reuse period for domain name verification will be shortened from the current 30 days to 7 hours.

Let’s Encrypt points out that this adjustment is an industry-wide change made in response to the CA/Browser Forum Baseline Requirements, and that all publicly trusted certificate authorities will make similar adjustments.

Shortening the validity period of TLS/SSL certificates is believed to help reduce the risk exposure from key leaks and improve the efficiency of certificate revocation technology, thereby enhancing overall internet security.

This change continues the Web PKI trend towards more frequent renewal and automated management. It also means that the certificate ecosystem will rely more heavily on automated tools to ensure timely renewal and secure management.

According to Let’s Encrypt’s announcement, in order to mitigate the impact, the change will be rolled out in phases.

The following updates will be deployed to the test environment approximately one month before the production dates listed below:

2026/5/13

Let's Encrypt's tlsserver ACME profile will be switched to issue certificates with a 45-day validity period. This profile is opt-in and intended for early testing users.

2027/2/10

The default classic ACME profile will be adjusted to issue certificates with a 64-day validity period, and the authorization reuse period will be shortened to 10 days. Users who have not selected the tlsserver or shortlived (6-day) profile will be affected.

2028/2/16

The classic profile will be updated again to issue 45-day certificates and apply a 7-hour authorization reuse period.

It should be emphasized that these dates apply to newly issued certificates. For Let’s Encrypt users, the shortened validity period will take effect at the first renewal after each date.

Impact on users: Automation becomes a prerequisite

In its announcement, Let’s Encrypt stated that most users who run an automated ACME client will not need to make additional adjustments, but they should confirm that their existing automation is compatible with shorter certificate lifetimes.

Therefore, Let’s Encrypt recommends that users enable ACME Renewal Information (ARI) to more accurately determine when to renew.

If the client does not currently support this feature, make sure its renewal schedule is compatible with a 45-day validity period. For example, a fixed 60-day renewal interval will no longer work. It is recommended to renew a certificate once about two-thirds of its validity period has elapsed.

Let’s Encrypt emphasizes that manual renewal is not recommended, as shortening the certificate validity period will significantly increase the frequency of operations.

It is also recommended to establish a robust monitoring mechanism to trigger alerts when certificates are not renewed on time.
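
The two-thirds renewal rule and the monitoring alert described above can be checked with a short script. This is an added example, not code from Let's Encrypt or any ACME client; the function names, the 3-day alert margin and the sample certificate dates (constructed, in the format printed by `openssl x509 -noout -dates`) are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample: a 45-day certificate, as `openssl x509 -noout -dates` prints it.
SAMPLE = "notBefore=Feb 16 00:00:00 2028 GMT\nnotAfter=Apr 01 00:00:00 2028 GMT\n"

def parse_dates(openssl_output):
    """Return (not_before, not_after) as UTC datetimes."""
    fields = dict(line.split("=", 1) for line in openssl_output.strip().splitlines())
    def to_dt(text):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def renew_after(not_before, not_after):
    """Moment at which two-thirds of the validity period has elapsed."""
    return not_before + (not_after - not_before) * 2 / 3

def check(not_before, not_after, now, grace=timedelta(days=3)):
    """Classify a certificate as 'ok', 'renew' or 'alert'.

    grace is an assumed margin: how long renewal may stay overdue
    before monitoring should raise an alert.
    """
    due = renew_after(not_before, not_after)
    if now < due:
        return "ok"
    if now < min(due + grace, not_after):
        return "renew"   # automation should be renewing now
    return "alert"       # renewal did not happen on time, or cert expired

def retry_margin_days(lifetime_days, interval_days):
    """Days left before expiry when a fixed-interval job fires.

    Zero or negative means the certificate expires before the job runs.
    """
    return lifetime_days - interval_days

if __name__ == "__main__":
    nb, na = parse_dates(SAMPLE)
    print("renew from:", renew_after(nb, na).isoformat())
    print("status now:", check(nb, na, datetime.now(timezone.utc)))
    # Validity periods named in the rollout: current, 2027 and 2028.
    for lifetime in (90, 64, 45):
        print(f"{lifetime}-day cert, fixed 60-day job:",
              retry_margin_days(lifetime, 60), "days of margin")
```

A fixed 60-day job leaves 30 days of margin today, 4 days under the 64-day phase, and runs 15 days after expiry once certificates last 45 days.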