This change is being made in line with the rest of the industry as well as the CA/Browser Forum Baseline Requirements, which set the technical requirements we must follow. All publicly-trusted certificate authorities like Let’s Encrypt will make similar changes. Reducing the validity period of certificates helps improve the security of the Internet by limiting the scope of compromise, and by making certificate revocation techniques more efficient.
We are also reducing the authorization reuse period, which is the period of time after validating domain control during which we are allowed to issue certificates for that domain. It is currently 30 days and will be reduced to 7 hours by 2028.
Timeline of change
To minimize disruption, Let’s Encrypt will implement this change in phases. We will use ACME profiles to give you control over when these changes take effect. They are configured in your ACME client. For more details, check out our blog post announcing them.
Changes will be implemented in our staging environment approximately one month before the production dates listed below.
- May 13, 2026: Let’s Encrypt will switch our tlsserver ACME profile to issue 45-day certificates. This profile is opt-in and can be used for early adopters and testing.
- February 10, 2027: Let’s Encrypt will switch our default classic ACME profile to issue 64-day certificates with a 10-day authorization reuse period. This will affect all users who have not opted in to the tlsserver or short-term (6-day) profile.
- February 16, 2028: We will further update the classic profile to issue 45-day certificates with a 7-hour authorization reuse period.
These dates are when the change takes effect for new certificates, so Let’s Encrypt users will see a reduced certificate validity period on their next renewal after these dates.
Action required
Most users of Let’s Encrypt that automatically issue certificates will not need to make any changes. However, you should verify that your automation is compatible with certificates that have a shorter validity period.
To ensure that your ACME client renews on time, we recommend using ACME Renewal Information (ARI). ARI is a feature we introduced to help clients know when they need to renew their certificates. Consult your ACME client’s documentation about how to enable ARI, as this varies from client to client. If you are a client developer, check out this integration guide.
If your client does not yet support ARI, make sure it runs on a schedule compatible with 45-day certificates. For example, renewing at a hardcoded interval of 60 days will no longer suffice. Acceptable practice includes renewing approximately two thirds of the way through the lifetime of the current certificate.
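The scheduling rule above can be checked against each lifetime in the timeline with a short script. This is an added example, not Let’s Encrypt or ACME client code; the function names, the `(start, end)` window pair standing in for an ARI suggested window, and the sample issue date are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone


def renewal_time(not_before, not_after, ari_window=None, pick=0.5):
    """Return the time at which renewal of one certificate should start.

    ari_window: optional (start, end) datetimes taken from an ARI response.
    pick: position inside that window, 0..1 (clients normally randomise it).
    Without ARI, fall back to two thirds of the certificate lifetime.
    """
    if ari_window is not None:
        start, end = ari_window
        return start + (end - start) * pick
    return not_before + (not_after - not_before) * 2 / 3


def fixed_interval_verdict(interval, lifetime):
    """Classify a hardcoded renewal interval against a certificate lifetime."""
    if interval >= lifetime:
        return "expires-before-renewal"   # outage: the old cert lapses first
    if interval * 3 > lifetime * 2:
        return "too-late"                 # renews after the two-thirds point
    return "ok"


def is_due(now, not_before, not_after, ari_window=None):
    """True once the scheduler should request a new certificate."""
    return now >= renewal_time(not_before, not_after, ari_window)


if __name__ == "__main__":
    issued = datetime(2028, 3, 1, tzinfo=timezone.utc)  # constructed sample
    hardcoded = timedelta(days=60)
    for days in (90, 64, 45, 6):
        life = timedelta(days=days)
        print(f"{days:>2}-day cert: renew at "
              f"{renewal_time(issued, issued + life):%Y-%m-%d %H:%M}, "
              f"60-day cron is {fixed_interval_verdict(hardcoded, life)}")
```
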
It is not recommended to manually renew certificates, as this will need to be done more frequently with shorter certificate lifetimes.
We also recommend that you ensure that you have adequate monitoring in place to appropriately alert you if certificates are not renewed as expected. There are several available options, some of which are documented on our Monitoring Service Options page.
Simplifying automation with new DNS challenge types
For many of our users, the hardest part of automatically issuing certificates is proving domain control. Reducing certificate lifetimes and authorization reuse periods will require users to demonstrate control more frequently.
All validation methods today require that the ACME client have live access to your infrastructure, either to serve the correct HTTP-01 token, perform the correct TLS-ALPN-01 handshake, or update the correct DNS-01 TXT record. For a long time, people have wanted a way to run the ACME client without giving it access to these sensitive systems.
Because of these challenges, we are working with our partners at the CA/Browser Forum and the IETF to standardize a new validation method called DNS-PERSIST-01. The main advantage of this new method is that the DNS TXT entry used to demonstrate control does not have to change with every renewal.
This means you can set up the DNS entry once and start automatically renewing certificates without the need to update DNS automatically. This should allow even more people to automate their certificate renewals. This will also reduce reliance on authorization reuse, as DNS records can remain unchanged without any ACME client involvement.
We expect DNS-PERSIST-01 to be available in 2026, and have more to announce soon.
Keep up to date
Additional updates, reminders, and other changes will be shared on our technical update mailing list. Subscribe to stay updated on these and all other upcoming changes. If you have any questions, please ask on our community forum. If you want to read more about the work happening on Let’s Encrypt and our other projects, check out our annual report, which was published today.