The nonprofit Let’s Encrypt has announced a phased reduction of TLS certificate lifetimes — from the current 90 days to 45 days by 2028. These changes follow the industry-wide Baseline Requirements of the CA/Browser Forum, which all publicly trusted certificate authorities must observe. Shortening certificate validity is intended to enhance overall web security by narrowing the window in which compromised keys can be abused and by simplifying revocation practices.
In parallel, Let’s Encrypt will reduce the domain authorization reuse period. At present, once domain control is verified, the authority may keep issuing certificates for that domain for 30 days without repeating validation; by 2028, that interval will shrink to just 7 hours. These constraints will be introduced gradually and will depend on the ACME profile selected in the client. Additional details on these profiles and their configuration are available in Let’s Encrypt’s dedicated post on ACME Profiles.
The first phase begins on 13 May 2026, when the tlsserver profile will start issuing 45-day certificates. This profile is optional and intended for early adopters and testing. On 10 February 2027, the default classic profile will transition to certificates valid for 64 days, with domain authorization reusable for 10 days. Finally, on 16 February 2028, the same classic profile will move fully to 45-day certificates and a 7-hour reuse period. The separate shortlived profile will continue to issue extremely short-lived certificates of roughly six days.
Most Let’s Encrypt users with automated certificate issuance and renewal configured will not need to modify their setups. Nevertheless, the developers recommend ensuring that automation behaves correctly under shortened validity periods. As the foundational planning mechanism, they advise using ACME Renewal Information (ARI) — a feature that enables clients to receive precise renewal guidance directly from Let’s Encrypt. A separate guide has been published for integrating ARI into existing ACME clients.
If your ACME client does not yet support ARI, it is crucial to verify that the renewal schedule is compatible with a 45-day certificate lifespan. A fixed 60-day interval will no longer suffice. A safe rule of thumb is to renew at approximately two-thirds of the certificate’s lifetime. Manual renewal, Let’s Encrypt warns, will become even less practical, as it will need to be performed far more frequently.
Let’s Encrypt further recommends ensuring that your infrastructure includes monitoring capable of alerting you promptly to renewal issues. The organization provides a curated list of available monitoring solutions, which can serve as a useful starting point.
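The two-thirds rule and the monitoring advice above can be combined into one check; the following is an added example, not code from Let’s Encrypt or any ACME client. The function names, the one-day grace period and the sample dates are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Lifetimes of the classic profile named in the article, in days.
LIFETIMES = {"today": 90, "from 2027-02-10": 64, "from 2028-02-16": 45}


def renew_after(not_before, not_after):
    """Return the instant at two-thirds of the certificate's lifetime."""
    return not_before + (not_after - not_before) * 2 // 3


def status(not_before, not_after, now, grace=timedelta(days=1)):
    """Classify a certificate for alerting.

    grace is an assumed allowance for how often the renewal job runs;
    once it has passed without a new certificate, automation has failed.
    """
    due = renew_after(not_before, not_after)
    if now >= not_after:
        return "EXPIRED"
    if now >= due + grace:
        return "OVERDUE"
    if now >= due:
        return "DUE"
    return "OK"


def fixed_interval_outage(interval_days):
    """Days per cycle spent on an expired certificate when renewing on a
    fixed timer, for each lifetime above (0 means the timer still works)."""
    return {phase: max(0, interval_days - days)
            for phase, days in LIFETIMES.items()}


if __name__ == "__main__":
    # Constructed sample: a 45-day certificate issued on 2028-03-01 UTC.
    issued = datetime(2028, 3, 1, tzinfo=timezone.utc)
    expires = issued + timedelta(days=45)
    print("renew after:", renew_after(issued, expires).date())
    for day in (10, 30, 32, 45):
        print(day, status(issued, expires, issued + timedelta(days=day)))
    print("60-day timer:", fixed_interval_outage(60))
```

In practice the `not_before` and `not_after` values would come from the certificate actually served by the host, and an `OVERDUE` or `EXPIRED` result is what should raise the alert.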
Because shorter certificate lifetimes and authorization reuse periods entail more frequent domain-control checks, Let’s Encrypt — together with partners in the CA/Browser Forum and the IETF — is developing a new DNS-based validation method. This DNS-PERSIST-01 approach allows the TXT record confirming domain control to remain unchanged across renewals. Administrators will be able to create the required record once and then renew certificates automatically without granting continuous DNS access to ACME clients.
Support for DNS-PERSIST-01 is expected in 2026, easing automation for organizations unwilling to provide automated clients with direct access to their web, TLS, or DNS servers. Persistent DNS records will also reduce reliance on short authorization reuse windows, as domain control will already be established via a stable TXT record with no further client action required.
Let’s Encrypt encourages users to follow future developments via its technical updates mailing list. Questions about implementing the new lifetimes and mechanisms may be raised in the Let’s Encrypt community forum.