Let’s Encrypt will reduce certificate lifetimes in the coming years, moving from today’s 90-day validity to 45 days by 2028. The change aligns with the new CA/Browser Forum Baseline Requirements, which apply to all publicly trusted Certificate Authorities.
Shorter certificate lifetimes are intended to limit the impact of compromised keys and improve the effectiveness of revocation mechanisms. Alongside this shift, the authorization reuse period, the window during which previously validated domain control can be reused, will decrease from 30 days to just 7 hours.
The transition will happen in several stages to give users time to adapt. On May 13, 2026, the optional tlsserver ACME profile will begin issuing 45-day certificates for early adopters and testing. On February 10, 2027, the default classic profile will switch to 64-day certificates and a 10-day authorization reuse period.
The final step arrives on February 16, 2028, when the classic profile moves to 45-day certificates with a 7-hour reuse period. These changes affect only new certificates, so users will see the shorter validity at their next renewal after each milestone.
Most users relying on automated issuance will not need to make major adjustments, but verifying that existing automation can handle shorter lifetimes is essential. Let’s Encrypt recommends using ACME Renewal Information, which provides clients with guidance on when to renew.
For setups that do not yet support ARI, renewals should occur roughly two-thirds of the way through the certificate’s configured lifetime, rather than at fixed 60-day intervals. Manual renewals are discouraged, as shorter validity periods will require more frequent action. Let’s Encrypt also advises ensuring monitoring is in place to detect renewal failures promptly.
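The two-thirds rule above, worked through for the three lifetimes the article names. This is an added example, not code from Let’s Encrypt or any ACME client; the function names, the status labels and the sample validity windows are constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

FIXED_INTERVAL = timedelta(days=60)  # the fixed schedule the article warns against

# Constructed validity windows in the date format ssl.getpeercert() returns,
# one per lifetime named in the article (90, 64 and 45 days).
CERT_90 = {"notBefore": "Jan  1 00:00:00 2026 GMT", "notAfter": "Apr  1 00:00:00 2026 GMT"}
CERT_64 = {"notBefore": "Mar  1 00:00:00 2027 GMT", "notAfter": "May  4 00:00:00 2027 GMT"}
CERT_45 = {"notBefore": "Mar  1 00:00:00 2028 GMT", "notAfter": "Apr 15 00:00:00 2028 GMT"}


def parse_cert_time(text):
    """Convert an OpenSSL-style certificate timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def renewal_plan(cert, now):
    """Derive the renewal point from the certificate's own validity window."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    lifetime = not_after - not_before
    renew_at = not_before + lifetime * 2 / 3  # two-thirds of the way through
    if now >= not_after:
        status = "expired"
    elif now >= renew_at:
        status = "due"  # monitoring should expect a replacement from here on
    else:
        status = "ok"
    return {
        "lifetime_days": lifetime.days,
        "renew_at": renew_at,
        "status": status,
        # Days of validity left when a fixed 60-day job fires; negative means
        # the certificate expired before the job ran.
        "fixed_60d_margin_days": (not_after - (not_before + FIXED_INTERVAL)).days,
    }


if __name__ == "__main__":
    now = parse_cert_time("Apr  5 00:00:00 2028 GMT")  # constructed "current" time
    for name, cert in (("90-day", CERT_90), ("64-day", CERT_64), ("45-day", CERT_45)):
        print(name, renewal_plan(cert, now))
```

A fixed 60-day job leaves 30 days of margin on a 90-day certificate, 4 days on a 64-day one, and fires 15 days after a 45-day certificate has already expired.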
And lastly, something important. Let’s Encrypt is working with industry partners on a new challenge type called DNS-PERSIST-01. Unlike current methods, it will use a static DNS TXT record that does not need to be updated at every renewal. This approach removes the requirement for ACME clients to have direct access to DNS systems, enabling broader, simpler automation. The new challenge type is expected to become available in 2026.
For more information, see the official announcement.
