Key Updates to Let's Encrypt Certificates: New Roots, Authentication Changes, and Shorter Lifetimes

certificate announcements

Let's Encrypt introduces new 'Generation Y' roots, phases out TLS client authentication, and shortens certificate lifetimes. ACME profiles manage transitions, with validity reducing to 45 days by 2028. Most users require no action; a profile switch is delayed.

Let's Encrypt is implementing several significant updates to its certificate issuance process. These changes include the introduction of new root certificates, the deprecation of TLS client authentication, and a reduction in certificate lifetimes. To facilitate a gradual rollout, Let's Encrypt will leverage ACME profiles, offering users control over the timing of some of these transitions. For the majority of users, no immediate action is required.

Let's Encrypt has developed two new Root Certification Authorities (CAs) and six new Intermediate CAs, collectively referred to as the "Generation Y" hierarchy. These new CAs are cross-signed by the existing "Generation X" roots (X1 and X2), ensuring continued trust wherever the current roots are accepted.

Most users obtain certificates through the default classic profile, unless they have explicitly opted for an alternative. This classic profile will transition to the new Generation Y hierarchy on May 13, 2026. Importantly, the new intermediates will not include the "TLS Client Authentication" Extended Key Usage, a requirement stemming from upcoming root program guidelines; certificates issued under them will therefore not be accepted as client certificates (for example, for mutual TLS) by relying parties that honor that EKU. Let's Encrypt previously announced its intention to end TLS Client Authentication starting February 2026, a timeline that aligns with the Generation Y hierarchy switch. Users who encounter issues or require an extended transition period can use the tlsclient profile until May 2026; this profile will continue to issue from the existing Generation X hierarchy.

For those requesting certificates via the tlsserver or shortlived profiles, certificates from the Generation Y hierarchy will begin to appear this week. This marks the opt-in general availability of short-lived certificates from Let's Encrypt, including support for IP addresses on certificates.

Furthermore, Let's Encrypt has outlined its compliance timeline for impending CA/Browser Forum Baseline Requirements, which mandate a reduction in certificate validity periods. Next year, early adopters and testers will have the option to opt-in to 45-day certificates through the tlsserver profile. In 2027, the default certificate lifetime will decrease to 64 days, followed by a further reduction to 45 days in 2028. For comprehensive details on this timeline, please refer to the dedicated post on decreasing certificate lifetimes to 45 days.
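As an added example (not code from Let's Encrypt or from the original post), here is how an ACME client could handle the two mechanisms discussed above: selecting a profile such as classic, tlsclient, tlsserver or shortlived from the CA directory and carrying it into the newOrder request, and choosing a renewal point that follows the certificate's actual lifetime rather than a fixed calendar cadence, so that a move from 90 to 64 or 45 days (or to short-lived certificates) does not leave a gap. The directory object and the `profile` field follow the ACME profiles extension as advertised by Let's Encrypt; the directory contents, descriptions, names and addresses below are constructed, and the two-thirds renewal rule is an assumption of this example, not a Let's Encrypt requirement.

```python
"""Added example: choose an ACME profile, build the newOrder payload, and
derive a lifetime-aware renewal point. Constructed data, not a live ACME session."""
import json
from datetime import datetime

# Constructed stand-in for GET <directory>; a CA that supports profiles
# advertises their names under meta.profiles (descriptions here are made up).
SAMPLE_DIRECTORY = json.loads("""
{
  "newNonce": "https://acme.example/acme/new-nonce",
  "newOrder": "https://acme.example/acme/new-order",
  "meta": {
    "termsOfService": "https://acme.example/terms",
    "profiles": {
      "classic": "constructed description",
      "tlsserver": "constructed description",
      "shortlived": "constructed description"
    }
  }
}
""")


def advertised_profiles(directory):
    """Profile names the CA offers; empty when the CA does not support profiles."""
    return dict((directory.get("meta") or {}).get("profiles") or {})


def choose_profile(directory, preferred, required=False):
    """Return the first entry of `preferred` that the CA advertises.

    With required=False an unmatched preference yields None, meaning "omit the
    field and accept the CA default" (classic at Let's Encrypt). With
    required=True it raises instead, so an operator who depends on a specific
    profile (e.g. tlsclient while mutual TLS still relies on the certificate)
    fails loudly rather than silently receiving a certificate from another
    hierarchy."""
    offered = advertised_profiles(directory)
    for name in preferred:
        if name in offered:
            return name
    if required:
        raise ValueError(f"CA offers {sorted(offered)}, none of {list(preferred)}")
    return None


def build_new_order(identifiers, profile=None):
    """JWS payload for POST newOrder. `identifiers` is a list of (type, value)
    pairs; type is "dns" for hostnames or "ip" (RFC 8738) for addresses."""
    payload = {"identifiers": [{"type": t, "value": v} for t, v in identifiers]}
    if profile is not None:
        payload["profile"] = profile  # field defined by the ACME profiles extension
    return payload


# Assumed local policy: renew once two thirds of the lifetime has elapsed
# (day 60 of 90, day 30 of 45, day 4 of a 6-day short-lived certificate).
RENEW_AT_NUM, RENEW_AT_DEN = 2, 3


def renewal_point(not_before_iso, not_after_iso):
    """Datetime at which renewal should start. Inputs are ISO 8601 strings
    with a UTC offset, e.g. "2026-01-07T00:00:00+00:00"."""
    nb = datetime.fromisoformat(not_before_iso)
    na = datetime.fromisoformat(not_after_iso)
    if na <= nb:
        raise ValueError("notAfter must be later than notBefore")
    # timedelta * int / int keeps the arithmetic exact to the microsecond
    return nb + (na - nb) * RENEW_AT_NUM / RENEW_AT_DEN


def renewal_due(not_before_iso, not_after_iso, now_iso):
    """True when `now` is at or past the renewal point (and hence past expiry too)."""
    return datetime.fromisoformat(now_iso) >= renewal_point(not_before_iso, not_after_iso)


if __name__ == "__main__":
    profile = choose_profile(SAMPLE_DIRECTORY, ["shortlived", "tlsserver"])
    order = build_new_order([("dns", "www.example.com"), ("ip", "203.0.113.10")], profile)
    print(json.dumps(order, indent=2))
    print(renewal_point("2026-01-07T00:00:00+00:00", "2026-01-13T00:00:00+00:00"))
```

When the CA publishes ACME Renewal Information for a certificate, its suggested window should take precedence over the local fraction used here; the fraction is only a fallback so that a client written for 90-day certificates does not keep a 60-day cron interval once it starts receiving 45-day or 6-day ones. To confirm which hierarchy a freshly issued chain came from, and whether the issuing intermediate still carries the TLS Client Authentication EKU, inspect the intermediate in the returned chain with `openssl x509 -noout -issuer -subject -ext extendedKeyUsage`.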

While most users will not need to take immediate action, it is highly recommended to review the linked blog posts for a deeper understanding of these changes. Questions can be addressed on this forum.

Update: The previously announced Generation Y switch for the tlsserver and shortlived profiles has been postponed to January 7, 2026. This delay is necessary to accommodate additional internal changes required for a smooth transition, which will occur after Let's Encrypt's end-of-year deployment freeze.