Upcoming Changes: Let's Encrypt Reduces Certificate Lifetimes and Introduces DNS-PERSIST-01
Let's Encrypt is set to reduce certificate validity to 45 days and authorization reuse to 7 hours by 2028, aligning with new industry standards to enhance internet security. This update details the phased rollout, user actions required, and introduces the new DNS-PERSIST-01 validation method designed to streamline certificate automation.
Let's Encrypt will progressively reduce the validity period of its issued certificates. Currently, certificates are valid for 90 days, but this will be halved to 45 days by 2028.
This change aligns with industry-wide efforts, mandated by the CA/Browser Forum Baseline Requirements, which establish technical standards for all publicly-trusted Certificate Authorities (CAs) like Let's Encrypt. Shortening certificate validity periods enhances internet security by limiting the potential scope of compromise and improving the efficiency of certificate revocation technologies.
Furthermore, the authorization reuse period, which defines how long certificates can be issued for a domain after its control has been validated, is also being reduced. It currently stands at 30 days and will be shortened to 7 hours by 2028.
Timeline of Changes
To minimize disruption, Let's Encrypt will implement these changes in stages, utilizing ACME Profiles. These profiles, configured within your ACME client, offer control over when these changes take effect. For more details, refer to our blog post announcing ACME Profiles.
Changes will be deployed to the staging environment approximately one month prior to the production dates listed below:
- May 13, 2026: Let's Encrypt will update its tlsserver ACME profile to issue 45-day certificates. This profile is opt-in, suitable for early adopters and testing.
- February 10, 2027: The default classic ACME profile will transition to issuing 64-day certificates with a 10-day authorization reuse period. This will impact all users who have not opted into the tlsserver or shortlived (6-day) profiles.
- February 16, 2028: The classic profile will be further updated to issue 45-day certificates with a 7-hour authorization reuse period.
These dates mark when the changes apply to new certificates. Let's Encrypt users will observe the reduced certificate validity period at their next renewal following these dates.
Action Required
Most users relying on automatic certificate issuance from Let's Encrypt will not need to make manual changes. However, it is crucial to verify that your automation systems are compatible with shorter-lived certificates.
To ensure timely renewals, we strongly recommend implementing ACME Renewal Information (ARI). ARI is a feature designed to help clients determine when certificate renewal is necessary. Consult your ACME client's documentation for instructions on enabling ARI, as the process varies. Client developers can find an integration guide for ARI.
If your client does not yet support ARI, confirm that its renewal schedule is compatible with 45-day certificates. For instance, a hardcoded 60-day renewal interval will no longer suffice. Acceptable behavior includes renewing certificates approximately two-thirds of the way through their current lifetime.
Manual certificate renewal is discouraged due to the increased frequency required by shorter certificate lifetimes.
We also advise implementing robust monitoring systems to alert you if certificates are not renewed as expected. Various options are available, some of which are detailed on our Monitoring Service Options page.
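As an added illustration of the renewal checks described above (example code written for this page, not Let's Encrypt's or any ACME client's own code), the following Python helper picks a renewal time from an ARI suggestedWindow when one is available (the field names follow the renewalInfo response defined in RFC 9773), otherwise at two-thirds of the certificate lifetime; checks whether a fixed renewal interval leaves a retry margin for a given lifetime; and flags certificates that have passed their expected renewal point, which is the condition a monitoring system should alert on. The seven-day margin, the certificate dates and the ARI window are constructed sample values.

```python
"""Renewal scheduling and expiry monitoring for short-lived certificates.

Added example for this page; hypothetical helper, not Let's Encrypt or ACME
client code. Timestamps are RFC 3339 strings in UTC; sample values are
constructed.
"""
import random
from datetime import datetime, timedelta, timezone
from typing import Optional


def parse_time(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as '2028-02-16T00:00:00Z' into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def renew_after_fraction(not_before: datetime, not_after: datetime,
                         numer: int = 2, denom: int = 3) -> datetime:
    """Fallback when ARI is unavailable: renew numer/denom of the way through the
    lifetime (two-thirds by default). Integer timedelta arithmetic keeps the
    result exact for whole-day lifetimes."""
    return not_before + (not_after - not_before) * numer // denom


def renewal_time(not_before: datetime, not_after: datetime,
                 ari_window: Optional[dict] = None, rng=random.random) -> datetime:
    """Choose when to renew.

    ari_window is the 'suggestedWindow' object of an RFC 9773 renewalInfo
    response ({"start": ..., "end": ...}). RFC 9773 asks clients to pick a
    uniformly random instant inside the window so renewals spread out; rng is
    injectable so the choice is testable.
    """
    if ari_window is not None:
        start = parse_time(ari_window["start"])
        end = parse_time(ari_window["end"])
        return start + (end - start) * rng()
    return renew_after_fraction(not_before, not_after)


def interval_is_safe(renew_interval_days: int, lifetime_days: int,
                     margin_days: int = 7) -> bool:
    """A hardcoded renewal interval must leave time for failed attempts to be
    retried before expiry. Seven days is a constructed margin, not a standard."""
    return renew_interval_days + margin_days <= lifetime_days


def overdue_certificates(certs, now: datetime, numer: int = 2, denom: int = 3) -> list:
    """Monitoring check: names of certificates that have passed the expected
    renewal point without being replaced (this also catches expired ones).

    certs is an iterable of (name, not_before, not_after) tuples, e.g. what an
    inventory scan of deployed certificates would produce."""
    overdue = []
    for name, not_before, not_after in certs:
        if now >= renew_after_fraction(not_before, not_after, numer, denom):
            overdue.append(name)
    return sorted(overdue)


# Constructed sample: a 45-day certificate issued on the 2028 cutover date.
SAMPLE_NOT_BEFORE = parse_time("2028-02-16T00:00:00Z")
SAMPLE_NOT_AFTER = SAMPLE_NOT_BEFORE + timedelta(days=45)
SAMPLE_ARI_WINDOW = {"start": "2028-03-15T00:00:00Z", "end": "2028-03-17T00:00:00Z"}

if __name__ == "__main__":
    print("fallback renewal:", renew_after_fraction(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER).isoformat())
    print("ARI renewal:", renewal_time(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, SAMPLE_ARI_WINDOW).isoformat())
    for days in (60, 30):
        print(f"{days}-day interval safe for 45-day certs:", interval_is_safe(days, 45))
```

The fallback path is what a client without ARI support should approximate: a 90-day certificate renews after 60 days, a 45-day one after 30, and a fixed 60-day interval fails the margin check once lifetimes drop to 45 days. The overdue check is deliberately based on the expected renewal point rather than on expiry, so an alert fires while there is still time to fix the automation.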
Enhancing Automation with a New DNS Challenge Type
For many users, the most challenging aspect of automated certificate issuance is proving domain control. Shorter certificate lifetimes and reduced authorization reuse periods necessitate more frequent domain control demonstrations.
Current validation methods demand that the ACME client has live access to your infrastructure, whether to serve the correct HTTP-01 token, perform the TLS-ALPN-01 handshake, or update the DNS-01 TXT record. Users have long sought a method to run an ACME client without granting it access to these sensitive systems.
Addressing these challenges, we are collaborating with partners at the CA/Browser Forum and IETF to standardize a new validation method: DNS-PERSIST-01. The primary benefit of this method is that the DNS TXT entry used for domain control validation does not need to change with every renewal.
This innovation allows you to configure the DNS entry once and then automate certificate renewals without requiring continuous automatic DNS updates. This will enable more users to automate their renewals and reduce reliance on authorization reuse, as DNS records can remain unchanged without further ACME client intervention.
We anticipate DNS-PERSIST-01 will be available in 2026, with further announcements to follow.
Stay Informed
For additional updates, reminders, and future changes, subscribe to our technical updates mailing list. For questions, please visit our community forum. To learn more about Let's Encrypt's work and projects, read our Annual Report, published today.