The Let's Encrypt initiative is a popular, free, automated, and open certificate authority that provides TLS certificates free of charge. Let's Encrypt announced that it will reduce the certificate lifetime from 90 days to 45 days!
Let’s Encrypt will be reducing the validity period of the certificates from currently 90 days down to 45 days by 2028.
Let's Encrypt explains the need of this change as follows: "This change is being made along with the rest of the industry, as required by the CA/Browser Forum Baseline Requirements*, which set the technical requirements that we must follow. All publicly-trusted Certificate Authorities like Let’s Encrypt will be making similar changes. Reducing how long certificates are valid for helps improve the security of the internet, by limiting the scope of compromise, and making certificate revocation technologies more efficient.".
Furthermore, Let's Encrypt will also reduce the authorization reuse period, which is the length of time after validating domain control that Let's Encrypt allows certificates to be issued for that domain. It is currently 30 days and will be reduced to 7 hours by 2028.
Timeline for the change
Let’s Encrypt will roll this change out in multiple stages:
- May 13, 2026: Let’s Encrypt will switch the tlsserver* ACME profile to issue 45-day certificates. This profile is opt-in and can be used by early adopters and for testing.
- February 10, 2027: Let’s Encrypt will switch the default classic* ACME profile to issuing 64-day certificates with a 10-day authorization reuse period. This will affect all users who have not opted into the tlsserver* or shortlived* (6-day) profiles.
- February 16, 2028: Let's Encrypt will further update the classic* profile to issue 45-day certificates with a 7 hour authorization reuse period.
More information
More information is available in a post on the Let's Encrypt website: https://letsencrypt.org/2025/12/02/from-90-to-45
* This link leads to an external website outside our influence and control.
