Let’s Encrypt, the free certificate authority that helped bring HTTPS to almost every corner of the web, is preparing one of the biggest changes in its history. By 2028, every certificate it issues will have a maximum lifetime of just 45 days, half of the current 90-day limit.

This isn’t a random decision, nor is Let’s Encrypt acting alone. The move is part of a broader industry shift driven through the CA/Browser Forum, the body in which certificate authorities and browser makers jointly set the Baseline Requirements that every publicly trusted CA must follow. After a push from Apple to reduce maximum certificate lifetimes from 398 days to just 45, the Forum agreed on a new cap of 47 days for most publicly trusted certificates, phased in over the next few years. Let’s Encrypt, whose 90-day certificates were already far shorter than the industry norm, is moving to the new baseline ahead of that deadline.

Behind the technical terms, there’s a simple message:
👉 Certificates will expire much faster, and automation will no longer be optional — it will be essential.


First, a quick reminder: what is a certificate and why does it matter?

When you visit a website whose address starts with https://, your browser checks the site’s digital certificate before it trusts the connection. The certificate does two jobs:

  1. It proves that the server you reached holds the private key for that domain name, as vouched for by a certificate authority your browser trusts.
  2. It anchors the TLS handshake, so the encrypted connection you then set up cannot be silently redirected to, or tampered with by, someone else in the path.

Let’s Encrypt issues these certificates for free and at massive scale, which is why it has been so important to the modern web.

Every certificate has an expiration date. Once it expires, browsers will start showing warnings like “Your connection is not private” or “This site’s certificate has expired.” That’s why renewals are so critical.


From 90 days down to 45: the new timeline

Today, Let’s Encrypt issues certificates that are valid for 90 days. By 2028, that will be down to 45 days for all newly issued certificates. The rollout will happen in several phases to give users and tools time to adapt:

  • May 13, 2026
    Let’s Encrypt will switch the tlsserver ACME profile (an opt-in profile that clients do not request by default) to a 45-day certificate lifetime. This is mainly for testing and early adopters.
  • February 10, 2027
    The default “classic” ACME profile — what most users rely on today — will move to 64-day certificates, with a 10-day authorization reuse period.
  • February 16, 2028
    The default “classic” profile will be updated again to issue 45-day certificates with an authorization reuse window of only 7 hours. From this point on, 45 days becomes the effective maximum lifetime for Let’s Encrypt certificates.

If you use Let’s Encrypt, you won’t see the new lifetimes until your first renewal after each date. But once the 45-day phase kicks in, certificates will expire twice as fast as they do today, and a client that only attempts renewal every few days leaves very little room to recover from a failed attempt.


Domain validation: from 30 days down to just 7 hours

There’s another important change that sits behind the scenes but has big practical consequences: how long Let’s Encrypt will accept a domain validation before it has to be redone.

Right now, once you prove you control a domain (by responding to a challenge over HTTP, TLS, or DNS), Let’s Encrypt will reuse that validation for up to 30 days when issuing further certificates for the same name under the same ACME account.

By 2028, that authorization reuse period will shrink to just 7 hours.

In plain language:

  • Your system will have a much shorter window in which it can issue a certificate after validating a domain.
  • If that window closes, the client will need to re-prove control of the domain before the certificate can be issued.

For well-configured automated systems, this is manageable. For manual or half-automated workflows, it’s a recipe for frequent failures and unexpected outages.


Will this break most websites? For many, the answer is “no” — if automation is in place

Let’s Encrypt is very clear on one thing:

Most users who already rely on fully automated certificate issuance and renewal should not need to make major changes.

If your hosting provider, control panel, or ACME client already:

  • Requests and installs certificates automatically
  • Renews them well before they expire
  • Doesn’t rely on a fixed “60-day renewal” schedule

…then you’re probably fine — but it’s still wise to double-check.

However, if any of these describe your current setup, you are in the danger zone:

  • You renew certificates manually from time to time.
  • You log into a panel and click a button when you remember.
  • You have a script that renews every 60 days, hard-coded and forgotten.

With a 90-day certificate, renewing every 60 days works.
With a 45-day certificate, that same schedule guarantees expiration before renewal.

The safe pattern with short-lived certificates is to renew once about two-thirds of the lifetime has elapsed, which means around day 30 for a 45-day certificate, and to attempt renewal far more often than that (many ACME clients ship a timer that runs twice a day) so that a transient failure still leaves days, not hours, in which to retry.


ARI: letting Let’s Encrypt tell clients when to renew

To make this new world less brittle, Let’s Encrypt is encouraging users and client developers to adopt a feature called ACME Renewal Information (ARI), standardized as RFC 9773.

In simple terms, ARI lets the certificate authority say:

“For this specific certificate, here’s when you should renew.”

Instead of guessing a renewal interval (like “every 30 days”), the ACME client asks Let’s Encrypt for a suggested renewal window for each certificate and picks a time inside it. The same channel lets the CA pull renewal forward for specific certificates, for example when it has to revoke them because of an incident, so affected sites rotate before the revocation rather than discovering it through browser errors.

What you should do as a user:

  • Check your ACME client’s documentation (Certbot, acme.sh, built-in tools in your panel, etc.) to see if it supports ARI.
  • Enable it if possible.
  • If your client doesn’t support ARI yet, make sure it runs often enough, and that its renewal logic is compatible with a 45-day lifetime.
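The renewal decision described in the last two sections, written out as an added example (this is not code from Let’s Encrypt or from any ACME client). It builds the certificate identifier an ARI client sends to the CA’s renewalInfo endpoint, picks a renewal instant from the window the CA returns, and falls back to the two-thirds rule when ARI is unavailable. The AKI bytes and serial number in the demo are the test vector from RFC 9773; the directory entry and the ARI response are constructed, and reading those values out of a real certificate or making the HTTPS request to the CA is left out:

```python
"""Renewal planning for short-lived ACME certificates.

Added example, not code from Let's Encrypt or from any ACME client. It
implements the parts of the renewal decision the article describes:

  * the certificate identifier an ARI client puts in its renewalInfo request
    (RFC 9773, section 4.1: base64url(AKI keyIdentifier) "." base64url(serial)),
  * choosing a renewal instant from the suggestedWindow the CA returns
    (renew immediately if the window is already past, otherwise a random
    instant inside it), and
  * the two-thirds-of-lifetime fallback for clients without ARI.

Reading the AKI and serial out of a real certificate (for example with the
`cryptography` package) and the HTTPS request to the CA are left out; the
inputs below are raw bytes and a constructed JSON response.
"""
import base64
import json
import random
from datetime import datetime, timedelta, timezone


def b64url(data: bytes) -> str:
    """base64url with the '=' padding stripped, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER for a non-negative value: big-endian,
    minimal length, with a leading 0x00 when the top bit would otherwise be
    set (so the number is not read as negative)."""
    if value < 0:
        raise ValueError("certificate serial numbers are non-negative")
    return value.to_bytes(value.bit_length() // 8 + 1, "big")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """Unique identifier for the renewalInfo request (RFC 9773, section 4.1)."""
    return f"{b64url(aki_key_identifier)}.{b64url(der_integer_content(serial))}"


def renewal_info_url(directory: dict, cert_id: str) -> str:
    """The CA's directory object advertises the renewalInfo endpoint; the
    certificate identifier is appended as a path segment."""
    return f"{directory['renewalInfo']}/{cert_id}"


def parse_rfc3339(text: str) -> datetime:
    """Accept the trailing 'Z' form that ACME servers emit."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def choose_from_ari_window(ari_response: str, now: datetime, rng=random) -> datetime:
    """Pick the renewal instant from an ARI response body.

    If the window has already closed, renew now. Otherwise choose a uniformly
    random instant between max(start, now) and end, so that a fleet of hosts
    sharing one CA does not all renew in the same second.
    """
    window = json.loads(ari_response)["suggestedWindow"]
    start = parse_rfc3339(window["start"])
    end = parse_rfc3339(window["end"])
    if end <= now:
        return now
    start = max(start, now)
    return start + (end - start) * rng.random()


def two_thirds_renewal_time(not_before: datetime, not_after: datetime) -> datetime:
    """Fallback without ARI: renew when two-thirds of the lifetime has elapsed
    (day 60 of a 90-day certificate, day 30 of a 45-day one)."""
    return not_before + (not_after - not_before) * 2 / 3


def fixed_schedule_lapses(lifetime_days: int, renew_every_days: int) -> bool:
    """True when a hard-coded renewal interval is at or beyond the certificate
    lifetime, which guarantees an expired certificate in service. Even a
    shorter interval needs margin for failed attempts."""
    return renew_every_days >= lifetime_days


if __name__ == "__main__":
    # Test vector from RFC 9773, section 4.1.
    aki = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4")
    cert_id = ari_cert_id(aki, 0x87654321)
    print("ARI certID:", cert_id)  # aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE

    # Constructed directory entry and ARI response (not a real CA response).
    directory = {"renewalInfo": "https://acme.example.test/acme/renewal-info"}
    print("GET", renewal_info_url(directory, cert_id))
    response = json.dumps({"suggestedWindow": {
        "start": "2028-03-17T00:00:00Z", "end": "2028-03-18T00:00:00Z"}})
    now = datetime(2028, 3, 10, tzinfo=timezone.utc)
    print("renew at:", choose_from_ari_window(response, now))

    not_before = datetime(2028, 3, 1, tzinfo=timezone.utc)
    print("fallback:", two_thirds_renewal_time(not_before, not_before + timedelta(days=45)))
    print("60-day cron on a 45-day cert lapses:", fixed_schedule_lapses(45, 60))
```

The random placement inside the window is deliberate: RFC 9773 asks clients to spread renewals across the suggested window rather than all firing at its start, and the "window already closed" branch is what turns an incident-driven early window from the CA into an immediate renewal.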

Why shorter certificates improve security

All of this effort isn’t just to make administrators’ lives more complicated. There are real security benefits:

  1. If a private key is stolen, the damage window is smaller
    If an attacker gets hold of your private key, they can impersonate your website until the certificate expires (or is revoked). With long-lived certificates, that can be many months. With 45-day certificates, the maximum window is much shorter, provided the key is rotated at renewal: most ACME clients generate a fresh key pair for every renewal, but if yours is configured to reuse the key (some clients offer this to keep pinned keys stable), a stolen key remains usable for as long as you keep renewing with it.
  2. Less dependence on imperfect revocation systems
    In theory, browsers can check whether a certificate has been revoked (via CRLs or OCSP). In practice, these systems are complex and slow, and clients typically soft-fail, treating an unreachable responder as a pass, so an attacker who can block the check can defeat it. Short-lived certificates bound the damage even when revocation does not work.
  3. More frequent key rotation becomes the norm
    Shorter lifetimes mean keys are replaced more often. That’s good hygiene in a world where attacks and leaks are increasingly common.

In other words, short-lived certificates trade a bit of operational friction (which automation can solve) for a noticeable gain in security.


A new DNS challenge type to make automation easier

One of the hardest parts of automating certificate issuance is the validation step: proving that you control the domain. Today’s methods (HTTP-01, TLS-ALPN-01, DNS-01) require that the ACME client can:

  • Serve specific content on your web server, or
  • Perform a special TLS handshake, or
  • Update DNS TXT records automatically.

For many organizations, giving an ACME client direct access to web servers or DNS is uncomfortable or operationally complex.

To address this, Let’s Encrypt is working with the CA/Browser Forum and the IETF on a new DNS-based method called DNS-PERSIST-01. The key idea:

  • You create one DNS TXT record that names the CA (and, as the draft is written, can be bound to your ACME account) as authorized to issue for that name.
  • That single, persistent record is checked on every subsequent issuance, so it can be reused for future renewals.
  • You don’t need to update DNS every time a certificate is renewed.

If this standard lands as planned (Let’s Encrypt expects it around 2026), it could make life much easier for organizations that want automation without giving automated tools full control over DNS. Because the record is a standing grant of issuance authority, treat it like a CAA record: keep it under change control, review it alongside your other DNS changes, and remove it when you stop using that CA.


What you should do now if you use Let’s Encrypt

Even though the strict 45-day phase doesn’t arrive until 2028, now is the right time to get ready. Practical steps include:

  • Audit your certificate setup
    Check where your Let’s Encrypt certificates are used (websites, APIs, mail servers, reverse proxies, etc.) and how they’re renewed today.
  • Eliminate manual renewals
    If you still have any process where a human has to click a button or run a command, treat that as technical debt. Move to automatic issuance and deployment.
  • Check your ACME client configuration
    • Is the renewal interval hard-coded to 60 days? Change it.
    • Can it support ARI? Turn it on once available.
    • Does it handle failures gracefully and retry often enough?
  • Add monitoring and alerts
    Use monitoring tools that check certificate expiration dates and alert you well before anything gets close to expiring. Don’t rely only on browser warnings. Retune the thresholds, though: an alert at “30 days before expiry”, common for annual certificates today, would fire from the day a 45-day certificate is issued. Alert instead when the certificate has not been replaced by the time you expected renewal (around day 30), and monitor the certificate actually served on the wire rather than the file on disk, since a renewed file that was never loaded by the web server looks fine on the filesystem and still fails in the browser.

If you do this homework over the next months, the shift to 45-day certificates will be largely invisible — your systems will simply keep renewing on time.

If you don’t, you may find yourself in 2028 with a website that goes “Not secure” more often than you’d like.


FAQs: Let’s Encrypt and 45-Day Certificates

Why is Let’s Encrypt reducing certificate lifetimes to 45 days?
Because the CA/Browser Forum is tightening industry rules for security reasons, and all publicly trusted certificate authorities must comply. Shorter lifetimes limit how long a compromised certificate can be abused and reduce reliance on revocation systems that don’t always work perfectly.

Will my website break when Let’s Encrypt moves to 45-day certificates?
If your site already uses fully automated issuance and renewal (through your hosting provider, panel, or ACME client), you may not notice the change at all. However, you should still verify that your automation doesn’t rely on long renewal intervals, like “every 60 days,” which will no longer be safe.

What happens if my certificate expires because I didn’t adapt in time?
Visitors will see browser warnings indicating that the connection is not secure, and some browsers may block access entirely unless the user bypasses the warning. This can hurt trust, conversions, and your brand image. In some corporate environments, expired certificates can break integrations and internal tools outright.

Do I need to stop renewing Let’s Encrypt certificates manually?
Yes, that’s strongly recommended. With 45-day certificates, manual renewal becomes risky and error-prone. You’ll have to renew much more often, and any oversight could result in downtime. Moving to fully automated ACME-based issuance and renewal is the safest and most future-proof approach.

Source: letsencrypt.org