Mark your calendars, system administrators and DevSecOps teams: May 13, 2026, is going to be a busy day for certificate management.
Let’s Encrypt, the world’s most ubiquitous free certificate authority, has announced a triple-threat update to its ACME profiles hitting production all at once. Whether you are an early adopter of short-lived certificates or relying on classic infrastructure, these changes will impact how your automated TLS environments operate.
Here is a breakdown of the three major updates deploying on May 13 and what you need to do to prepare.
1. The 45-Day Countdown Begins (tlsserver Profile)
The push for shorter certificate lifespans is gaining momentum. On May 13, the tlsserver ACME profile will switch to issuing 45-day certificates.
Currently, this profile is completely opt-in and designed specifically for early adopters who want to stress-test their automation pipelines. However, this is the opening salvo in Let’s Encrypt’s overarching strategy to cut certificate lifetimes in half. As outlined in their previously announced roadmap, “Decreasing Certificate Lifetimes to 45 Days,” this opt-in phase is the first major milestone in a mandatory two-year transition for the entire ecosystem.
If you haven’t automated your renewals yet, the clock is ticking faster. Early adopters should opt in now to ensure their ACME clients can handle the accelerated renewal cadence gracefully.
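To see why the accelerated cadence matters for automation, the following added example (not code from Let's Encrypt or from this article) checks common renewal policies against a 90-day and a 45-day lifetime. The policy names, the threshold values and the issuance date are illustrative assumptions, not settings of any particular ACME client.

```python
from datetime import datetime, timedelta, timezone
from math import ceil

DAY = timedelta(days=1)

def first_renewal(not_before, not_after, policy, value, check_every=DAY):
    """Return (time of the first client run at which `policy` fires, loop flag)."""
    if policy == "fixed_age":              # "renew N days after issuance"
        due = not_before + value * DAY
    elif policy == "days_before_expiry":   # "renew when fewer than N days remain"
        due = not_after - value * DAY
    elif policy == "fraction":             # "renew after this share of the lifetime"
        due = not_before + (not_after - not_before) * value
    else:
        raise ValueError(f"unknown policy: {policy}")
    # A threshold at or beyond the whole lifetime fires on every run: a renewal
    # loop that burns through issuance rate limits.
    loop = due <= not_before
    due = max(due, not_before)
    # The client only acts on its next scheduled run at or after `due`.
    runs = ceil((due - not_before) / check_every)
    return not_before + runs * check_every, loop

def audit(lifetime_days, policy, value, check_every_days=1):
    """Evaluate one renewal policy against one certificate lifetime."""
    not_before = datetime(2026, 5, 13, tzinfo=timezone.utc)  # constructed sample
    not_after = not_before + lifetime_days * DAY
    renew_at, loop = first_renewal(not_before, not_after, policy, value,
                                   check_every_days * DAY)
    margin = (not_after - renew_at) / DAY
    return {"renew_day": (renew_at - not_before).days, "margin_days": margin,
            "renew_loop": loop, "ok": margin > 0 and not loop}

if __name__ == "__main__":
    # Hypothetical client settings, compared at 90 and 45 days.
    for policy, value in [("fixed_age", 60), ("days_before_expiry", 30),
                          ("days_before_expiry", 60), ("fraction", 2 / 3)]:
        for lifetime in (90, 45):
            print(f"{policy}={value:<6.3g} lifetime={lifetime}d", audit(lifetime, policy, value))
```

A negative margin_days means the certificate expired before the client attempted renewal; renew_loop means the threshold is at least as long as the certificate itself.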
2. The Sunset of TLS Client Authentication (tlsclient Profile)
Let’s Encrypt is officially winding down its support for TLS Client Authentication Certificates.
Starting May 13, the tlsclient ACME profile will be locked down. It will only be available to existing ACME accounts that have previously requested a certificate using that specific profile. No new accounts will be granted access.
This freeze is a temporary grace period. The profile is slated for complete deprecation on July 8, 2026.
If your infrastructure currently relies on Let’s Encrypt for client-side authentication (mTLS), you have less than two months to migrate to an alternative internal PKI or a commercial certificate authority.
3. Enter the “Generation Y” Intermediates (classic Profile)
For the vast majority of users relying on standard website certificates, the classic ACME profile is getting a backend upgrade.
On May 13, the classic profile will transition to using Let’s Encrypt’s new “Generation Y” intermediates. Fortunately, this upgrade is designed to be seamless. The new Generation Y intermediates will chain directly to the existing X1 and X2 roots that are already globally trusted across browsers and operating systems.
Because the root of trust remains the same, this transition should not introduce any compatibility issues for your users or applications. It is a purely infrastructural modernization on Let’s Encrypt’s end.
You do not have to wait until May 13 to see how these changes will affect your automated pipelines. Let’s Encrypt has confirmed that all three of these changes are currently live in their staging environment.
Security teams are highly encouraged to point their ACME clients to the staging API this week to verify that their systems can handle the new Generation Y intermediates and, for the brave early adopters, the new 45-day lifecycle of the tlsserver profile.