Apple previously submitted a proposal to the CA/Browser Forum — the industry body governing certificate authorities and browser vendors — recommending that, for security reasons, the maximum validity of digital certificates be reduced from 398 days to just 45 days. After discussion, the forum agreed on a slightly longer limit of 47 days, meaning that in the future, all publicly trusted certificates (except root certificates) will be capped at that duration.
In response, Let’s Encrypt has announced that it will gradually shorten the validity of its certificates in order to comply with the Forum’s baseline requirements. By 2028, every certificate issued by Let’s Encrypt will have a maximum lifetime of 45 days.
The transition will follow this schedule:
- Starting 13 May 2026: Let’s Encrypt will switch the tlsserver ACME profile to a 45-day certificate validity. This phase is optional and intended solely for testing.
- Starting 10 February 2027: The default “classic” ACME profile will move to a 64-day certificate validity, with a 10-day authorization reuse period.
- Starting 16 February 2028: The default “classic” ACME profile will adopt a 45-day validity period, making this the maximum lifetime for all newly issued certificates.
Today, once a domain is validated, it may be used to obtain certificates for up to 30 days. By 2028, that window will shrink dramatically to just 7 hours. If a certificate is not issued within those seven hours, domain control must be revalidated before issuance can proceed.
Most users relying on fully automated issuance, renewal, and deployment workflows will not need to make changes. However, they should confirm that their automation is compatible with significantly shorter certificate lifetimes.
To ensure ACME clients can renew certificates on time, users are encouraged to adopt ACME Renewal Information (ARI) — a feature designed to signal when renewal is needed. Consult your ACME client’s documentation for instructions on enabling ARI.
If a client does not support ARI, you must guarantee that your renewal interval aligns with 45-day validity. For example, a 60-day renewal cycle would cause certificates to expire before renewal occurs. A safe rule is to renew around two-thirds of the way through the certificate’s lifetime — roughly day 30 for a 45-day certificate.
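To see when a fixed renewal cycle starts to fail under the schedule above, the following added example (not Let’s Encrypt or ACME client code) simulates renewals across the transition dates and reports every window without a valid certificate. The function names, the start and end dates, and the 90-day lifetime assumed before February 2027 are assumptions made for this illustration.

```python
from datetime import date, timedelta

# Classic-profile changes from the schedule above: (effective date, validity in days).
SCHEDULE = [(date(2027, 2, 10), 64), (date(2028, 2, 16), 45)]
# Assumption: 90-day lifetime before the first change (not stated in the article).
INITIAL_VALIDITY = 90


def validity_on(issued: date) -> int:
    """Lifetime in days of a certificate issued on the given date."""
    days = INITIAL_VALIDITY
    for effective, validity in SCHEDULE:
        if issued >= effective:
            days = validity
    return days


def renew_after(validity_days: int) -> int:
    """Two-thirds rule: days to wait after issuance before renewing."""
    return validity_days * 2 // 3


def simulate(start: date, end: date, fixed_interval=None):
    """Walk renewals from start to end and return (expired_on, renewed_on)
    pairs for every window in which no valid certificate was deployed.
    fixed_interval is a static cron-style cycle in days; None applies the
    two-thirds rule to each certificate's actual lifetime."""
    gaps, issued = [], start
    while issued < end:
        validity = validity_on(issued)
        expires = issued + timedelta(days=validity)
        wait = fixed_interval if fixed_interval is not None else renew_after(validity)
        renewed = issued + timedelta(days=wait)
        if renewed > expires:
            gaps.append((expires, renewed))
        issued = renewed
    return gaps


if __name__ == "__main__":
    start, end = date(2026, 12, 1), date(2028, 12, 31)  # constructed dates
    for expired, renewed in simulate(start, end, fixed_interval=60):
        print(f"outage: expired {expired}, renewed {renewed}")
    print("two-thirds rule gaps:", simulate(start, end))
```

With these inputs the 60-day cycle gets through the 64-day phase with a four-day margin and first fails on a certificate issued after 16 February 2028, while the two-thirds rule produces no gaps in any phase.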
Let’s Encrypt strongly discourages manual renewals. As certificate lifetimes shrink, renewal frequency rises, increasing the likelihood of human error — and any oversight could result in service outages.