Free certificate authority Let's Encrypt recently announced in a blog post that it is transitioning from its X-generation root hierarchy to a new Y-generation hierarchy. The change introduces two new root CA certificates and six new intermediate certificates, all of which will be cross-signed by the existing X-generation roots, ISRG Root X1 and ISRG Root X2.
From a client trust perspective, Y-generation certificates are functionally equivalent to their X-generation predecessors: because the new roots are cross-signed by X1 and X2, any client that already trusts the X-generation roots will also trust a Y-generation chain, with the exception of certain legacy Android versions. Most current operating systems and platforms will accept the new hierarchy without issue. ACME profiles are in a transition period and, as of May 13, 2026, will default to the Y-generation chain. Because of upcoming root program requirements, however, the new intermediates will not carry the TLS client authentication extended key usage (EKU). That restriction reaches further than the leaf certificate: most TLS implementations check the EKU of every certificate in the path, so nothing issued under a Y-generation intermediate can serve as a TLS client certificate.
As a result, beginning in February 2026, certificates issued under Let's Encrypt's default profiles will no longer support TLS client authentication. Subscribers who run into problems or need more time to migrate off TLS client authentication can continue to request the tlsclient profile until May 2026, after which the profile is withdrawn and the new configuration becomes mandatory.
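To see what the missing EKU means for a relying party, here is an added example (not Let's Encrypt's code; the names "Example Root", "Example Intermediate" and "example.test" are placeholders, and the certificates are generated on the fly rather than fetched from Let's Encrypt). The Go program mints a throwaway hierarchy twice, once with an intermediate that carries both serverAuth and clientAuth and once with a server-auth-only intermediate like the Y-generation ones described above, and asks Go's standard verifier whether a 45-day leaf that itself asserts both usages chains validly for server authentication and for client authentication.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issued pairs a certificate with the private key that signs its children.
type issued struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// EKU sets for the two intermediate styles: the old style permits client auth, the new style is server-auth only.
var (
	oldStyleEKU = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	newStyleEKU = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
)

// mint creates a throwaway P-256 certificate with the given EKU list; parent == nil means self-signed (a root).
func mint(cn string, isCA bool, eku []x509.ExtKeyUsage, lifetime time.Duration, parent *issued) (*issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Now().UTC().Truncate(time.Second)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; a real CA uses random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku, // nil means no EKU extension, i.e. unrestricted (typical for a root)
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames = []string{cn}
	}
	signer := &issued{cert: tmpl, key: key} // self-signed unless a parent is given
	if parent != nil {
		signer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &issued{cert: cert, key: key}, err
}

// chainAllows asks Go's verifier whether leaf -> inter -> root is acceptable for the given EKU.
// The constraint is applied to every certificate in the path, so an intermediate without
// clientAuth blocks client authentication no matter what the leaf asserts. (false, nil) means valid chain, wrong usage.
func chainAllows(leaf, inter, root *x509.Certificate, usage x509.ExtKeyUsage) (bool, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{usage}})
	if e, ok := err.(x509.CertificateInvalidError); ok && e.Reason == x509.IncompatibleUsage {
		return false, nil
	}
	return err == nil, err
}

// must panics on error to keep the demo short; real code should return the error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demo builds root -> intermediate(interEKU) -> 45-day leaf, where the leaf asserts both serverAuth and
// clientAuth, and reports what a relying party accepts the chain for plus the leaf lifetime in whole days.
func demo(interEKU []x509.ExtKeyUsage) (serverOK, clientOK bool, leafDays int) {
	root := must(mint("Example Root", true, nil, 10*365*24*time.Hour, nil))
	inter := must(mint("Example Intermediate", true, interEKU, 5*365*24*time.Hour, root))
	leaf := must(mint("example.test", false, oldStyleEKU, 45*24*time.Hour, inter))
	serverOK = must(chainAllows(leaf.cert, inter.cert, root.cert, x509.ExtKeyUsageServerAuth))
	clientOK = must(chainAllows(leaf.cert, inter.cert, root.cert, x509.ExtKeyUsageClientAuth))
	return serverOK, clientOK, int(leaf.cert.NotAfter.Sub(leaf.cert.NotBefore) / (24 * time.Hour))
}

func main() {
	srv, cli, days := demo(oldStyleEKU)
	fmt.Printf("old-style intermediate: serverAuth=%v clientAuth=%v leaf=%dd\n", srv, cli, days)
	srv, cli, days = demo(newStyleEKU)
	fmt.Printf("new-style intermediate: serverAuth=%v clientAuth=%v leaf=%dd\n", srv, cli, days)
}
```

With the old-style intermediate both usages verify; with the server-auth-only intermediate the same leaf still verifies for serverAuth but is rejected for clientAuth with IncompatibleUsage. Go, OpenSSL and the major browser and OS stacks all apply EKU to intermediates this way, but RFC 5280 leaves that behaviour to implementations, so a validator that inspects only the leaf may differ. If you rely on Let's Encrypt certificates for mTLS, test against the actual peers rather than assuming.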
Starting this week, some subscribers will begin receiving newly issued Y-generation certificates. The rollout also marks the official launch of Let's Encrypt's short-lived certificates, including certificates issued for IP addresses, which makes it possible to obtain a TLS certificate for a host that has no domain name. IP address certificates are offered only under the short-lived profile.
Shorter certificate lifetimes have been on the agenda for some time. Under a ballot adopted by the CA/Browser Forum, the maximum validity of publicly trusted TLS certificates is being reduced in stages, ending at a cap of 47 days (the final step of that schedule takes effect in March 2029). Let's Encrypt will stay below that ceiling with a maximum validity of 45 days. Beginning in 2026, early adopters can opt into 45-day certificates by selecting the corresponding ACME profile.
Let's Encrypt plans to set the default validity of all issued certificates to at most 64 days in 2027 and to reduce it further to 45 days in 2028. Ultimately, whether a certificate comes from Let's Encrypt or another CA, no publicly trusted TLS certificate will be valid for longer than 47 days. For operators this leaves no room for manual renewal; at these lifetimes, certificate issuance has to be fully automated and monitored.