{"id":8895,"date":"2025-12-03T10:03:35","date_gmt":"2025-12-03T10:03:35","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/03\/lets-encrypt-to-reduce-certificate-validity-from-90-days-to-45-days\/"},"modified":"2025-12-03T10:03:35","modified_gmt":"2025-12-03T10:03:35","slug":"lets-encrypt-to-reduce-certificate-validity-from-90-days-to-45-days","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/03\/lets-encrypt-to-reduce-certificate-validity-from-90-days-to-45-days\/","title":{"rendered":"Let\u2019s Encrypt to Reduce Certificate Validity from 90 Days to 45 Days"},"content":{"rendered":"<p>    Let\u2019s Encrypt to Reduce Certificate Validity from 90 Days to 45 Days<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>Let\u2019s Encrypt has officially announced plans to reduce the maximum validity period of its <a href=\"https:\/\/cybersecuritynews.com\/protecting-ssl-tls-certificates\/\" target=\"_blank\" rel=\"noreferrer noopener\">SSL\/TLS certificates<\/a> from 90 days to 45 days.<\/p>\n<p>The transition, which will be completed by 2028, aligns with broader industry shifts mandated by the CA\/Browser Forum Baseline Requirements.<\/p>\n<p>This move is designed to enhance internet security by limiting the window of compromise for stolen credentials and improving the efficiency of certificate revocation technologies.<\/p>\n<p>In addition to shortening certificate lifespans, the <a href=\"https:\/\/cybersecuritynews.com\/certificate-based-authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">Certificate Authority (CA)<\/a> will drastically reduce the \u201cauthorization reuse period,\u201d the duration for which a validated domain control remains active before re-verification is required.<\/p>\n<p>Currently set at 30 days, this period will shrink to just 7 hours by the final rollout phase in 2028.<\/p>\n<h2 class=\"wp-block-heading\" 
id=\"h-let-s-encrypt-validation-rollout-timeline\"><strong>Let\u2019s Encrypt Validation Rollout Timeline<\/strong><\/h2>\n<p>To minimize service disruption for millions of websites, Let\u2019s Encrypt is using ACME Profiles to stagger deployments. The changes will first be introduced via opt-in profiles before becoming the default standard for all users.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Date<\/th>\n<th>ACME Profile<\/th>\n<th>Policy Change<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>May 13, 2026<\/strong><\/td>\n<td>tlsserver (Opt-in)<\/td>\n<td>Profile switches to issuing 45-day certificates. Intended for testing and early adopters.<\/td>\n<\/tr>\n<tr>\n<td><strong>Feb 10, 2027<\/strong><\/td>\n<td>classic (Default)<\/td>\n<td>Default issuance moves to 64-day certificates with a <strong>10-day<\/strong> authorization reuse period.<\/td>\n<\/tr>\n<tr>\n<td><strong>Feb 16, 2028<\/strong><\/td>\n<td>classic (Default)<\/td>\n<td>Full enforcement of <strong>45-day<\/strong> certificates with a <strong>7-hour<\/strong> authorization reuse period.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>While most automated environments will handle these changes seamlessly, the shortened validity period necessitates a review of current renewal configurations.<\/p>\n<p>Administrators relying on hardcoded renewal intervals, such as a cron job running every 60 days, will face outages, as certificates will expire before the renewal triggers.<\/p>\n<p>Let\u2019s Encrypt advises that acceptable client behavior involves renewing certificates approximately two-thirds of the way through their lifetime.<\/p>\n<p>To facilitate this, the organization recommends enabling <a href=\"https:\/\/cybersecuritynews.com\/lets-encrypt-6-day-certificates\/\" target=\"_blank\" rel=\"noreferrer noopener\">ACME Renewal<\/a> Information (ARI), a feature that allows the CA to signal precisely when a client should 
renew.<\/p>\n<p>Manual certificate management is strongly discouraged, as the administrative burden of renewing every few weeks increases the likelihood of human error and expired certificates.<\/p>\n<p>The reduction in authorization reuse means clients must prove domain control more frequently. To address the friction this causes for users who cannot easily automate DNS updates, Let\u2019s Encrypt is collaborating with the IETF to standardize a new validation method: DNS-PERSIST-01.<\/p>\n<p>Expected to launch in 2026, this protocol allows for a static DNS TXT entry. Unlike the current DNS-01 challenge, which requires a new token for every renewal, DNS-PERSIST-01 permits the initial verification record to remain unchanged.<\/p>\n<p>This development will enable automated renewals for infrastructure where dynamic DNS updates are restricted or technically difficult, reducing the reliance on cached authorizations.<\/p>\n
<p>The post <a href=\"https:\/\/cybersecuritynews.com\/lets-encrypt-45-days-certificate\/\">Let\u2019s Encrypt to Reduce Certificate Validity from 90 Days to 45 Days<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Let\u2019s Encrypt to Reduce Certificate Validity from 90 Days to 45 Days Let\u2019s Encrypt has officially announced plans to reduce the maximum validity period of its SSL\/TLS certificates from 90 days to 45 days. The transition, which will be completed by 2028, aligns with broader industry shifts mandated by the CA\/Browser Forum Baseline Requirements. 
This [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,1263],"tags":[130],"class_list":["post-8895","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-ssl","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8895"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8895"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8895\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}