Let\u2019s Encrypt Unveils New \u201cGeneration Y\u201d Root and 45-Day Certificates
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Let\u2019s Encrypt, the nonprofit certificate authority powering free TLS\/SSL certificates for millions of websites, announced sweeping updates to its issuance policies.<\/p>\n
The changes introduce a new \u201cGeneration Y\u201d root hierarchy, deprecate TLS client authentication, and progressively shorten certificate lifetimes to align with CA\/Browser Forum requirements.<\/p>\n
To ensure a smooth transition, Let\u2019s Encrypt leverages ACME profiles<\/a>, giving users control over rollout timing. For most, no immediate action is needed.<\/p>\n Central to the update is the \u201cGeneration Y\u201d hierarchy: two new Root CAs and six Intermediate CAs, cross-signed by the existing \u201cGeneration X\u201d roots (X1 and X2).<\/p>\n This maintains broad trust compatibility. The new intermediates omit the TLS Client Authentication Extended Key Usage (EKU), addressing an upcoming root program mandate. Let\u2019s Encrypt previously detailed plans to end TLS Client Auth support from February 2026.<\/p>\n Profile-specific timelines vary. Users on the default classic profile<\/a> switch to Generation Y on May 13, 2026. Those needing legacy TLS client auth can stick with the tlsclient profile, which remains on Generation X until May 2026.<\/p>\n Meanwhile,\u00a0TLS server\u00a0and\u00a0short-lived\u00a0profiles shift to Generation Y this week, enabling opt-in short-lived certificates with IP address support. This marks general availability for short-lived certs, aiding automated renewals and reducing exposure windows.<\/p>\n Shortening lifetimes complies with evolving CA\/Browser Forum<\/a> Baseline Requirements. Next year, early adopters will test 45-day certificates via tlsserver. Defaults drop to 64 days in 2027, then 45 days in 2028, as detailed in Let\u2019s Encrypt\u2019s lifetime reduction post<\/a>.<\/p>\n Timeline Overview<\/strong><\/p>\n