
Let’s Encrypt Drops to 45-Day Certs by 2028 – Automate Now

Timeline visualization showing Let's Encrypt certificate validity reduction from 90 days to 45 days between 2026-2028

The Announcement: Every HTTPS Site Affected

Let’s Encrypt announced today (December 2, 2025) that it will reduce TLS certificate validity from 90 days to 45 days by February 2028, ahead of a CA/Browser Forum requirement that applies to every publicly trusted Certificate Authority. Renewals go from at least 4 per year to at least 8, and in practice more, because sensible automation renews well before expiry. Manual certificate management stops being realistic; automation is no longer optional. The change begins with an opt-in testing profile in May 2026, moves to 64-day certificates in February 2027, and reaches the final 45-day lifetime in February 2028.

This isn’t a Let’s Encrypt quirk you can avoid by switching providers. DigiCert, GlobalSign, Sectigo, and every other publicly trusted CA must meet the CA/Browser Forum’s mandate of a 47-day maximum validity by March 2029. Whether you run a personal blog or manage enterprise infrastructure, your certificate workflow is changing. If your automation isn’t ready, you’ll face outages.

The Timeline: Three Phases You Can’t Ignore

Let’s Encrypt is phasing the change in to give operators time to adapt. On May 13, 2026, the `tlsserver` ACME profile will begin issuing 45-day certificates as an opt-in option. The roughly 21 months between that date and the final cutover are your chance to find automation gaps in non-production environments. Organizations that skip this phase will find the same gaps when certificates start failing in production.

February 10, 2027 brings the first mandated change: the default `classic` ACME profile drops to 64-day certificates with a 10-day domain validation reuse period. This is the “warning shot” phase, short enough to surface problems, long enough that most modern automation should cope. Then on February 16, 2028, the final switch happens: 45-day certificates become the default, and domain validation reuse shrinks from the current 30 days to just 7 hours.

That 7-hour reuse window matters. Today you can prove control of a domain once and reuse that authorization for multiple issuances over 30 days. After February 2028 you have 7 hours. Workflows that validate in one step and issue in a later batch, or that wait on slow DNS propagation between the two, will need redesign; in effect, every issuance must be able to complete a fresh challenge on its own.

Industry-Wide Mandate: No Escape Routes

The CA/Browser Forum voted in April 2025, with 25 certificate issuers and all four major browser vendors (Google, Apple, Mozilla, Microsoft) in favor, to cap publicly trusted certificate lifetimes at 47 days by March 2029. Let’s Encrypt is going slightly further (45 days) and a year earlier, but the outcome is the same: every Certificate Authority must comply.

Bought certificates from DigiCert for $200/year? They’re moving to 47 days by 2029. GlobalSign? Same timeline. That expensive Extended Validation certificate that currently lasts about 13 months? It’ll be 47 days too. There is no premium tier that exempts you and no “enterprise exception.” Short certificate lifetimes are now the internet standard.

The stated justification is security: shorter validity limits the exposure window if a private key is compromised, and it reduces reliance on certificate revocation, which has never worked reliably at internet scale. In theory, a stolen key becomes useless within at most 45 days. In practice, the change forces infrastructure modernization whether you’re ready or not.

Automation Becomes Mandatory: Enter ARI

Eight or more renewals per year cannot be managed by hand; you’ll miss one. Let’s Encrypt knows this, which is why it ended email expiration notifications on June 4, 2025. There are no more “Your certificate expires in 14 days” reminders. If your automation fails and you don’t monitor expiry yourself, you discover the failure when your website goes down.

The replacement is ACME Renewal Information (ARI), standardized in RFC 9773, which lets a Certificate Authority tell ACME clients when each certificate should be renewed. When Let’s Encrypt needs a certificate renewed early, for instance ahead of a revocation or because of a security issue, the suggested window for that certificate moves forward. Your ACME client polls the renewal information endpoint, sees a window that has already opened, and renews. No human intervention required.

Popular ACME clients already support this. Recent Certbot releases honor ARI and, when no ARI window is available, renew once one third of the lifetime remains: for a 45-day certificate, that means renewal at 15 days remaining. Web servers with built-in ACME, such as Caddy, Traefik, and Nginx (which added native ACME support in August 2025), handle renewal transparently. If you’re using modern tooling, the transition might be seamless. If you’re running custom scripts from 2016, you have work to do.

Here’s a detail many developers will miss: renewals performed inside the ARI suggested window are exempt from Let’s Encrypt’s rate limits. Normally you’re capped at 50 certificates per registered domain per week; an ARI-timed renewal does not count against that cap. At twice the renewal frequency this matters: without ARI, busy domains risk hitting the limit during peak periods.
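The following Python is an added example, not code from Let’s Encrypt, Certbot, or the original post. It sketches the client side of ARI between renewals: building the certificate identifier that RFC 9773 requires in the renewal information request (base64url of the certificate’s Authority Key Identifier and of its DER-encoded serial number, joined by a dot), choosing a renewal instant uniformly inside the CA’s `suggestedWindow`, and falling back to the one-third-of-lifetime rule when no ARI response is available. The HTTPS fetch is omitted; the ARI response is a constructed sample in the RFC 9773 shape, the AKI and serial are the example values from that RFC, and the explanation URL is a placeholder.

```python
"""ARI helpers: certificate identifier, window selection, 1/3-lifetime fallback.

Added example, not Let's Encrypt or Certbot code. SAMPLE_ARI is a constructed
response in the RFC 9773 shape; a real client obtains it with an HTTPS GET to
<renewalInfo URL from the directory>/<cert_id> and honours the Retry-After header.
"""
import base64
import random
from datetime import datetime, timedelta, timezone


def der_integer(n: int) -> bytes:
    """Content octets of a DER INTEGER for a non-negative serial number.

    DER requires a leading 0x00 when the top bit of the first byte is set,
    so 0x87654321 encodes as 00 87 65 43 21, not 87 65 43 21.
    """
    if n < 0:
        raise ValueError("certificate serial numbers are positive")
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """RFC 9773 section 4.1 identifier: base64url(AKI keyIdentifier) '.' base64url(DER serial)."""
    return f"{b64url(aki_key_identifier)}.{b64url(der_integer(serial))}"


def _parse_rfc3339(ts: str) -> datetime:
    # datetime.fromisoformat only accepts a trailing 'Z' from Python 3.11 on; normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def choose_renewal_time(ari_response: dict, now: datetime, rng: random.Random) -> datetime:
    """Pick a uniformly random instant inside suggestedWindow (RFC 9773 section 4.2).

    Spreading renewals across the window avoids thundering herds at the CA.
    If the chosen instant is already in the past, renew immediately.
    """
    window = ari_response["suggestedWindow"]
    start, end = _parse_rfc3339(window["start"]), _parse_rfc3339(window["end"])
    if end <= start:
        raise ValueError("malformed suggestedWindow")
    chosen = start + timedelta(seconds=rng.uniform(0, (end - start).total_seconds()))
    return now if chosen < now else chosen


def fallback_renewal_time(not_before: datetime, not_after: datetime) -> datetime:
    """Renew when one third of the lifetime remains, the rule to use without ARI.

    For a 45-day certificate this is day 30, leaving 15 days to fix failures.
    """
    return not_before + (not_after - not_before) * 2 / 3


# Constructed sample data: AKI keyIdentifier and serial from the RFC 9773 example.
SAMPLE_AKI = bytes.fromhex("69885b6b87464041e1b37b847ba0ae2cde01c8d4")
SAMPLE_SERIAL = 0x87654321

# Constructed ARI response: the CA asks for renewal within a two-day window.
SAMPLE_ARI = {
    "suggestedWindow": {"start": "2028-03-01T00:00:00Z", "end": "2028-03-03T00:00:00Z"},
    "explanationURL": "https://example.invalid/why-renew-early",  # placeholder URL
}


def demo_results() -> dict:
    """Run the helpers against the constructed sample data."""
    now = datetime(2028, 2, 20, tzinfo=timezone.utc)
    chosen = choose_renewal_time(SAMPLE_ARI, now, random.Random(0))
    window_start = _parse_rfc3339(SAMPLE_ARI["suggestedWindow"]["start"])
    window_end = _parse_rfc3339(SAMPLE_ARI["suggestedWindow"]["end"])
    # A client that only wakes up after the window has closed must renew at once.
    late_now = datetime(2028, 3, 5, tzinfo=timezone.utc)
    not_before = datetime(2028, 2, 16, tzinfo=timezone.utc)
    not_after = not_before + timedelta(days=45)
    fallback = fallback_renewal_time(not_before, not_after)
    return {
        "cert_id": ari_cert_id(SAMPLE_AKI, SAMPLE_SERIAL),
        "chosen_in_window": window_start <= chosen <= window_end,
        "overdue_renews_now": choose_renewal_time(SAMPLE_ARI, late_now, random.Random(0)) == late_now,
        "fallback_date": fallback.date().isoformat(),
        "fallback_days_remaining": (not_after - fallback).days,
    }


if __name__ == "__main__":
    for key, value in demo_results().items():
        print(f"{key}: {value}")
```

The identifier check is the part most hand-rolled clients get wrong: the serial must be the DER integer bytes (with the 0x00 sign byte when needed), not the hex string printed by `openssl x509 -serial`. Note that this sketch deliberately omits the request itself; a production client should also cache the response until the `Retry-After` time and treat a missing or failed ARI lookup as a signal to fall back to the one-third rule rather than to skip renewal.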

What Breaks: Legacy Systems and Manual Workflows

Hardcoded renewal schedules are the first casualty. A cron job that renews on a fixed 60-day cycle will never fire in time for a 45-day certificate: the certificate expires 15 days before the job runs. Scripts that assume 90-day validity need updating to renew at a fraction of the lifetime rather than on a fixed calendar. Monitoring thresholds need the same treatment: an alert at 14 days remaining made sense for 90-day certificates, but for 45-day certificates renewal should already have happened at 15 days remaining, so alert at around 7 days, when a renewal is clearly overdue.

Manual workflows—still common in small businesses, air-gapped networks, and IoT devices—can’t realistically handle 8 renewals per year. One developer put it bluntly: “Smaller organizations with limited IT resources will be disproportionately affected. Frequent renewals without automated systems increase the chances of certificate expiration and downtime.”

Shared hosting providers need to upgrade too. If you’re using cPanel, Plesk, or DirectAdmin for SSL management, your host must update their automation before February 2027. That’s not something you control. Ask them now whether they’re ready, because “we’ll update eventually” won’t prevent your site from going offline.

Then there are the edge cases: Docker containers with certificate files bind-mounted from the host don’t pick up a renewed file until the process inside is reloaded or restarted. Load balancers that copy certificates from origin servers need API-driven updates, not manual uploads. Development and staging environments that “nobody monitors” will start failing certificate validation mid-test. Every certificate in your infrastructure, including production, staging, local dev, and CI/CD runners, needs automation.

The Security vs. Operations Debate

Let’s Encrypt’s position is clear: “This change helps improve the security of the internet, by limiting the scope of compromise, and making certificate revocation technologies more efficient.” Security researchers broadly agree. If an attacker steals your private key today with a 90-day certificate, they can impersonate you for up to 3 months. With 45-day certificates, that drops to at most 6 weeks. Combine that with ARI, which lets the CA push affected subscribers to renew ahead of a revocation, and the security posture genuinely improves.

However, DevOps teams are asking uncomfortable questions. Why 45 days specifically? Why not 60 or 75 days, which would still improve security while reducing operational burden? The CA/Browser Forum vote was decisive, with 25 CAs and all four browser vendors in favor, but community reactions on Hacker News show skepticism: some celebrate forced automation as overdue infrastructure hygiene, while others see vendors creating problems that require expensive enterprise certificate management products to solve.

One thing is certain: this change separates mature infrastructure from legacy systems. Organizations with automated deployment pipelines, infrastructure-as-code, and monitoring will handle 45-day certificates without noticing. Teams relying on tribal knowledge, manual processes, and “Steve remembers to renew it in March” are about to have a bad time. There’s no moral judgment here—it’s resource allocation. Small teams don’t have unlimited time to refactor certificate workflows. But physics doesn’t care about your budget, and neither do certificate expiration timers.

Key Takeaways

  • Let’s Encrypt announced today (December 2, 2025) that certificates will drop from 90 days to 45 days by February 2028
  • ALL publicly trusted Certificate Authorities must comply (DigiCert, GlobalSign, Sectigo moving to 47 days by March 2029); there is no escape route
  • Testing begins May 2026 with the opt-in 45-day `tlsserver` profile; the default profile moves to 64 days in February 2027 and 45 days in February 2028
  • Manual renewal is impossible at 8+ renewals per year; automation with ACME and ARI becomes mandatory
  • Email expiration notifications ended June 4, 2025; put your own expiry monitoring in place now and use an ARI-aware client
  • Audit ALL certificates (production, staging, dev), test automation against the opt-in profile in May 2026, and eliminate manual workflows
  • Hardcoded 60-day renewal schedules, legacy systems without ACME, and shared hosting without updated automation WILL break
ByteBot