SSL Calendar Logo SSLCalendar
Let's Encrypt Moves to 45-Day Certificates on May 13

Let's Encrypt Moves to 45-Day Certificates on May 13

On May 13, 2026, Let's Encrypt will begin issuing 45-day certificates, forcing automation for all users. Here's what you need to do to prepare.

In one week, Let’s Encrypt starts pushing certificate lifetimes down hard. Starting May 13, 2026, the nonprofit certificate authority will switch its tlsserver ACME profile to issue 45-day certificates—the shortest-lived public certificates ever issued at scale. For early adopters and testing environments, this change is optional. For everyone else, the message is blunt: automate this or eventually miss one.

What’s Changing on May 13

Let’s Encrypt is rolling out the 45-day certificates through its tlsserver ACME profile, which is available for early adopters to opt into immediately. Think of it as the test lane before the wider rollout.

Here’s the timeline:

  • May 13, 2026 (this week): tlsserver ACME profile switches to 45-day certificates (opt-in)
  • February 10, 2027: Let’s Encrypt will switch its classic ACME profile to 64-day certificates with 10-day authorization reuse
  • February 16, 2028: Further update to 45-day certificates with 7-hour authorization reuse (default)

Why This Matters

A 45-day certificate validity period means you must renew your certificates roughly eight times per year. For any organization relying on manual certificate renewal processes—or worst-case, manual issuance and installation—this is unsustainable.

  • Automation is mandatory: You cannot manually renew certificates every 45 days without eventually missing a deadline.
  • No room for error: With shorter validity periods, a missed renewal means your website goes down, fast.
  • Compliance risk: If you’re running unmonitored internal services or legacy systems, they’ll expire silently.
  • Operational burden: Teams without proper tooling will struggle to manage inventory, renewals, and monitoring across dozens or hundreds of certificates.

Let’s Encrypt serves roughly half of all publicly trusted SSL certificates. When it changes defaults, the rest of the web has to pay attention. The CA/Browser Forum has already mandated the same direction; Let’s Encrypt is just getting there early.

The Industry Context

This isn’t happening in isolation. The CA/Browser Forum voted in April 2025 (Ballot SC-081v3) to compress certificate lifetimes aggressively:

  • March 15, 2026 (already in effect): Maximum validity reduced from 398 days to 200 days
  • March 15, 2027: Further reduced to 100 days
  • March 15, 2029: Final deadline of 47 days for all TLS certificates

Let’s Encrypt is accelerating this timeline. By moving to 45 days before 2029, they’re pushing the industry to automate sooner rather than later.

What You Need to Do

If you use Let’s Encrypt:

  • Check your automation: Verify that your ACME client is configured to renew before expiration. Most modern clients (certbot, acme.sh, Caddy, nginx, Apache with mod_md) handle this automatically.
  • Test early: Don’t wait until February 2027 when classic profiles change. Migrate to the tlsserver profile and test with 45-day certificates now.
  • Monitor for renewal failures: Even with automation, things break. Set up monitoring and alerts for certificate expiration dates so you catch failures immediately.
  • Review internal infrastructure: Check for non-web services, internal APIs, or IoT devices that use certificates. Many of these aren’t automated.

If you use another CA:

Even if you’re not on Let’s Encrypt, your CA is likely considering shorter lifetimes. Be proactive: audit your certificate inventory, verify your renewal processes, and ensure monitoring is in place. The industry standard will be 47 days by 2029.

Why This Is Good (Yes, Really)

Shorter certificate lifetimes reduce the window of exposure if a certificate is compromised or mis-issued. They also reduce the impact of revocation failures—if a certificate is only valid for 45 days, even if revocation infrastructure is down, the certificate expires within weeks. Automation also reduces human error, which is how most certificate outages happen.

But there’s no denying the operational cost. Teams without modern tooling will struggle.

Lessons from History

Forgotten certificate renewals have already taken down Microsoft Teams, Spotify integrations, Alaska Airlines systems, and plenty of smaller services nobody wrote a postmortem about. Shorter certificates help only if renewal is automated and monitored.

Prepare Before May 13

You have one week before the tlsserver profile switches. If you’re running Let’s Encrypt in production, now is the time to:

  • Test your ACME client and renewal scripts
  • Verify your monitoring is working
  • Document your certificate inventory
  • Train your team on the new process (or automate it if you haven’t already)

If you do not already have a reliable expiry view, SSLcalendar.com gives you calendar-based reminders. For broader TLS checks and vulnerability scanning, SSLboard.com can survey the whole portfolio.

Sources: Let’s Encrypt - Decreasing Certificate Lifetimes to 45 Days, DigiCert - TLS Certificate Lifetimes Will Officially Reduce to 47 Days, Sectigo - 200-Day SSL/TLS Certificate Lifespans