Let’s Encrypt to Reduce Certificate Validity from 90 Days to 45 Days
Let’s Encrypt has officially announced plans to reduce the maximum validity period of its SSL/TLS certificates from 90 days to 45 days.
The transition, which will be completed by 2028, aligns with broader industry shifts mandated by the CA/Browser Forum Baseline Requirements.
This move is designed to enhance internet security by limiting the window of compromise for stolen credentials and improving the efficiency of certificate revocation technologies.
In addition to shortening certificate lifespans, the Certificate Authority (CA) will drastically reduce the “authorization reuse period,” the duration for which a validated domain control remains active before re-verification is required.
Currently set at 30 days, this period will shrink to just 7 hours by the final rollout phase in 2028.
Let’s Encrypt Validation Rollout Timeline
To minimize service disruption for millions of websites, Let’s Encrypt is using ACME Profiles to stagger deployments. The changes will first be introduced via opt-in profiles before becoming the default standard for all users.
While most automated environments will handle these changes seamlessly, the shortened validity period necessitates a review of current renewal configurations.
Administrators relying on hardcoded renewal intervals, such as a cron job running every 60 days, will face outages, as certificates will expire before the renewal triggers.
Let’s Encrypt advises that acceptable client behavior involves renewing certificates approximately two-thirds of the way through their lifetime.
To facilitate this, the organization recommends enabling ACME Renewal Information (ARI), a feature that allows the CA to signal precisely when a client should renew.
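As an added illustration (not code from Let’s Encrypt or any ACME client) of why a fixed 60-day cron breaks under 45-day certificates while the two-thirds rule and ARI do not, the following models the three renewal strategies. The ARI response and all timestamps are constructed; the `suggestedWindow` field follows the ARI specification (RFC 9773).

```python
"""Renewal timing for short-lived certificates: the two-thirds rule, a fixed
cron interval, and an ARI suggestedWindow. Added example; not the code of
Let's Encrypt or of any ACME client."""
import json
import random
from datetime import datetime

def renewal_due(not_before, not_after, now):
    """Two-thirds rule: renew once 2/3 of the certificate lifetime has elapsed."""
    return now >= not_before + (not_after - not_before) * 2 / 3

def expired_days_fixed_cron(lifetime_days, cron_interval_days, horizon_days=365):
    """Days an expired cert is served when renewal runs every N days
    regardless of how long the issued certificate is actually valid."""
    expired = 0
    for day in range(horizon_days):
        last_issue = (day // cron_interval_days) * cron_interval_days
        if day - last_issue >= lifetime_days:
            expired += 1
    return expired

def expired_days_two_thirds(lifetime_days, horizon_days=365):
    """Same horizon with a daily check that renews at two-thirds of lifetime."""
    expired, issued = 0, 0
    for day in range(horizon_days):
        if day - issued >= lifetime_days * 2 / 3:
            issued = day                      # renewal assumed to succeed same day
        if day - issued >= lifetime_days:
            expired += 1
    return expired

def parse_ts(s):
    """RFC 3339 timestamp with trailing Z -> aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def ari_renewal_time(ari_json, now, rng=random):
    """Pick a renewal time from an ARI renewalInfo response: a uniform random
    point inside suggestedWindow; if that point is already past, renew now."""
    window = json.loads(ari_json)["suggestedWindow"]
    start, end = parse_ts(window["start"]), parse_ts(window["end"])
    chosen = start + (end - start) * rng.random()
    return now if chosen < now else chosen

# Constructed sample ARI response (not a real CA's output)
SAMPLE_ARI = json.dumps({"suggestedWindow": {"start": "2026-01-31T00:00:00Z",
                                             "end": "2026-02-01T00:00:00Z"}})

if __name__ == "__main__":
    print("60-day cron, 90-day cert: expired days/yr =", expired_days_fixed_cron(90, 60))
    print("60-day cron, 45-day cert: expired days/yr =", expired_days_fixed_cron(45, 60))
    print("two-thirds rule, 45-day cert: expired days/yr =", expired_days_two_thirds(45))
```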
Manual certificate management is strongly discouraged, as the administrative burden of renewing every few weeks increases the likelihood of human error and expired certificates.
The reduction in authorization reuse means clients must prove domain control more frequently. To address the friction this causes for users who cannot easily automate DNS updates, Let’s Encrypt is collaborating with the IETF to standardize a new validation method: DNS-PERSIST-01.
Expected to launch in 2026, this protocol allows for a static DNS TXT entry. Unlike the current DNS-01 challenge, which requires a new token for every renewal, DNS-PERSIST-01 permits the initial verification record to remain unchanged.
This development will enable automated renewals for infrastructure where dynamic DNS updates are restricted or technically difficult, reducing the reliance on cached authorizations.