Abstract

The CA/Browser Forum set 47-day certificates as the target for 2029. Let’s Encrypt decided to implement it a year earlier.

In December 2025, Let’s Encrypt announced their roadmap to cut certificate lifetimes from 90 days to 45 days by February 2028, a full year ahead of the industry mandate.

It’s exactly what we’d expect from the CA that made automation mandatory from day one.

The timeline

Right now, Let’s Encrypt certificates are valid for 90 days with a 30-day authorization reuse period. That means once you prove you control a domain, you can issue certificates for it without re-validating for the next month.

Here’s how that’s changing:

  • May 2026: Opt-in 45-day certificates become available, so early adopters and anyone who wants to test their automation can switch.
  • February 2027: Certificate lifetimes drop to 64 days, with 10-day authorization reuse.
  • February 2028: Certificate lifetimes drop to 45 days, with 7-hour authorization reuse. This is the new normal.

Let’s Encrypt is giving you staging environment access about a month before each production date.

Why Let’s Encrypt is going first

Let’s Encrypt was built for automation. They’ve always assumed you’re not manually renewing certificates. Their entire architecture, from the ACME protocol to rate limits to their support model, assumes automated clients.

If your renewals are already automated, going from 90 days to 45 days or even 6 days is a trivial detail. Your client just runs slightly more often.

The people who will struggle are the ones who were never really automated in the first place. The ones running certbot manually every few months. The ones with “renew certificates” as a recurring calendar reminder. We can help you.

Authorization reuse is the bigger change

Certificate lifetime gets all the headlines, but authorization reuse going from 30 days to 7 hours is arguably more disruptive.

Today, you can validate a domain and issue multiple certificates over the next month without re-validating. Need a cert for staging? Already validated. Spinning up a new subdomain? Already validated. That flexibility disappears.

With 7-hour authorization reuse, every certificate request essentially requires fresh validation. If your automation assumes you can batch certificate operations across a day, that breaks.

That’s why delegated DNS validation is important. It lets you offload the constant work of updating your validation tokens to a dedicated service (like CertKit). You just set up a CNAME once, and your certificate service handles the TXT record updates without needing your DNS credentials.

DNS-PERSIST-01 makes it even easier, letting you set a single DNS record for the entire domain. The new validation method lets you authorize a CA once and skip re-validation entirely. Let’s Encrypt committed to implementing it in 2026, explicitly as an enabler for shorter certificate lifetimes.

What you need to do

If you’re running a modern Certbot with default settings, you’re probably fine. Certbot 4.1.0 (released June 2025) added support for ACME Renewal Information (ARI), which lets the CA tell your client when to renew. With ARI enabled, Certbot automatically adjusts to whatever certificate lifetime Let’s Encrypt issues.

Check your version:

certbot --version

If you’re below 4.1.0, it’s time to upgrade. Or better yet, switch to centralized certificate automation.

The thing that will break you is hardcoded renewal intervals. If your automation says “renew every 60 days” regardless of certificate lifetime, that stops working in February 2028. A 45-day certificate renewed at 60 days is an expired certificate.
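
As an added illustration (not code from Let’s Encrypt, Certbot or CertKit), the Python example below measures how long a certificate sits expired under a fixed renewal interval, then schedules renewal from the certificate’s own validity period or from an ARI response instead. The function names, the one-third-remaining fallback, and the sample dates and ARI body are assumptions constructed for this example; the suggestedWindow field follows the ARI specification (RFC 9773).

```python
import json
import random
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2028-03-29T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def expired_gap(not_before, not_after, interval_days):
    """Time a certificate spends expired if renewed a fixed interval after issuance."""
    renew_at = not_before + timedelta(days=interval_days)
    return max(timedelta(0), renew_at - not_after)

def renewal_time(not_before, not_after, ari_body=None, rng=random):
    """Return when to renew: inside the ARI suggestedWindow when the CA supplies
    one, otherwise with one third of the lifetime remaining (assumed policy)."""
    if ari_body:
        try:
            window = json.loads(ari_body)["suggestedWindow"]
            start, end = parse_ts(window["start"]), parse_ts(window["end"])
            if start < end:
                # Pick a random point in the window so clients do not all renew at once.
                return start + (end - start) * rng.random()
        except (ValueError, KeyError, TypeError):
            pass  # malformed ARI response: fall back to the lifetime-based rule
    return not_after - (not_after - not_before) / 3

def is_due(renew_at, now):
    """A renewal time at or before 'now' (for example an ARI window moved into
    the past after a revocation event) means renew immediately."""
    return now >= renew_at

# Constructed sample data: a 45-day certificate and an ARI response body.
ISSUED = datetime(2028, 3, 1, tzinfo=timezone.utc)
EXPIRES = ISSUED + timedelta(days=45)
SAMPLE_ARI = ('{"suggestedWindow": {"start": "2028-03-29T00:00:00Z", '
              '"end": "2028-03-31T00:00:00Z"}}')

if __name__ == "__main__":
    print("expired for:", expired_gap(ISSUED, EXPIRES, 60))
    print("lifetime-based:", renewal_time(ISSUED, EXPIRES))
    print("ARI-based:", renewal_time(ISSUED, EXPIRES, SAMPLE_ARI))
```
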

CertKit and the 45-day future

CertKit uses Let’s Encrypt as our preferred certificate issuer. When their timelines change, our renewal cycles adapt automatically. You won’t need to reconfigure anything.

We’ve added ARI support to our roadmap to ensure we’re renewing at exactly the right time rather than relying on static intervals. When Let’s Encrypt tells us a certificate needs early renewal (like after a revocation event), we’ll respond immediately.

Certificate lifetimes will keep getting shorter. That won’t matter to you. Certificates in CertKit are always automatically renewed and refreshed. That’s the whole point.


CertKit automates certificate lifecycle management so certificate lifetimes are someone else’s problem.
