Decreasing Certificate Lifetimes to 45 Days

Web security on a 45‑day timer: some cheer, others reach for the pager

TLDR: Let’s Encrypt will shrink website certificate lifetimes to 45 days by 2028, with tighter domain checks, to boost security. The community is split between automation-loving supporters and nervous operators worried about outages—with jokes about “picosecond certs” and cautious optimism for new tools that may ease the pain.

Let’s Encrypt just put website security on a diet: by 2028, its “padlock” certificates will last 45 days instead of 90, with domain checks expiring in just 7 hours. The internet’s watchdogs (an industry group called the CA/Browser Forum) are pushing everyone this way. Cue chaos in the comments.

The split is sharp. Fans like ZeroConcerns say this is the future—automation all the way, shorter lifespans mean safer sites, and the web is better for it. Skeptics like jakeogh fire back with the spicy question, “Why not an hour?” warning that a single hiccup can nuke a site. Meanwhile, ops folks like kyledrake are already hearing phantom pagers: shorter windows mean less time to notice and fix broken renewals.

There’s real meat behind the drama: staged rollouts start in 2026, with a 64‑day middle phase in 2027 before the 45‑day finish in 2028. Let’s Encrypt says most users with auto‑renewal won’t need changes and points to a renewal helper called ARI, plus a new DNS trick in the works—DNS‑PERSIST‑01, which keeps one static record for proving domain control, hyped by secret‑noun as “very exciting”.

And the memes? bravetraveler wins: “It’s 2055, certs last picoseconds.” Security vs. sleep: choose your fighter.

Key Points

  • Let’s Encrypt will reduce certificate validity from 90 to 45 days by 2028, aligning with CA/Browser Forum Baseline Requirements.
  • Authorization reuse periods will drop from 30 days to 7 hours by 2028 to enhance security and revocation efficacy.
  • Rollout timeline: May 13, 2026 (tlsserver profile to 45 days), Feb 10, 2027 (classic profile to 64 days, 10-day reuse), Feb 16, 2028 (classic profile to 45 days, 7-hour reuse).
  • Let’s Encrypt recommends using ACME Renewal Information (ARI) and renewing at about two-thirds of a certificate’s lifetime; manual renewals are discouraged.
  • A new DNS challenge type, DNS-PERSIST-01, is expected in 2026 to simplify domain validation by keeping a persistent DNS TXT entry.
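
An added example, not code from Let's Encrypt or from this page: a monitoring check built on the two-thirds renewal point, set beside the common fixed "alert when fewer than 30 days remain" rule to show how that rule misfires on 45-day certificates. The function names, the two-day grace period and the sample certificates are assumptions made for illustration, and the check does not query ARI.

```python
import ssl
from datetime import datetime, timedelta, timezone

def validity_window(peercert):
    """(notBefore, notAfter) as UTC datetimes from an ssl getpeercert() dict."""
    return tuple(
        datetime.fromtimestamp(ssl.cert_time_to_seconds(peercert[k]), timezone.utc)
        for k in ("notBefore", "notAfter")
    )

def renewal_status(peercert, now, grace=timedelta(days=2)):
    """Classify a certificate against the two-thirds-of-lifetime renewal point.

    grace is an assumed allowance for retries before a late renewal pages someone.
    """
    not_before, not_after = validity_window(peercert)
    renew_at = not_before + (not_after - not_before) * 2 / 3
    if now >= not_after:
        state = "expired"
    elif now >= renew_at + grace:
        state = "renewal-overdue"  # automation should have replaced this cert
    elif now >= renew_at:
        state = "renewal-due"
    else:
        state = "ok"
    return state, renew_at, not_after - now

def fixed_threshold_alert(peercert, now, days=30):
    """Legacy-style check: alert when fewer than `days` remain before expiry."""
    return validity_window(peercert)[1] - now < timedelta(days=days)

# Constructed sample certificates (validity fields only), both issued 1 Jan 2027.
CERT_90 = {"notBefore": "Jan  1 00:00:00 2027 GMT", "notAfter": "Apr  1 00:00:00 2027 GMT"}
CERT_45 = {"notBefore": "Jan  1 00:00:00 2027 GMT", "notAfter": "Feb 15 00:00:00 2027 GMT"}

if __name__ == "__main__":
    for now in (datetime(2027, 1, 20, tzinfo=timezone.utc),
                datetime(2027, 2, 3, tzinfo=timezone.utc)):
        for name, cert in (("90-day", CERT_90), ("45-day", CERT_45)):
            state, renew_at, left = renewal_status(cert, now)
            print(f"{now:%Y-%m-%d} {name}: {state:16} renew_at={renew_at:%Y-%m-%d} "
                  f"left={left.days}d fixed-30d-alert={fixed_threshold_alert(cert, now)}")
```

On 20 January the 45-day certificate is healthy and not yet due for renewal, yet the fixed 30-day rule already alerts; by 3 February the lifetime-relative check reports it overdue with 12 days left.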

Hottest takes

"this is just something you only do via an automated API" — ZeroConcerns
"Why? Why not an hour? A ssl failure is a very effective way to shut down a site" — jakeogh
"The year is 2055, certificate lifetimes are measured in picoseconds" — bravetraveler