Upcoming Changes to Let's Encrypt Certificates
4 days ago
- #SSL Certificates
- #Let’s Encrypt
- #Cybersecurity
- Let’s Encrypt is introducing updates including new root certificates, deprecation of TLS client authentication, and shorter certificate lifetimes.
- Two new Root CAs and six new Intermediate CAs (collectively 'Generation Y') are being introduced, cross-signed from existing 'Generation X' roots.
- Default classic profile users will switch to Generation Y hierarchy on May 13, 2026, with no TLS Client Authentication support.
- TLS Client Authentication will end in February 2026, with a tlsclient profile available until May 2026 for users needing more time.
- tlsserver and shortlived profiles will start issuing Generation Y certificates this week, including short-lived certificates with IP Address support.
- Certificate lifetimes will be shortened to 45 days by 2028, with opt-in 45-day certificates available in 2025 for testing.
- Most users require no action, but are encouraged to review detailed blog posts for each change.