{"id":31729,"date":"2026-03-12T16:16:36","date_gmt":"2026-03-12T16:16:36","guid":{"rendered":"https:\/\/www.dotcom-monitor.com\/blog\/?p=31729"},"modified":"2026-04-13T23:30:36","modified_gmt":"2026-04-13T23:30:36","slug":"lets-encrypt-45-day-certificate-expiration","status":"publish","type":"post","link":"https:\/\/www.dotcom-monitor.com\/blog\/lets-encrypt-45-day-certificate-expiration\/","title":{"rendered":"Let\u2019s Encrypt 45-Day Certificate Expiration: Monitoring & More"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

TLS certificate lifetimes are shrinking fast \u2014 and that changes how every organization handles renewals, validation, and outage prevention. Let’s Encrypt has confirmed it will move from 90-day certificates to 45-day certificates (with staged rollouts) and dramatically shorten authorization reuse windows. At the same time, the CA\/Browser Forum’s Ballot SC-081v3<\/a> has adopted a broader industry schedule that ultimately caps public TLS certificates at 47 days by March 15, 2029.<\/p>

For teams managing dozens \u2014 or thousands \u2014 of certificates, the real story isn’t “shorter certs.” It’s higher renewal velocity, tighter validation reuse, and a much smaller margin for operational error.<\/strong> Website monitoring and alerting become non-negotiable.<\/p>

What Is Changing in SSL\/TLS Certificate Lifetimes?<\/h2>

The 45-Day Policy (Let’s Encrypt)<\/h3>

Let’s Encrypt currently issues certificates valid for 90 days, and will cut that to 45 days by 2028. This is not a sudden “flip of a switch.” Let’s Encrypt is rolling it out in stages using ACME Profiles:<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t
\n\t\t\t\n\t\t\t\t
Date<\/div><\/div><\/div><\/th>
Change<\/div><\/div><\/div><\/th>
Authorization Reuse<\/div><\/div><\/div><\/th>
Profile Affected<\/div><\/div><\/div><\/th><\/tr><\/thead>\n\t\t\t\t\t\t\t\t
May 13, 2026<\/span> Phase 1<\/span><\/div><\/div><\/div><\/td>
Opt-in tlsserver<\/code> profile issues 45-day certificates<\/div><\/div><\/div><\/td>
30 days (unchanged)<\/div><\/div><\/div><\/td>
Early adopters \/ testing<\/div><\/div><\/div><\/td><\/tr>
Feb 10, 2027<\/span> Phase 2<\/span><\/div><\/div><\/div><\/td>
Default classic<\/code> profile shifts to 64-day certificates<\/div><\/div><\/div><\/td>
Reduced to 10 days<\/strong><\/div><\/div><\/div><\/td>
All users not on tlsserver<\/code> or shortlived<\/code><\/div><\/div><\/div><\/td><\/tr>
Feb 16, 2028<\/span> Phase 3<\/span><\/div><\/div><\/div><\/td>
Default classic<\/code> profile moves to 45-day certificates<\/div><\/div><\/div><\/td>
Reduced to 7 hours<\/strong><\/div><\/div><\/div><\/td>
All users on default profile<\/div><\/div><\/div><\/td><\/tr><\/tbody>\n\t\t\t<\/table>\n\t\t<\/div>\n\n\t\t<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Key Takeaway<\/strong><\/p>

The authorization reuse period matters as much as the certificate lifetime itself. It is the time window during which prior domain-control validation can be reused to issue additional certificates. Let’s Encrypt will reduce that from 30 days to just 7 hours by 2028 \u2014 making reliable ACME automation mandatory, not optional.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The Industry Baseline: 47 Days (CA\/Browser Forum)<\/h3>

The CA\/Browser Forum’s Ballot SC-081v3 introduced a phased schedule that reduces maximum public TLS certificate validity to 200 days (2026),<\/strong> 100 days (2027),<\/strong> and 47 days (2029).<\/strong><\/p>

Let’s Encrypt’s “45 days” is fully compatible with the industry’s “47 days” maximum \u2014 Let’s Encrypt is simply planning to reach that end state one year earlier than the CA\/B Forum mandate requires.<\/p>

Why Are Certificate Lifetimes Being Reduced?<\/h2>

Shorter lifetimes are a security and resilience play, driven by four interconnected goals:<\/p>