{"id":31729,"date":"2026-03-12T16:16:36","date_gmt":"2026-03-12T16:16:36","guid":{"rendered":"https:\/\/www.dotcom-monitor.com\/blog\/?p=31729"},"modified":"2026-04-13T23:30:36","modified_gmt":"2026-04-13T23:30:36","slug":"lets-encrypt-45-day-certificate-expiration","status":"publish","type":"post","link":"https:\/\/www.dotcom-monitor.com\/blog\/lets-encrypt-45-day-certificate-expiration\/","title":{"rendered":"Let\u2019s Encrypt 45-Day Certificate Expiration: Monitoring & More"},"content":{"rendered":"\t\t
TLS certificate lifetimes are shrinking fast \u2014 and that changes how every organization handles renewals, validation, and outage prevention. Let’s Encrypt has confirmed it will move from 90-day certificates to 45-day certificates (with staged rollouts) and dramatically shorten authorization reuse windows. At the same time, the CA\/Browser Forum’s Ballot SC-081v3<\/a> has adopted a broader industry schedule that ultimately caps public TLS certificates at 47 days by March 15, 2029.<\/p> For teams managing dozens \u2014 or thousands \u2014 of certificates, the real story isn’t “shorter certs.” It’s higher renewal velocity, tighter validation reuse, and a much smaller margin for operational error.<\/strong> Website monitoring and alerting become non-negotiable.<\/p> Let’s Encrypt currently issues certificates valid for 90 days, and will cut that to 45 days by 2028. This is not a sudden “flip of a switch.” Let’s Encrypt is rolling it out in stages using ACME Profiles:<\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t Key Takeaway<\/strong><\/p> The authorization reuse period matters as much as the certificate lifetime itself. It is the time window during which prior domain-control validation can be reused to issue additional certificates. Let’s Encrypt will reduce that from 30 days to just 7 hours by 2028 \u2014 making reliable ACME automation mandatory, not optional.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t The CA\/Browser Forum’s Ballot SC-081v3 introduced a phased schedule that reduces maximum public TLS certificate validity to 200 days (2026),<\/strong> 100 days (2027),<\/strong> and 47 days (2029).<\/strong><\/p> Let’s Encrypt’s “45 days” is fully compatible with the industry’s “47 days” maximum \u2014 Let’s Encrypt is simply planning to reach that end state one year earlier than the CA\/B Forum mandate requires.<\/p> Shorter lifetimes are a security and resilience play, driven by four interconnected goals:<\/p> Here is the practical storyline behind the progression from 825 days to 45 days:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\tWhat Is Changing in SSL\/TLS Certificate Lifetimes?<\/h2>
The 45-Day Policy (Let’s Encrypt)<\/h3>
\n\t\t\t\t
tlsserver<\/code> profile issues 45-day certificates<\/div><\/div><\/div><\/td>classic<\/code> profile shifts to 64-day certificates<\/div><\/div><\/div><\/td>tlsserver<\/code> or shortlived<\/code><\/div><\/div><\/div><\/td><\/tr>classic<\/code> profile moves to 45-day certificates<\/div><\/div><\/div><\/td>The Industry Baseline: 47 Days (CA\/Browser Forum)<\/h3>
Why Are Certificate Lifetimes Being Reduced?<\/h2>
Timeline of Certificate Lifetime Reductions<\/h2>