Why the intermediate jump to 64 day certs, why not go directly to 45 day certs

Why the intermediate jump to 64 day certs, why not go directly to 45 day certs?

Considering Let’s Encrypt will have no issue staying compliant with SC-081v3 requirements until 15 March 2027, unlike other CAs, which need to shorten their cert lifetimes a year earlier.

LE expressed concern that there are ACME clients that renew after 60 days. This interim step allows them more time. Sure, we can argue the "shoulds", but ... By 2028, when LE switches Classic to 45 days, this should be little surprise and not cause unintended outages due to expired certs. Hopefully before then people have switched to using an ACME client that supports ARI :)

From their blog post: Decreasing Certificate Lifetimes to 45 Days - Let's Encrypt

If your client doesn’t support ARI yet, ensure it runs on a schedule that is compatible with 45-day certificates. For example, renewing at a hardcoded interval of 60 days will no longer be sufficient. Acceptable behavior includes renewing certificates at approximately two thirds of the way through the current certificate’s lifetime.

5 Likes

Yep, that's exactly it. We're aware of a number of clients that renew every 60 days, rather than renewing a certain percentage of the way through the certificate lifetime (or better yet, following ARI). Reducing directly to 45 days would break those clients, which we'd like to avoid. Reducing to 64 days will hopefully generate enough impending expiration warnings, or enough general press, for those site operators to become aware of the change and update their ACME clients.

9 Likes
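The scheduling rule discussed in the two posts above (renew at a fraction of the lifetime, or follow the ARI suggested window, rather than on a hardcoded 60-day interval), as an added example that is not code from the original thread or from Let's Encrypt. It uses only the Python standard library; the certificate dates, the ARI `renewalInfo` response and the AKI/serial values are constructed here for illustration. `ari_cert_id` builds the certificate identifier the way RFC 9773 specifies it (base64url of the AKI keyIdentifier, a dot, base64url of the DER INTEGER content bytes of the serial, no padding), and `choose_ari_renewal_time` applies the RFC's selection rule: pick a uniform random instant inside the window and renew immediately if that instant is already in the past.

```python
"""Renewal scheduling for short-lived ACME certificates (added example).

Compares a hardcoded renewal interval, a fraction-of-lifetime rule and an
ARI suggested window against 90-, 64- and 45-day certificate lifetimes.
All inputs below are constructed; nothing talks to a real ACME server.
"""
import base64
import json
import random
from datetime import datetime, timedelta, timezone
from typing import Optional


def parse_rfc3339(s: str) -> datetime:
    """Parse the RFC 3339 timestamps used in ARI responses ("...Z" suffix)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def renew_at_fraction(not_before: datetime, not_after: datetime,
                      fraction: float = 2 / 3) -> datetime:
    """Renewal instant at `fraction` of the cert lifetime (LE suggests ~2/3)."""
    if not 0 < fraction < 1:
        raise ValueError("fraction must be strictly between 0 and 1")
    return not_before + (not_after - not_before) * fraction


def fixed_interval_is_safe(interval_days: int, lifetime_days: int,
                           slack_days: int = 1) -> bool:
    """Does 'renew every N days' still renew before expiry?

    A cron job that fires once a day can run up to `slack_days` late, so the
    cert must outlive the interval plus that slack.
    """
    return interval_days + slack_days < lifetime_days


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """RFC 9773 certificate ID: base64url(AKI) '.' base64url(serial DER bytes).

    The serial is encoded as the content bytes of a DER INTEGER, which means a
    leading 0x00 when the high bit is set (the sign bit of DER integers).
    """
    if serial < 0:
        raise ValueError("X.509 serial numbers are non-negative")
    length = max(1, (serial.bit_length() + 8) // 8)  # +1 sign bit, round up
    serial_bytes = serial.to_bytes(length, "big")

    def b64url(b: bytes) -> str:
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

    return f"{b64url(aki_key_identifier)}.{b64url(serial_bytes)}"


def choose_ari_renewal_time(renewal_info: dict, now: datetime,
                            rng: Optional[random.Random] = None) -> datetime:
    """Pick a renewal instant from an ARI renewalInfo object.

    RFC 9773: select a uniform random time inside suggestedWindow; if that
    time has already passed, attempt renewal immediately (i.e. return `now`).
    """
    rng = rng or random.Random()
    window = renewal_info["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end <= start:
        raise ValueError("ARI window end must be after start")
    chosen = start + (end - start) * rng.random()
    return max(chosen, now)


def compare_strategies(not_before: datetime, lifetimes=(90, 64, 45),
                       fixed_days: int = 60) -> dict:
    """For each lifetime: is a fixed N-day interval safe, and on which day
    (fractional) would the 2/3-of-lifetime rule renew instead?"""
    rows = {}
    for days in lifetimes:
        not_after = not_before + timedelta(days=days)
        due = renew_at_fraction(not_before, not_after)
        rows[days] = {
            "fixed_interval_safe": fixed_interval_is_safe(fixed_days, days),
            "fraction_renew_day": round((due - not_before).total_seconds() / 86400, 2),
        }
    return rows


# Constructed ARI response, shaped like an RFC 9773 renewalInfo object.
SAMPLE_RENEWAL_INFO = json.loads("""{
  "suggestedWindow": {"start": "2026-05-01T00:00:00Z", "end": "2026-05-03T00:00:00Z"},
  "explanationURL": "https://example.invalid/ari-explanation"
}""")

if __name__ == "__main__":
    issued = datetime(2026, 3, 20, tzinfo=timezone.utc)
    for lifetime, row in compare_strategies(issued).items():
        print(f"{lifetime:>2}-day cert: {row}")
    when = choose_ari_renewal_time(SAMPLE_RENEWAL_INFO, datetime(2026, 4, 20, tzinfo=timezone.utc))
    print("ARI says renew at", when.isoformat())
```

The table printed by `compare_strategies` is the whole argument of the thread in numbers: a fixed 60-day interval still squeaks by on 64-day certificates but is not safe on 45-day ones, while the 2/3 rule lands on day 60, day 42.67 and day 30 respectively without any change to the client.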

Didn't you guys stop sending expiry mail? Not sure anything short of a scream test (make it expire) will cause them to notice, as it's been automated away. We'd have statistics about how clients' schedules were set (keep ARI / renew before 30 days of expiry / renew after 60 days).

1 Like

Correct, we no longer send expiration warning emails ourselves. However, there are many other expiration notification systems, including local monitoring, which may trigger.

5 Likes
