What Let’s Encrypt’s New Certificate Validity Rules Mean for Your SSL Setup
Let’s Encrypt will shorten default TLS/SSL certificate lifetimes from 90 to 45 days and reduce domain‑validation reuse windows to seven hours, rolling out a trial in May 2026, a default change in July 2027, and full enforcement in August 2028, while also introducing a persistent DNS‑TXT validation method.
Let’s Encrypt Certificate Policy Changes
Let’s Encrypt will modify two key aspects of its ACME issuance process:
Certificate validity period: the maximum lifetime will be reduced from 90 days to 45 days.
Domain‑validation reuse period: the window during which a previously issued authorization can be reused will shrink from 30 days to 7 hours, effectively requiring a fresh domain‑ownership check for every renewal.
Staged rollout
May 2026 – optional trial. Users can enable 45‑day certificates by adding a configuration setting (e.g., default_certificate_lifetime = 45d) to their ACME client.
July 2027 – default lifetime changes to 64 days for all accounts that have not opted in to the trial.
August 2028 – the 45‑day lifetime becomes the standard default for every newly issued certificate.
New validation method: DNS‑PERSIST‑01
In 2026 Let’s Encrypt will introduce DNS‑PERSIST‑01, a DNS‑based challenge whose validation TXT record stays in place after it is first created. Subsequent renewals can reuse the same TXT record without manual updates, reducing operational overhead for DNS‑only validation flows.
Operational impact
Most modern ACME clients (e.g., Certbot, acme.sh, lego) already automate renewal and will handle the shorter lifetimes transparently. However, administrators who rely on custom scripts, fixed‑interval cron jobs, or manual DNS updates should verify the following:
Renewal frequency must be increased to ensure certificates are refreshed before the 45‑day expiry.
Any logic that reuses an authorization longer than 7 hours must be revised to request a fresh challenge for each renewal.
If DNS‑PERSIST‑01 is adopted, update the script to create the initial TXT record once and then skip re‑creation on subsequent renewals.
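The three checks above can be put into code. The following is an added example, not code from Let’s Encrypt or from any ACME client: it parses the notBefore/notAfter lines printed by `openssl x509 -noout -dates`, derives the renewal threshold from the certificate’s own lifetime (so the same script keeps working as the default moves from 90 to 64 to 45 days), tests whether a cached authorization is still inside the 7‑hour reuse window, and shows how many renewal attempts a fixed‑interval cron job gets before expiry. The “renew at one third of lifetime remaining” rule is an assumption modelled on common client behaviour, not a Let’s Encrypt requirement; the sample date lines are constructed.

```python
"""Renewal-cadence checks for shorter Let's Encrypt certificate lifetimes.

Added example; not code from Let's Encrypt or from any ACME client.
"""
from __future__ import annotations

import subprocess
from datetime import datetime, timedelta, timezone

# Reuse window stated in the article (30 days -> 7 hours).
AUTHZ_REUSE_WINDOW = timedelta(hours=7)
# Date format used by `openssl x509 -noout -dates`, e.g. "Jun  1 00:00:00 2026 GMT".
OPENSSL_DATE_FORMAT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample of `openssl x509 -noout -dates` output for a 45-day certificate.
SAMPLE_DATES = """\
notBefore=Jun  1 00:00:00 2026 GMT
notAfter=Jul 16 00:00:00 2026 GMT
"""


def utc(iso: str) -> datetime:
    """Small helper: build an aware UTC datetime from an ISO 8601 string."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def parse_openssl_dates(text: str) -> tuple[datetime, datetime]:
    """Return (not_before, not_after) as aware UTC datetimes from openssl -dates output."""
    found: dict[str, datetime] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FORMAT)
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if "notBefore" not in found or "notAfter" not in found:
        raise ValueError("openssl output did not contain both notBefore and notAfter")
    return found["notBefore"], found["notAfter"]


def dates_from_pem(path: str) -> tuple[datetime, datetime]:
    """Read the validity dates of a PEM certificate on disk via the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-dates", "-in", path],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_openssl_dates(out)


def renewal_threshold(not_before: datetime, not_after: datetime) -> timedelta:
    """Assumed rule: renew once less than one third of the lifetime remains.

    That is 30 of 90 days today and 15 of 45 days after the change, derived
    from the certificate itself rather than from a hard-coded number.
    """
    return (not_after - not_before) / 3


def needs_renewal(not_before: datetime, not_after: datetime, now: datetime) -> bool:
    """True when the remaining validity is at or below the renewal threshold."""
    return not_after - now <= renewal_threshold(not_before, not_after)


def can_reuse_authorization(validated_at: datetime, now: datetime,
                            window: timedelta = AUTHZ_REUSE_WINDOW) -> bool:
    """True only while a cached ACME authorization is younger than the reuse window.

    Anything older must be discarded and a fresh challenge requested.
    """
    return timedelta(0) <= now - validated_at < window


def attempts_before_expiry(not_before: datetime, not_after: datetime,
                           check_interval_hours: float) -> int:
    """How many renewal attempts a fixed-interval job gets inside the renewal window.

    On a 45-day certificate a weekly cron job gets only two tries before the
    certificate expires; a twice-daily job gets thirty.
    """
    interval = timedelta(hours=check_interval_hours)
    return int(renewal_threshold(not_before, not_after) // interval)


if __name__ == "__main__":
    nb, na = parse_openssl_dates(SAMPLE_DATES)
    now = utc("2026-07-02T00:00:00")
    print(f"lifetime={(na - nb).days}d  renew now? {needs_renewal(nb, na, now)}")
    for hours in (24 * 7, 12):
        print(f"check every {hours}h: {attempts_before_expiry(nb, na, hours)} attempts before expiry")
    cached = utc("2026-07-01T00:00:00")
    print(f"authz from {cached:%H:%M} reusable at 06:00? "
          f"{can_reuse_authorization(cached, utc('2026-07-01T06:00:00'))}")
```

Replace `SAMPLE_DATES` with `dates_from_pem("/path/to/fullchain.pem")` to run it against a real certificate. The point of `attempts_before_expiry` is the one that bites fixed‑interval scripts: a weekly job that was comfortable with a 30‑day renewal window leaves almost no margin for transient failures once the window is 15 days.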
Security rationale
Shorter certificate lifetimes reduce the exposure window for compromised private keys and align Let’s Encrypt with the CA/Browser Forum’s recommendation for frequent rotation. The tighter validation window further mitigates the risk of stale authorizations being abused.