Let's Encrypt, the certificate authority that launched a decade ago to remove the traditional cost and complexity barriers to obtaining SSL and TLS certificates, has announced some major updates. These updates include a new certificate hierarchy, the deprecation of TLS client authentication, and a plan to shorten certificate lifetimes.
The non-profit said that it has generated a new hierarchy dubbed Generation Y, which consists of two new Root Certificate Authorities (CAs) and six new Intermediate CAs. These new CAs are cross-signed from the existing Generation X roots (X1 and X2), which ensures that they remain trusted wherever the current roots are accepted.
Let's Encrypt has also reiterated that its TLS Client Authentication is scheduled to end starting in February 2026 and that the default classic ACME profile will switch to the Generation Y hierarchy, without Client Auth, on May 13, 2026. If you need more time past the deadline, you can use the tlsclient profile until May 2026, as it will remain on the existing Generation X roots.
Another major change is that certificate lifetimes are being shortened. Let's Encrypt will shorten the certificate validity period in stages to comply with the CA/Browser Forum Baseline Requirements. Next year, there will be an opt-in phase where early adopters and testers can opt in to 45-day certificates via the tlsserver profile. In 2027, the default certificate lifetime will be lowered to 64 days. Finally, in 2028, the default certificate lifetime will be lowered to 45 days.
Shortening certificate lifetimes will enhance internet security by reducing attack windows, allowing the faster rollout of cryptographic updates, and reducing the impact of misissuance.
Let's Encrypt said that users of the tlsserver and short-lived profiles will begin seeing certificates from the Generation Y hierarchy this week. It also said that the switch marks the general availability of opt-in short-lived certificates, including support for IP addresses on certificates.