Let’s Encrypt shortens certificate lifetimes to 45 days

Let’s Encrypt is a free, open, automated, non-profit certificate authority (CA) operated by the Internet Security Research Group (ISRG). Its goal is to simplify enabling HTTPS on websites and thereby improve the security of the internet as a whole.

On December 2, 2025, Let’s Encrypt announced two major changes:

  1. Shorter TLS certificate lifetimes: to improve internet security and limit the impact of a potential security incident, the validity of its publicly trusted TLS certificates will be halved from the current 90 days to 45 days. The change is rolled out in stages:
    • From May 13, 2026: users can opt in through a specific configuration to have 45-day certificates issued early.
    • February 10, 2027: the default configuration switches to 64-day validity, and the domain authorization reuse period is shortened.
    • February 16, 2028: all certificates move to 45-day validity, and the domain authorization reuse period is shortened to 7 hours.
  2. A new DNS validation method: to simplify automated certificate issuance, Let’s Encrypt will introduce the persistent validation method DNS-PERSIST-01. Unlike traditional methods that require a DNS change at every renewal, DNS-PERSIST-01 lets a user set a TXT record in DNS once and reuse it long-term, with no repeated DNS edits at renewal time, which significantly reduces the complexity of automated management.

In addition, Let’s Encrypt has already announced plans to end its OCSP (Online Certificate Status Protocol) service.

For most users, these changes mean making sure the automated renewal process can cope with the shorter certificate lifetime. It is recommended to enable the ACME Renewal Information (ARI) mechanism, or to adjust the renewal policy (for example, triggering renewal about two thirds of the way through the certificate’s lifetime), to avoid service outages.

Original announcement: https://isrg.org/post/from-90-to-45/

COPY:

Decreasing Certificate Lifetimes to 45 Days
Matthew McPherrin
Dec 2, 2025

Let’s Encrypt will be reducing the validity period of the certificates we issue. We currently issue certificates valid for 90 days, which will be cut in half to 45 days by 2028.

This change is being made along with the rest of the industry, as required by the CA/Browser Forum Baseline Requirements, which set the technical requirements that we must follow. All publicly-trusted Certificate Authorities like Let’s Encrypt will be making similar changes. Reducing how long certificates are valid for helps improve the security of the internet, by limiting the scope of compromise, and making certificate revocation technologies more efficient.

We are also reducing the authorization reuse period, which is the length of time after validating domain control that we allow certificates to be issued for that domain. It is currently 30 days, which will be reduced to 7 hours by 2028.

Timeline of Changes
To minimize disruption, Let’s Encrypt will roll this change out in multiple stages. We will use ACME Profiles to allow you control over when these changes take effect. They are configured in your ACME client. For more information, see our blog post announcing them.

Changes will be deployed to our staging environment approximately one month before the production dates below.

May 13, 2026: Let’s Encrypt will switch our tlsserver ACME profile to issue 45-day certificates. This profile is opt-in and can be used by early adopters and for testing.
February 10, 2027: Let’s Encrypt will switch our default classic ACME profile to issuing 64-day certificates with a 10-day authorization reuse period. This will affect all users who have not opted into the tlsserver or shortlived (6-day) profiles.
February 16, 2028: We will further update the classic profile to issue 45-day certificates with a 7-hour authorization reuse period.
These dates are when the change takes effect for new certificates, so Let’s Encrypt users will see the reduced certificate validity period at their next renewal after these dates.

Action Required
Most users of Let’s Encrypt who automatically issue certificates will not have to make any changes. However, you should verify that your automation is compatible with certificates that have shorter validity periods.

To ensure your ACME client renews on time, we recommend using ACME Renewal Information (ARI). ARI is a feature we’ve introduced to help clients know when they need to renew their certificates. Consult your ACME client’s documentation on how to enable ARI, as it differs from client to client. If you are a client developer, check out this integration guide.

If your client doesn’t support ARI yet, ensure it runs on a schedule that is compatible with 45-day certificates. For example, renewing at a hardcoded interval of 60 days will no longer be sufficient. Acceptable behavior includes renewing certificates at approximately two thirds of the way through the current certificate’s lifetime.
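The two renewal rules above (prefer the ARI suggested window, otherwise renew at about two thirds of the lifetime) as an added Python example; this is not Let’s Encrypt or any ACME client’s code, and the ARI response below is a constructed sample in the `suggestedWindow` shape of RFC 9773.

```python
"""Renewal scheduling for 45-day certificates (added example, not Let's Encrypt code)."""
import json
import random
from datetime import datetime, timedelta
from typing import Optional

# "approximately two thirds of the way through the current certificate's lifetime"
RENEW_NUM, RENEW_DEN = 2, 3


def parse_rfc3339(s: str) -> datetime:
    # datetime.fromisoformat() accepts a trailing "Z" only on Python 3.11+, so normalise it.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def fallback_renewal_time(not_before: datetime, not_after: datetime) -> datetime:
    """Renewal point for clients without ARI: two thirds into the lifetime (exact integer arithmetic)."""
    lifetime = not_after - not_before
    return not_before + lifetime * RENEW_NUM // RENEW_DEN


def ari_renewal_time(ari_json: str, rng: Optional[random.Random] = None) -> datetime:
    """Pick a point uniformly inside ARI's suggestedWindow, which spreads renewal load over the window."""
    window = json.loads(ari_json)["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    rng = rng or random.Random()
    return start + (end - start) * rng.random()


def should_renew(now: datetime, not_before: datetime, not_after: datetime,
                 ari_json: Optional[str] = None, rng: Optional[random.Random] = None) -> bool:
    """True when the client should renew now; ARI wins when the server provides it."""
    target = ari_renewal_time(ari_json, rng) if ari_json else fallback_renewal_time(not_before, not_after)
    return now >= target


def interval_is_safe(interval_days: int, lifetime_days: int) -> bool:
    """Does a hard-coded renewal interval fire by the two-thirds point of the lifetime?"""
    return interval_days * RENEW_DEN <= lifetime_days * RENEW_NUM


# Constructed ARI response for a 45-day certificate; real responses also carry explanationURL.
SAMPLE_ARI = json.dumps({"suggestedWindow": {"start": "2028-03-29T00:00:00Z",
                                             "end": "2028-03-30T00:00:00Z"}})

if __name__ == "__main__":
    nb = parse_rfc3339("2028-03-01T00:00:00Z")
    na = nb + timedelta(days=45)
    print("fallback renewal at", fallback_renewal_time(nb, na))      # 2028-03-31
    print("60-day cron still safe?", interval_is_safe(60, 45))         # False
```

The same 60-day interval that was fine for 90-day certificates (`interval_is_safe(60, 90)` is true) fails the check for 45-day ones.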

Manually renewing certificates is not recommended, as it will need to be done more frequently with shorter certificate lifetimes.

We also recommend that you make sure your systems have sufficient monitoring in place to alert appropriately if certificates aren’t renewed when expected. There are many available options, some of which are documented on our Monitoring Service Options page.

Making Automation Easier with a new DNS Challenge Type
For many of our users, the hardest part of automatically issuing certificates is proving domain control. Reducing certificate lifetimes and the authorization reuse period will make users need to demonstrate control more often.

All validation methods today require that the ACME client have live access to your infrastructure, either to serve the correct HTTP-01 token, perform the right TLS-ALPN-01 handshake, or update the right DNS-01 TXT record. For a long time, people have wanted a way to run an ACME client without granting it access to these sensitive systems.

These challenges are why we are working with our partners at the CA/Browser Forum and IETF to standardize a new validation method called DNS-PERSIST-01. The key advantage of this new method is that the DNS TXT entry used to demonstrate control does not have to change every renewal.

This means you can set up the DNS entry once and begin automatically renewing certificates without needing a way to automatically update DNS. This should allow even more people to automate their certificate renewals. It will also reduce reliance on authorization reuse, since the DNS records can stay unchanged without any further ACME client involvement.

We expect DNS-PERSIST-01 to be available in 2026, and will have more to announce soon.

Copyright notice:
Author: 漏网的鱼
Link: https://www.csev.cn/it/20251207779.html
Source: 彩色动力-测试分享
Copyright notice: This article may be reposted in any form, provided this notice is kept in full (including the original link, original source, original author and this copyright notice). All later revisions of this article will be published first at the original address.