For announcements of upcoming changes, please subscribe to the Technical Updates mailing list or see the API Announcements category on the Let’s Encrypt community forum.
Around the end of 2025, we intend to allow any client which supports ACME Profiles (see below) to request a “shortlived” certificate. These certificates are valid for such a short time that they do not need to have revocation information embedded in them at all.
Around the end of 2025, we intend to allow any client which requests a shortlived certificate (see above) to also request that the certificate contain IP Addresses in its Subject Alternative Names. These addresses will be validated in much the same way as DNS Names are today.
On February 11, 2026, we intend to remove the “TLS Client Authentication” Extended Key Usage (EKU) from our default certificate profile. Prior to that date, we will offer an alternative profile which will still contain that EKU, but note that this will be a temporary stop-gap for clients that need more time to migrate away from needing it: that alternate profile will go away on May 13, 2026.
To comply with CA/Browser Forum Baseline Requirement changes, we are decreasing certificate lifetimes to 45 days. We will first decrease to 64 days on February 10, 2027, and then to 45 days on February 16, 2028. We are also decreasing the authorization reuse period to 10 days, then 7 hours.
On June 4, 2025, we turned off our expiration email notification service, and delete all email addresses associated with ACME accounts from our production database.
Enabled: May 7, 2025.
Our certificates no longer contain an Authority Information Access (AIA) Online Certificate Status Protocol (OCSP) URL. Instead, they contain a Certificate Revocation List (CRL) Distribution Point (CRLDP) URL. Relying parties can retrieve revocation status information via CRLs, and ACME clients can obtain renewal hints via ARI (see below).
Enabled: January 9, 2025.
Clients which support the draft ACME Profiles extension can now request that their certificate conform to one of our supported profiles.
Enabled: March 14, 2024
We now operate Certificate Transparency (CT) logs which conform to the new Static CT API Spec, running the Sunlight software. These logs are now usable to fulfill browser’s CT requirements. The CT Logs Documentation has a list of our current logs.
Enabled: March 23, 2023.
We now provide suggested renewal windows for all issued certificates, which clients can query using the ACME ARI extension.