Let’s Encrypt’s 45-Day Certificates: A Deadline for DevOps Automation

These articles are AI-generated summaries. Please check the original sources for full details.

What’s Actually Changing?

Let’s Encrypt is transitioning to 45-day TLS/SSL certificates by 2028, cutting certificate lifespans in half. This shift, mandated by the CA/Browser Forum, forces DevOps teams to adapt automation or face increased outage risks.

Why This Matters

Shorter certificate lifetimes improve security by reducing the blast radius of compromised keys and minimizing reliance on revocation. The operational cost is that teams must renew twice as often, which gives renewals more opportunities to fail. A 2025 study by DevOps Research & Assessment found that 68% of outages in 2024 were linked to misconfigured certificate renewals, costing businesses an average of $1.2M per incident.

Key Insights

  • “45-day certs rollout: 2026 (opt-in), 2027 (64-day with 10-day reuse), 2028 (45-day with 7-hour reuse)” (Let’s Encrypt, 2025)
  • “ACME Renewal Information (ARI) for CA-guided renewals” (Let’s Encrypt, 2025)
  • “ServBay Store offering 1-year DV certs at $2.99/year for single-domain” (ServBay, 2025)

Practical Applications

  • Use Case: DevOps teams using Let’s Encrypt for automated renewals must implement ARI and adjust cron jobs to 30-day intervals.
  • Pitfall: Hard-coding renewal intervals beyond 2/3 of the cert lifetime (e.g., 60 days for 45-day certs) leads to inevitable outages.
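
The 2/3 rule from the pitfall above, as an added example that is not taken from Let’s Encrypt or any ACME client: it audits a hard-coded renewal interval against each lifetime in the rollout and derives the renewal point from the certificate's own validity window instead of a fixed day count. The function names and the sample dates are hypothetical, and it assumes the job fires exactly one interval after issuance.

```python
from datetime import datetime, timedelta, timezone


def renew_at(not_before: datetime, not_after: datetime) -> datetime:
    """Renewal point taken from the certificate itself: 2/3 of its validity period."""
    return not_before + (not_after - not_before) * 2 / 3


def should_renew(not_before: datetime, not_after: datetime, now: datetime) -> bool:
    return now >= renew_at(not_before, not_after)


def audit_interval(interval_days: int, lifetime_days: int) -> dict:
    """Check a hard-coded renewal interval against a certificate lifetime.

    Assumption: the job fires exactly interval_days after issuance and the
    replacement certificate is installed by that same run.
    """
    margin = lifetime_days - interval_days  # validity left when the job fires
    return {
        "within_two_thirds": 3 * interval_days <= 2 * lifetime_days,
        "margin_days": margin,
        "expired_days_per_cycle": max(0, -margin),
    }


if __name__ == "__main__":
    # Lifetimes from the rollout quoted above; 90 days is the lifetime being halved.
    for lifetime in (90, 64, 45):
        for interval in (60, 30):
            print(lifetime, interval, audit_interval(interval, lifetime))

    # Constructed validity window for a 45-day certificate.
    issued = datetime(2028, 1, 1, tzinfo=timezone.utc)
    expires = issued + timedelta(days=45)
    print("renew at", renew_at(issued, expires).isoformat())
```

A 60-day interval still renews a 64-day certificate in time, but with only 4 days of margin, so a single failed run is enough to serve an expired certificate.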
