Let’s Encrypt is introducing several updates to the certificates we issue, including new root certificates, the deprecation of TLS client authentication, and shortening certificate lifetimes. To help roll out changes gradually, we’re making use of ACME profiles to allow users to have control over when some of these changes take place. For most users, no action is required.
Let’s Encrypt has generated two new Root Certification Authorities (CAs) and six new Intermediate CAs, which we’re collectively calling the “Generation Y” hierarchy. These are cross-signed from our existing “Generation X” roots, X1 and X2, so will continue to work anywhere our current roots are trusted.
Most users get certificates from our default [classic](htt…
Let’s Encrypt is introducing several updates to the certificates we issue, including new root certificates, the deprecation of TLS client authentication, and shortening certificate lifetimes. To help roll out changes gradually, we’re making use of ACME profiles to allow users to have control over when some of these changes take place. For most users, no action is required.
Let’s Encrypt has generated two new Root Certification Authorities (CAs) and six new Intermediate CAs, which we’re collectively calling the “Generation Y” hierarchy. These are cross-signed from our existing “Generation X” roots, X1 and X2, so will continue to work anywhere our current roots are trusted.
Most users get certificates from our default classic profile, unless they’ve opted into another profile. This profile will switch to the new Generation Y hierarchy on May 13 2026. These new intermediates do not contain the “TLS Client Authentication” Extended Key Usage due to an upcoming root program requirement. We have previously announced our plans to end TLS Client Authentication starting in February 2026, which will coincide with the switch to the Generation Y hierarchy. Users who encounter issues or need an extended period to switch can use our tlsclient profile until May 2026, which will also remain on our existing Generation X roots.
If you’re requesting certificates from our tlsserver or shortlived profiles, you’ll begin to see certificates which come from the Generation Y hierarchy this week. This switch will also mark the opt-in general availability of short-lived certificates from Let’s Encrypt, including support for IP Addresses on certificates.
We also announced our timeline to comply with upcoming changes to the CA/Browser Forum Baseline Requirements, which will require us to shorten the length of time our certificates are valid for. Next year, you’ll be able to opt-in to 45 day certificates for early adopters and testing via the tlsserver profile. In 2027, we’ll lower the default certificate lifetime to 64 days, and then to 45 in 2028. For the full timeline and details, please see our post on decreasing certificate lifetimes to 45 days.
For most users, no action is required, but we recommend reviewing the linked blog posts announcing each of these changes for more details. If you have any questions, please do not hesitate to ask here, on this forum.