We Issued Our First Six-Day Certificate

  • Announcement and First Short-Lived Certificate: In 2025, Let's Encrypt announced the intention to introduce six-day short-lived certificates. On February 19, 2025, they issued their first short-lived certificate. It was issued to themselves and immediately revoked to observe its lifecycle. This is the first step towards making them available to all subscribers.
  • Next Steps: The next step is to make short-lived certificates available to a small set of subscribers to ensure system scalability before general availability. This is expected to begin in Q2 of 2025. Short-lived certificates are expected to be generally available by the end of the year.
  • How to Get Six-Day Certificates: Once available, use an ACME client that supports ACME certificate profiles and select the short-lived certificate profile. The lego client recently added this functionality. In the meantime, ensure your ACME client is reliably renewing certificates automatically. To renew short-lived certificates and take advantage of ACME Renewal Information (ARI), it should run at least once a day.
  • Advantages of Shorter Certificate Lifetimes: When a private key is compromised, its certificate needs to be revoked. But certificate revocation doesn't work well, and longer certificate lifetimes increase the potential for problematic certificates to be used. Short-lived certificates reduce the compromise window and the need for revocation. They also require automation, which is important for security.
  • Questions and Acknowledgments: Have questions or comments? Use the community forums. Thanks to the Open Technology Fund for supporting this work.
  • Details of the First 6-Day Certificate: The PEM format and openssl x509 -text output provide information about the certificate, including issuer, validity period, subject, public key info, extensions (such as key usage, extended key usage, basic constraints, authority key identifier, authority information access, subject alternative name, and certificate policies), and CT Precertificate SCTs.
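The daily-run and ARI advice in "How to Get Six-Day Certificates" can be checked with a small scheduling model. This is an added example, not code from Let's Encrypt or any ACME client; the function names, the exact six-day lifetime, the "renew with a third of the lifetime left" fallback and the sample ARI body are assumptions, while the `suggestedWindow` fields and the window-selection rule follow RFC 9773.

```python
import random
from datetime import datetime, timedelta

def parse_rfc3339(ts):
    # ARI timestamps are RFC 3339; map a trailing "Z" to an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def renewal_decision(now, not_before, not_after, run_interval, ari=None,
                     pick=random.random):
    """Decide "renew" or "wait" for one run of a scheduled renewal job."""
    next_run = now + run_interval
    if ari is not None:
        # RFC 9773: choose a uniformly random time inside the suggested
        # window; renew now if it is past or falls before the next wake-up.
        start = parse_rfc3339(ari["suggestedWindow"]["start"])
        end = parse_rfc3339(ari["suggestedWindow"]["end"])
        target = start + (end - start) * pick()
    else:
        # Assumed fallback without ARI: renew with a third of the lifetime left.
        target = not_after - (not_after - not_before) / 3
    return "renew" if target <= next_run else "wait"

def survives_schedule(run_interval, lifetime=timedelta(days=6), runs=30):
    """Simulate a job with no ARI data; False if a run finds an expired cert."""
    now = parse_rfc3339("2025-02-19T00:00:00Z")  # constructed start time
    not_before, not_after = now, now + lifetime
    for _ in range(runs):
        if now >= not_after:
            return False  # certificate expired while still deployed
        if renewal_decision(now, not_before, not_after, run_interval) == "renew":
            not_before, not_after = now, now + lifetime  # fresh issuance
        now += run_interval
    return True

# Constructed ARI response body (field names per RFC 9773).
SAMPLE_ARI = {"suggestedWindow": {"start": "2025-02-21T00:00:00Z",
                                  "end": "2025-02-22T00:00:00Z"}}

if __name__ == "__main__":
    print("daily job :", survives_schedule(timedelta(days=1)))
    print("weekly job:", survives_schedule(timedelta(days=7)))
```

A weekly job renews on every run and still serves an expired certificate, because the six-day lifetime is shorter than the gap between runs; the daily job never does.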