Decreasing Certificate Lifetimes to 45 Days

Original link: https://letsencrypt.org/2025/12/02/from-90-to-45.html

## Summary of Let’s Encrypt certificate changes

Let’s Encrypt will shorten the validity period of its SSL/TLS certificates to strengthen internet security and to align with industry-wide changes mandated by the CA/Browser Forum. Certificates are currently valid for 90 days and will shrink to **45 days in 2028**. The authorization reuse period (the time after domain validation during which certificates may be issued) will also drop from 30 days to **7 hours in 2028**. These changes will roll out in stages, starting with an opt-in configuration in **May 2026**, followed by updates to the default configuration in **February 2027 and 2028**. Most users with automated certificate issuance need take no immediate action, but should **verify compatibility with shorter validity periods** and **enable ACME Renewal Information (ARI) in their ACME client** so that renewals happen on time. Hardcoded renewal intervals exceeding 60 days will become insufficient. To simplify automation, Let’s Encrypt is developing **DNS-PERSIST-01**, a new validation method that allows DNS updates to be made less often. Stay informed via the [technical updates mailing list](link to mailing list) and the [community forum](link to forum).

Let's Encrypt, a major provider of free SSL certificates, is shortening certificate validity to 45 days to comply with industry-wide changes mandated by the CA/Browser Forum. The move is praised for improving web security (WebPKI) through API-based automated certificate management. While beneficial, the change highlights persistent challenges. Some older software, especially enterprise-grade software, struggles with frequent renewal and often requires a manual restart to pick up a new certificate. Moreover, many IT departments lack API support for internal domains, which hinders automation. One commenter questioned the necessity of 45 days, suggesting that even shorter durations, such as one hour, could be considered, while acknowledging the benefit of "trust on first use" (TOFU) despite potential control issues. Ultimately, the shift reflects an industry-wide trend toward shorter-lived, automatically managed certificates.

Original text

Let’s Encrypt will be reducing the validity period of the certificates we issue. We currently issue certificates valid for 90 days, which will be cut in half to 45 days by 2028.

This change is being made along with the rest of the industry, as required by the CA/Browser Forum Baseline Requirements, which set the technical requirements that we must follow. All publicly-trusted Certificate Authorities like Let’s Encrypt will be making similar changes. Reducing how long certificates are valid for helps improve the security of the internet, by limiting the scope of compromise, and making certificate revocation technologies more efficient.

We are also reducing the authorization reuse period, which is the length of time after validating domain control that we allow certificates to be issued for that domain. It is currently 30 days, which will be reduced to 7 hours by 2028.

Timeline of Changes

To minimize disruption, Let’s Encrypt will roll this change out in multiple stages. We will use ACME Profiles to give you control over when these changes take effect. They are configured in your ACME client. For more information, see our blog post announcing them.

Changes will be deployed to our staging environment approximately one month before the production dates below.

  • May 13, 2026: Let’s Encrypt will switch our tlsserver ACME profile to issue 45-day certificates. This profile is opt-in and can be used by early adopters and for testing.
  • February 10, 2027: Let’s Encrypt will switch our default classic ACME profile to issuing 64-day certificates with a 10-day authorization reuse period. This will affect all users who have not opted into the tlsserver or shortlived (6-day) profiles.
  • February 16, 2028: We will further update the classic profile to issue 45-day certificates with a 7-hour authorization reuse period.

These dates are when the change takes effect for new certificates, so Let’s Encrypt users will see the reduced certificate validity period at their next renewal after these dates.

Action Required

Most users of Let’s Encrypt who automatically issue certificates will not have to make any changes. However, you should verify that your automation is compatible with certificates that have shorter validity periods.

To ensure your ACME client renews on time, we recommend using ACME Renewal Information (ARI). ARI is a feature we’ve introduced to help clients know when they need to renew their certificates. Consult your ACME client’s documentation on how to enable ARI, as it differs from client to client. If you are a client developer, check out this integration guide.

If your client doesn’t support ARI yet, ensure it runs on a schedule that is compatible with 45-day certificates. For example, renewing at a hardcoded interval of 60 days will no longer be sufficient. Acceptable behavior includes renewing certificates at approximately two thirds of the way through the current certificate’s lifetime.

Manually renewing certificates is not recommended, as it will need to be done more frequently with shorter certificate lifetimes.

We also recommend that you make sure your systems have sufficient monitoring in place to alert appropriately if certificates aren’t renewed when expected. There are many available options, some of which are documented on our Monitoring Service Options page.
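The renewal and monitoring rules above can be checked mechanically. The following is an added example, not code from Let’s Encrypt or from this post: it uses only the Python standard library and constructed sample dates, and every name in it (utc, renewal_time, fixed_interval_is_safe, pick_ari_renewal_time, renewal_overdue) is this example's own. It shows why a hardcoded 60-day interval was enough for 90-day certificates but fails for 64-day and 45-day ones, how a client picks a renewal instant from an ARI suggestedWindow (the JSON shape and the "renew immediately if the window has passed" rule are those of RFC 9773), and a simple overdue check of the kind a monitoring alert would run.

```python
"""Renewal-timing checks for short-lived certificates.

Added example for this page; it is not code from Let's Encrypt or the post.
It uses only the standard library and constructed sample dates; all names
below are this example's own.
"""
from datetime import datetime, timedelta, timezone
import random

# The post's acceptable behaviour: renew about two thirds of the way
# through the certificate's lifetime, expressed as the ratio 2:3.
RENEW_NUM, RENEW_DEN = 2, 3


def utc(year, month, day, hour=0):
    """Build a timezone-aware UTC datetime (helper for the samples below)."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def parse_rfc3339(ts):
    """ARI timestamps are RFC 3339; older Pythons reject the 'Z' suffix."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def renewal_time(not_before, not_after):
    """Instant two thirds of the way through the certificate's validity."""
    lifetime = not_after - not_before
    return not_before + lifetime * RENEW_NUM / RENEW_DEN


def fixed_interval_is_safe(interval_days, lifetime_days):
    """Does a hardcoded renewal interval fire at or before the two-thirds
    point? Integer arithmetic avoids float rounding at the boundary."""
    return interval_days * RENEW_DEN <= lifetime_days * RENEW_NUM


def pick_ari_renewal_time(ari_response, now, seed=None):
    """Choose a renewal instant from an ARI response shaped as in RFC 9773
    ({"suggestedWindow": {"start": ..., "end": ...}}): a uniformly random
    time inside the window, or right now if that time has already passed."""
    window = ari_response["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    chosen = start + (end - start) * random.Random(seed).random()
    return chosen if chosen > now else now


def renewal_overdue(not_before, not_after, now, grace=timedelta(days=3)):
    """Monitoring check: true once the expected renewal point plus a grace
    period has passed while the old certificate is still the one observed."""
    return now > renewal_time(not_before, not_after) + grace


# Constructed sample: a 45-day certificate issued 2028-03-01 (after the
# February 2028 default change) and a constructed ARI response for it.
SAMPLE_NOT_BEFORE = utc(2028, 3, 1)
SAMPLE_NOT_AFTER = SAMPLE_NOT_BEFORE + timedelta(days=45)
SAMPLE_ARI = {
    "suggestedWindow": {
        "start": "2028-03-29T00:00:00Z",
        "end": "2028-03-31T00:00:00Z",
    }
}

if __name__ == "__main__":
    print("expires:", SAMPLE_NOT_AFTER.isoformat())
    print("renew at (2/3 of lifetime):",
          renewal_time(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER).isoformat())
    for lifetime in (90, 64, 45):
        print(f"60-day fixed interval safe for {lifetime}-day certs?",
              fixed_interval_is_safe(60, lifetime))
    print("ARI-chosen time:",
          pick_ari_renewal_time(SAMPLE_ARI, utc(2028, 3, 20), seed=1).isoformat())
    print("overdue on 2028-04-05?",
          renewal_overdue(SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, utc(2028, 4, 5)))
```

The overdue check is deliberately keyed to the expected renewal point rather than to expiry: by the time a 45-day certificate is within a few days of expiring, there is little room left to fix a broken renewal, so the alert should fire when the renewal that should have happened did not.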

Making Automation Easier with a new DNS Challenge Type

For many of our users, the hardest part of automatically issuing certificates is proving domain control. Reducing certificate lifetimes and the authorization reuse period will require users to demonstrate control more often.

All validation methods today require that the ACME client have live access to your infrastructure, either to serve the correct HTTP-01 token, perform the right TLS-ALPN-01 handshake, or update the right DNS-01 TXT record. For a long time, people have wanted a way to run an ACME client without granting it access to these sensitive systems.

These challenges are why we are working with our partners at the CA/Browser Forum and IETF to standardize a new validation method called DNS-PERSIST-01. The key advantage of this new method is that the DNS TXT entry used to demonstrate control does not have to change every renewal.

This means you can set up the DNS entry once and begin automatically renewing certificates without needing a way to automatically update DNS. This should allow even more people to automate their certificate renewals. It will also reduce reliance on authorization reuse, since the DNS records can stay unchanged without any further ACME client involvement.

We expect DNS-PERSIST-01 to be available in 2026, and will have more to announce soon.

Keep Up to Date

Additional updates, reminders, and other changes will be shared on our technical updates mailing list. Subscribe to keep up-to-date with these and all other upcoming changes. If you have any questions, please ask on our community forum. If you want to read more about the work happening at Let’s Encrypt and our other projects, check out our Annual Report, which was published today.
