Let's Encrypt 45-Day Certificates: What Enterprise Teams Need to Know

July 1, 2026

Introduction

Let's Encrypt — which powers over 60% of all web certificates — is moving to 45-day certificate lifetimes. For enterprise teams managing hundreds or thousands of domains, this isn't a minor policy update. It's a fundamental shift in how SSL infrastructure needs to operate. If your team still handles certificate renewals manually, the math is about to get uncomfortable. Here's what's changing, why it's happening, and what you need to do about it.

The Announcement: Let's Encrypt Moving From 90-Day to 45-Day Certificate Lifetimes

In early 2026, Let's Encrypt confirmed what the industry had been speculating: certificate lifetimes are shrinking from 90 days to 45 days. This follows a broader industry push toward shorter-lived certificates as a security standard, and it's not just Let's Encrypt making the move — it's the entire ecosystem.

The change will roll out gradually, with a transition period before 45-day lifetimes become the default. But the direction is locked in. For teams that rely on Let's Encrypt certificates (and at 60% market share, that's most of the web), the operational implications are immediate and significant.

Why It's Happening: Security Best Practice

The reasoning behind shorter certificate lifetimes is straightforward: limiting the window of compromise.

A certificate issued for 90 days stays valid for 90 days unless it is revoked. If a private key is compromised on day one, an attacker has up to 90 days to exploit it before the cert naturally expires. At 45 days, that window shrinks by half. At even shorter lifetimes (some in the industry are pushing for 7-day certificates), the exposure window becomes dramatically smaller.

Shorter lifetimes also reduce reliance on certificate revocation. Revocation lists (CRLs) and OCSP have well-documented reliability issues — browsers don't always check them, and they can be slow to propagate. The industry's solution is increasingly "make certificates expire faster" rather than "get better at revoking them."

Google's Parallel CA/Browser Forum Proposal

This isn't just Let's Encrypt acting alone. Google has proposed similar lifetime reductions through the CA/Browser Forum, the industry body that sets certificate standards. If adopted, these changes would affect all certificate authorities, not just Let's Encrypt.

The message is clear: the entire certificate ecosystem is moving toward shorter lifetimes. Teams that prepare now won't feel the squeeze. Teams that wait will face a structural mismatch between their operational processes and the infrastructure they depend on.

The Timeline: When the Change Happens

While exact dates are still being finalized, the rollout path is clear:

- Mid-2026: Let's Encrypt begins the transition, with 45-day lifetimes becoming available as an option
- Late 2026 / Early 2027: 45-day lifetimes become the default for new certificates
- 2027+: Further reductions possible, with 7-day and even 24-hour certificates under active discussion for specific use cases

The transition period gives teams time to adapt, but adaptation takes longer than most organizations expect — especially when it involves rethinking processes that have been in place for years.

What 45 Days Actually Means: 8 Renewal Cycles Per Year

Here's the operational math.

With 90-day certificates, each domain needs 4 renewals per year. A team managing 100 domains handles 400 certificate operations annually. At 500 domains, that's 2,000 operations. Already significant — and most teams find this challenging to manage manually.

With 45-day certificates, those numbers double. Each domain needs 8 renewals per year. A 100-domain portfolio means 800 operations annually. At 500 domains, it's 4,000 operations. That's more than 10 certificate operations every single day, including weekends and holidays.

And this doesn't account for the reality that many organizations discover expired certificates only when something breaks. A monitoring gap that was manageable at 4 renewals per domain becomes a critical failure point at 8.

Who This Affects Most

The teams hit hardest will be those managing large domain portfolios with manual or semi-automated SSL processes:

- Marketing operations teams running dozens of campaign domains with redirects
- Enterprise infrastructure teams managing brand protection domains, ccTLDs, and acquired brands
- Domain investors and portfolio managers with hundreds or thousands of parked or redirected domains
- Agencies handling SSL for multiple client domains across different platforms

If your team's SSL renewal process involves a spreadsheet, a calendar reminder, or someone manually running a certbot command, the 45-day era will expose every gap in that process — and the gaps will appear twice as fast.

The Enterprise Readiness Gap

Here's the uncomfortable reality: most enterprise teams aren't ready.

Industry surveys consistently show that a significant percentage of organizations still manage at least some certificates manually. Common patterns include:

- Calendar-based renewal tracking instead of automated monitoring
- Manual CSR generation for each certificate
- Separate renewal processes for different domain registrars and DNS providers
- No centralized visibility across the full certificate inventory
- Discovery of expiring certificates only when services break

These patterns were already risky at 90-day lifetimes. At 45 days, they become unsustainable. The gap between "what we're doing now" and "what 45-day certificates require" is wider than most teams realize.
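
To make the calendar-versus-monitoring gap concrete, here is an added example (not code from RedirHub or Let's Encrypt) that audits a small certificate inventory and compares two renewal triggers. The hostnames and dates are constructed, and both the 60-days-after-issuance reminder and the renew-at-two-thirds-of-lifetime rule are assumed policies chosen for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: hostnames and dates are made up. The date
# strings use the format that ssl.SSLSocket.getpeercert() returns.
INVENTORY = [
    {"host": "go.example.com", "notBefore": "Jun  1 00:00:00 2026 GMT", "notAfter": "Aug 30 00:00:00 2026 GMT"},
    {"host": "promo.example.net", "notBefore": "Jul  1 00:00:00 2026 GMT", "notAfter": "Aug 15 00:00:00 2026 GMT"},
]

def _ts(cert_time):
    """Parse an OpenSSL-style certificate time into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def renew_at_fixed_age(cert, age_days=60):
    """Calendar-style rule (assumed): renew a fixed number of days after issuance."""
    return _ts(cert["notBefore"]) + timedelta(days=age_days)

def renew_at_fraction(cert):
    """Lifetime-relative rule (assumed): renew once 2/3 of the validity has elapsed."""
    start, end = _ts(cert["notBefore"]), _ts(cert["notAfter"])
    return start + (end - start) * 2 / 3

def audit(inventory, now):
    """Return one row per certificate: lifetime, status, and how each rule behaves."""
    rows = []
    for cert in inventory:
        start, end = _ts(cert["notBefore"]), _ts(cert["notAfter"])
        if now >= end:
            status = "expired"
        elif now >= renew_at_fraction(cert):
            status = "renew"
        else:
            status = "ok"
        rows.append({
            "host": cert["host"],
            "lifetime_days": (end - start).days,
            "status": status,
            "renew_by": renew_at_fraction(cert),
            # True when the fixed-age reminder would fire only after expiry.
            "fixed_rule_too_late": renew_at_fixed_age(cert) >= end,
        })
    return rows

if __name__ == "__main__":
    for row in audit(INVENTORY, datetime(2026, 8, 1, tzinfo=timezone.utc)):
        print(row)
```

The 45-day entry is the one to watch: a reminder tuned for 90-day certificates fires after that certificate has already expired, while the lifetime-relative rule adapts without any change.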

Conclusion

The 45-day certificate era isn't coming — it's here. Let's Encrypt, Google, and the wider CA/Browser Forum have made the direction clear: shorter certificate lifetimes are the future of web security. For enterprise teams managing redirect domains, brand protection domains, and campaign infrastructure, the question isn't whether to automate SSL management — it's how quickly you can get there before the math catches up.

Audit your SSL renewal process now. Count your domains. Calculate your renewal cadence at 8 per year. If the numbers don't add up with manual processes, they'll add up even less when the timeline shrinks.

Ready to see what automated SSL management looks like across your entire domain portfolio? RedirHub handles certificate provisioning, renewal, and monitoring automatically — so your team doesn't have to.

Frequently asked questions

Let's Encrypt is reducing certificate lifetimes from 90 days to 45 days. This means every certificate issued by Let's Encrypt will need to be renewed twice as often — 8 times per year instead of 4. The change is part of a broader industry push toward shorter-lived certificates for improved security.

The transition is expected to begin in mid-2026, with 45-day lifetimes becoming the default for new certificates by late 2026 or early 2027. A transition period will allow teams to adapt their renewal processes before the change becomes mandatory.

If you manage multiple domains with Let's Encrypt certificates, you'll need to double your renewal frequency. A portfolio of 100 domains will require 800 renewal operations per year instead of 400. At 500 domains, you'll handle 4,000 operations annually — more than 10 per day. This makes manual renewal processes unsustainable for all but the smallest portfolios.

Shorter certificate lifetimes reduce the window of compromise. If a private key is compromised, the attacker has less time to exploit it before the certificate naturally expires. This also reduces reliance on certificate revocation lists, which have known reliability issues in practice.

Yes. Platforms that support ACME automation can handle certificate provisioning, renewal, and monitoring across thousands of domains without manual intervention. RedirHub, for example, automatically provisions SSL certificates for every hostname and handles renewals before expiry — zero manual operations required.

When a redirect certificate expires, browsers show a security warning interstitial, blocking visitors from reaching the destination. For marketing campaigns, this means lost clicks, broken tracking, and damaged trust. The SEO impact can linger for days or weeks after the certificate is renewed, as search engines re-crawl and re-index affected URLs.

Redirect domains have unique SSL requirements because each domain in a redirect chain needs its own valid certificate. A platform that handles SSL at the redirect level — provisioning and renewing certificates per hostname automatically — eliminates the operational overhead of managing certs across your redirect infrastructure.

Linh Tran - Infrastructure Engineer

Linh handles the backend systems that keep RedirHub fast and reliable. Her work revolves around performance, scalability, and making sure redirects happen instantly, no matter where users are. She likes solving complex problems quietly.