Six-day certificates: Here’s what you need to know

In January 2025, Let’s Encrypt announced a major step forward in enhancing web security: the introduction of six-day certificates, also known as “short-lived” certificates. This initiative aligns with Let’s Encrypt’s commitment to strengthening the Public Key Infrastructure (PKI) ecosystem and is set to roll out for general availability by the end of 2025.

Why short-lived certificates matter

The core motivation behind this change is security. Short-lived certificates significantly reduce the window of opportunity for attackers to exploit a compromised or stolen certificate. By automatically expiring in just six days, they also encourage automation in certificate management, further minimizing human errors and vulnerabilities.

The role of ACME in automation

One of the key reasons this shift to six-day certificates is possible is thanks to certificate lifecycle automation mechanisms such as the Automatic Certificate Management Environment (ACME) protocol. ACME automates the traditionally manual process of obtaining and renewing SSL/TLS certificates, making it seamless for websites to stay secure.

Here’s how it works: your server communicates with Let’s Encrypt (or another Certificate Authority that supports ACME) through the ACME protocol to request, verify, and install certificates—all without human intervention. Once set up, ACME handles renewals too, ensuring that certificates never expire unexpectedly.

ACME 2.0 is the latest stable version of the protocol. With its introduction in 2018, ACME became even more robust, adding support for wildcard certificates (which secure multiple subdomains) and improving compatibility with a wide range of tools and platforms. As part of its continued efforts to enhance automation, Let’s Encrypt is also working on innovations to simplify certificate renewal and revocation processes—essential for managing short-lived certificates.

What is ARI, and why does it matter for six-day certificates?

Managing short-lived certificates, like the upcoming six-day model, requires precise timing for renewals. This is where Automatic Renewal Information (ARI) comes into play. ARI acts like a notification system for your server, telling it exactly when a certificate needs to be renewed.

Instead of constantly checking expiration dates, ARI ensures your server always knows the right moment to act. This added layer of automation is essential for managing certificates with such short lifespans and helps ensure uninterrupted security.

The latest draft of ARI (published on December 6, 2024) is under review by the Internet Engineering Task Force (IETF) and is expected to be finalized soon. Despite not yet being an official standard, ARI has already gained traction. Let’s Encrypt has supported ARI in production since March 2023, with many customers already benefiting from it. As the protocol matures into a formal standard, other Certificate Authorities (CAs) are expected to adopt it, driving broader adoption across the industry.

What happens when automation fails?

While automation is a game-changer for certificate management, even the best systems aren’t foolproof. A misconfiguration, a software bug, or a communication failure can disrupt automated processes, leaving your website vulnerable to outages or security lapses.

That’s why an assurance layer is critical. As the recommended certificate expiration service of Let’s Encrypt, Red Sift Certificates Lite provides monitoring for up to 250 certificates with 7-day email expiry alerts. When six-day certificates become generally available, Red Sift Certificates Lite will adapt to support 24-hour expiration alerts, ensuring a safety net for your organization if automation fails.

For businesses with more complex PKI needs, Red Sift Certificates Enterprise provides a robust solution. It features fully configurable alerting settings, real-time certificate discovery, issuance checks, and comprehensive configuration monitoring. This makes it ideal for managing diverse certificate estates that may include both short- and long-lived certificates.

Preparing for the future of web PKI

With the introduction of six-day certificates, automation and assurance will work hand in hand to create a secure, reliable web infrastructure. Organizations can start preparing now by adopting ACME-compatible tools for automated management and leveraging services like Red Sift Certificates Lite to add an extra layer of resilience.

What’s next

As we get closer to the rollout, staying informed about implementation details and best practices will be key for organizations looking to leverage this model effectively. We’ll continue to update this post as new developments emerge.

PUBLISHED BY

Francesca Rünger-Field

28 Jan. 2025

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Cybersecurity

DMARCbis: What are the changes and how to be ready

Jack Lilley

Executive Summary: DMARCbis, also known as DMARC 2.0, is the forthcoming update to the DMARC email authentication protocol, designed to address limitations and ambiguities in the original standard, with an expectation to be finalized and published in 2025. The update introduces clearer guidelines, a new method for determining organizational domains, and streamlined record management.…

Read more
Certificates

TLS certificates are changing: What you need to know

Red Sift

Executive summary: TLS certificates are about to get significantly shorter-lived. Starting 15 March 2026, newly issued public-trust certificates will max out at 200 days—and just three years later, that lifespan drops to 47 days. Backed by Google, Apple, and Mozilla, this shift aims to make the web safer through fresher data, faster failover, and…

Read more
DKIM

The hidden threat: How misconfigured DKIM enables replay attacks

Red Sift

Email authentication isn’t just an IT concern. It protects your brand and customers. A single misstep can let attackers spoof your domain, send phishing emails, and destroy customer trust. One of the most dangerous methods? The DKIM replay attack. In this post, we’ll break down how undersigned DKIM keys and related misconfigurations open your…

Read more
BIMI

Why DMARC and BIMI are a business priority

Jack Lilley

Email threats aren’t slowing down, and neither should your authentication strategy. In our recent joint webinar with Marigold, “From DMARC to BIMI: Navigating the New Email Authorization Landscape,” we broke down what today’s evolving standards mean for both security and marketing teams—and how to take action now with our free Red Sift Investigate tool.…

Read more