Six-day certificates: Here’s what you need to know

In January 2025, Let’s Encrypt announced a major step forward in enhancing web security: the introduction of six-day certificates, also known as “short-lived” certificates. This initiative aligns with Let’s Encrypt’s commitment to strengthening the Public Key Infrastructure (PKI) ecosystem and is set to roll out for general availability by the end of 2025.

Why short-lived certificates matter

The core motivation behind this change is security. A certificate is only as safe as its private key, and revocation is an unreliable backstop: CRL and OCSP updates propagate slowly, and many clients ignore a failed revocation check. A certificate that expires after six days limits how long a stolen or leaked key stays useful, whether or not revocation ever reached the relying party. Because nobody can renew by hand every few days, the short lifetime also forces automation of certificate management, which removes the manual steps where misconfiguration and forgotten renewals usually happen.

The role of ACME in automation

The shift to six-day certificates is only practical because certificate lifecycle automation already exists, chiefly the Automatic Certificate Management Environment (ACME) protocol (RFC 8555). ACME automates the traditionally manual process of obtaining and renewing TLS certificates, so a site can stay secure without anyone scheduling the work.

Here’s how it works: an ACME client on your server talks to Let’s Encrypt (or any other Certificate Authority that supports ACME) to create an order, prove control of each domain by answering a challenge (typically HTTP-01 or DNS-01), submit a certificate signing request, and download the issued certificate; the client then installs it into the web server. Once set up, the same client runs on a schedule and renews certificates before they expire, so the six-day cycle needs no human intervention.

ACME v2 is the current stable version of the protocol. Let’s Encrypt launched its v2 endpoint in 2018, and the protocol was standardized as RFC 8555 in 2019. ACME v2 added support for wildcard certificates (which cover all subdomains at one level and can only be validated with the DNS-01 challenge) and improved compatibility with a wide range of tools and platforms. Let’s Encrypt is also working on extensions that simplify renewal scheduling and revocation, which become essential once certificates live for only six days.

What is ARI, and why does it matter for six-day certificates?

Managing short-lived certificates, like the upcoming six-day model, requires precise timing for renewals. This is where ACME Renewal Information (ARI) comes into play. With ARI the CA publishes, for each certificate it issued, a suggested renewal window; your ACME client looks that window up (an unauthenticated GET under the renewalInfo URL from the CA’s directory, keyed by the certificate’s Authority Key Identifier and serial number) and renews at a random point inside it.

Instead of relying on a fixed rule such as “renew N days before expiry”, the client asks the CA when to act, and the CA can move the window earlier when it needs certificates replaced ahead of schedule, for example after an incident that requires revocation. This added layer of automation is essential for managing certificates with such short lifespans and helps ensure uninterrupted security.
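As an added example (not code from Red Sift or Let’s Encrypt), here is a small standard-library Python sketch of the client side of ARI: building the certID path component from a certificate’s Authority Key Identifier and serial number, locating the endpoint from the CA’s directory, choosing a renewal time inside the suggested window, and a fallback rule for CAs without ARI. The directory URL, the renewalInfo JSON, the AKI and serial values, and the one-third-remaining fallback policy are all assumptions constructed for the demo.

```python
"""Client-side ACME Renewal Information (ARI) helpers, standard library only.
Added illustration, not Red Sift's or Let's Encrypt's code; the URLs, JSON,
sample values and the fallback policy below are assumptions for the demo."""
import base64
import random
from datetime import datetime, timezone


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_integer_bytes(serial: int) -> bytes:
    """Content octets of the DER INTEGER for a positive serial number: minimal
    big-endian two's complement, so a leading 0x00 is added when the top bit is
    set. ARI's certID uses exactly these bytes, without the tag and length."""
    if serial < 0:
        raise ValueError("certificate serial numbers are positive")
    length = max(1, (serial.bit_length() + 8) // 8)  # +8 reserves the sign bit
    return serial.to_bytes(length, "big")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """certID = base64url(AKI keyIdentifier) '.' base64url(serial DER content).
    Both values come from the issued certificate, so no private key is needed."""
    return f"{b64url(aki_key_identifier)}.{b64url(der_integer_bytes(serial))}"


def ari_url(directory: dict, cert_id: str) -> str:
    """ARI is an unauthenticated GET under the directory's 'renewalInfo' URL.
    A CA without ARI simply omits the key, which the caller must handle."""
    base = directory.get("renewalInfo")
    if base is None:
        raise KeyError("CA directory does not advertise renewalInfo (no ARI)")
    return f"{base.rstrip('/')}/{cert_id}"


def parse_rfc3339(ts: str) -> datetime:
    """ARI timestamps are RFC 3339; fromisoformat wants '+00:00' rather than 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def choose_renewal_time(renewal_info: dict, now: datetime, rand=random.random) -> datetime:
    """Pick a uniformly random instant inside suggestedWindow so that clients do
    not all renew at once; if that instant has already passed, renew right now.
    A CA that wants early renewal (for example before revoking) just publishes
    an earlier window, which is what makes ARI better than a fixed expiry offset."""
    window = renewal_info["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end < start:
        raise ValueError("malformed suggestedWindow: end precedes start")
    chosen = start + (end - start) * rand()
    return now if chosen <= now else chosen


def fallback_renewal_time(not_before: datetime, not_after: datetime) -> datetime:
    """Assumed policy when ARI is unavailable: renew once two thirds of the
    lifetime has elapsed (60 days into a 90-day cert, 4 days into a 6-day one)."""
    return not_before + (not_after - not_before) * 2 / 3


if __name__ == "__main__":
    # Constructed sample values for the demo (not a real certificate or CA).
    aki = bytes.fromhex("69885b6b87464041e1b37b847ba0ae2cde01c8d4")
    cert_id = ari_cert_id(aki, 0x87654321)
    print(cert_id)  # aYhba4dGQEHhs3uEe6CuLN4ByNQ.AIdlQyE
    directory = {"renewalInfo": "https://acme.example/acme/renewal-info"}
    print(ari_url(directory, cert_id))
    response = {"suggestedWindow": {"start": "2025-03-04T00:00:00Z",
                                    "end": "2025-03-05T00:00:00Z"}}
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)
    print(choose_renewal_time(response, now))
```

In a real client the `response` dict is the JSON body fetched from `ari_url(...)`, and the `Retry-After` header on that response says when to poll again; the random point inside the window is what keeps thousands of six-day renewals from landing on the CA at the same second.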

The latest draft of ARI (published on December 6, 2024) is under review by the Internet Engineering Task Force (IETF) and is expected to be finalized soon. Despite not yet being an official standard, ARI has already gained traction. Let’s Encrypt has supported ARI in production since March 2023, and ACME clients that implement it already benefit from it. As the protocol matures into a formal standard, other Certificate Authorities (CAs) are expected to adopt it, driving broader adoption across the industry.

What happens when automation fails?

While automation is a game-changer for certificate management, even the best systems aren’t foolproof. A misconfiguration, a software bug, expired DNS API credentials, or a network failure between your server and the CA can break renewals. With a 90-day certificate such a failure might go unnoticed for weeks; with a six-day certificate it becomes an outage within days, so it has to be detected while there is still time to fix it.

That’s why an assurance layer is critical. As the recommended certificate expiration service of Let’s Encrypt, Red Sift Certificates Lite provides monitoring for up to 250 certificates with 7-day email expiry alerts. When six-day certificates become generally available, Red Sift Certificates Lite will adapt to support 24-hour expiration alerts, ensuring a safety net for your organization if automation fails.

For businesses with more complex PKI needs, Red Sift Certificates Enterprise provides a robust solution. It features fully configurable alerting settings, real-time certificate discovery, issuance checks, and comprehensive configuration monitoring. This makes it ideal for managing diverse certificate estates that may include both short- and long-lived certificates.

Preparing for the future of web PKI

With the introduction of six-day certificates, automation and assurance will work hand in hand to create a secure, reliable web infrastructure. Organizations can start preparing now by adopting ACME-compatible tools for automated management and leveraging services like Red Sift Certificates Lite to add an extra layer of resilience.

What’s next

As we get closer to the rollout, staying informed about implementation details and best practices will be key for organizations looking to leverage this model effectively. We’ll continue to update this post as new developments emerge.

Published by Francesca Rünger-Field, 28 Jan. 2025
