Six-day certificates: Here’s what you need to know

In January 2025, Let’s Encrypt announced a major step forward in enhancing web security: the introduction of six-day certificates, also known as “short-lived” certificates. This initiative aligns with Let’s Encrypt’s commitment to strengthening the Public Key Infrastructure (PKI) ecosystem and is set to roll out for general availability by the end of 2025.

Why short-lived certificates matter

The core motivation behind this change is security. Short-lived certificates significantly reduce the window of opportunity for attackers to exploit a compromised or stolen certificate. By automatically expiring in just six days, they also encourage automation in certificate management, further minimizing human errors and vulnerabilities.

The role of ACME in automation

This shift to six-day certificates is possible largely because of certificate lifecycle automation mechanisms such as the Automatic Certificate Management Environment (ACME) protocol. ACME automates the traditionally manual process of obtaining and renewing SSL/TLS certificates, making it seamless for websites to stay secure.

Here’s how it works: your server communicates with Let’s Encrypt (or another Certificate Authority that supports ACME) through the ACME protocol to request, verify, and install certificates—all without human intervention. Once set up, ACME handles renewals too, ensuring that certificates never expire unexpectedly.

ACME 2.0 is the latest stable version of the protocol. With its introduction in 2018, ACME became even more robust, adding support for wildcard certificates (which secure multiple subdomains) and improving compatibility with a wide range of tools and platforms. As part of its continued efforts to enhance automation, Let’s Encrypt is also working on innovations to simplify certificate renewal and revocation processes—essential for managing short-lived certificates.

What is ARI, and why does it matter for six-day certificates?

Managing short-lived certificates, like the upcoming six-day model, requires precise timing for renewals. This is where Automatic Renewal Information (ARI) comes into play. ARI acts like a notification system for your server, telling it exactly when a certificate needs to be renewed.

Instead of constantly checking expiration dates, ARI ensures your server always knows the right moment to act. This added layer of automation is essential for managing certificates with such short lifespans and helps ensure uninterrupted security.

The latest draft of ARI (published on December 6, 2024) is under review by the Internet Engineering Task Force (IETF) and is expected to be finalized soon. Despite not yet being an official standard, ARI has already gained traction. Let’s Encrypt has supported ARI in production since March 2023, with many customers already benefiting from it. As the protocol matures into a formal standard, other Certificate Authorities (CAs) are expected to adopt it, driving broader adoption across the industry.
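As an added example (not code from the original post, from Let's Encrypt, or from any ACME client), the Python below shows the client side of ARI in standard-library code: it builds the certificate identifier that the renewalInfo endpoint is keyed on (base64url of the Authority Key Identifier's keyIdentifier, a dot, then base64url of the serial number's DER content octets), forms the lookup URL, and turns the CA's `suggestedWindow` into a concrete renewal time by picking a uniformly random instant inside the window and renewing immediately if that instant has already passed. The directory URL, the `SAMPLE_RENEWAL_INFO` response and the "now" timestamps are constructed; the serial 0x87654321 and the resulting ID `aYhba4dGQOwUiaDuVEw7fAKfmQ.AIdlQyE` follow the worked example in draft-ietf-acme-ari, with the AKI bytes chosen to reproduce it.

```python
"""Client-side ARI helpers: certificate ID, renewalInfo URL, and renewal
window selection. Standard library only; sample values are constructed."""
import base64
import random
from datetime import datetime, timedelta


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_integer_content(n: int) -> bytes:
    """Content octets of a DER INTEGER for the non-negative integer n:
    big-endian, minimal length, with a leading 0x00 whenever the top bit
    is set so the value cannot be misread as negative (two's complement)."""
    if n < 0:
        raise ValueError("certificate serial numbers are non-negative")
    nbytes = (n.bit_length() + 8) // 8  # +8 reserves room for the sign bit
    return n.to_bytes(nbytes, "big")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """ARI certificate ID: base64url(keyIdentifier) '.' base64url(serial DER content)."""
    return f"{b64url(aki_key_identifier)}.{b64url(der_integer_content(serial))}"


def renewal_info_url(directory_renewal_info: str, cert_id: str) -> str:
    """The client performs a plain GET on <renewalInfo endpoint>/<certID>;
    no account key or JWS is involved, so the lookup is cheap and unauthenticated."""
    return f"{directory_renewal_info.rstrip('/')}/{cert_id}"


def parse_rfc3339(ts: str) -> datetime:
    """Parse the RFC 3339 timestamps ACME uses (accepts a trailing 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def choose_renewal_time(renewal_info: dict, now: datetime, rng: random.Random) -> datetime:
    """Pick a uniformly random instant inside suggestedWindow. If it has already
    passed, renew now. Spreading clients across the window is what keeps a
    CA-initiated early renewal (e.g. after an incident) from becoming a
    thundering herd the moment the window opens."""
    window = renewal_info["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end <= start:
        raise ValueError("malformed suggestedWindow: end is not after start")
    chosen = start + timedelta(seconds=rng.uniform(0, (end - start).total_seconds()))
    return now if chosen <= now else chosen


def plan_renewal(renewal_info: dict, now_iso: str, seed=None) -> dict:
    """Convenience wrapper returning plain values: when to renew and how long to wait."""
    now = parse_rfc3339(now_iso)
    when = choose_renewal_time(renewal_info, now, random.Random(seed))
    return {"renew_at": when.isoformat(), "delay_seconds": (when - now).total_seconds()}


# AKI keyIdentifier bytes chosen to reproduce the ARI draft's example ID; the
# serial 0x87654321 is the draft's. Note the leading 0x00 the DER rule adds
# because 0x87 has its top bit set.
EXAMPLE_AKI = bytes.fromhex("69885b6b874640ec1489a0ee544c3b7c029f99")
EXAMPLE_SERIAL = 0x87654321

# Constructed renewalInfo response, shaped like the CA's JSON reply.
SAMPLE_RENEWAL_INFO = {
    "suggestedWindow": {"start": "2025-02-03T12:00:00Z", "end": "2025-02-04T12:00:00Z"},
    "explanationURL": "https://ca.example/explanation-placeholder",
}

if __name__ == "__main__":
    cid = ari_cert_id(EXAMPLE_AKI, EXAMPLE_SERIAL)
    print(cid)  # aYhba4dGQOwUiaDuVEw7fAKfmQ.AIdlQyE
    print(renewal_info_url("https://acme.example/renewal-info", cid))
    print(plan_renewal(SAMPLE_RENEWAL_INFO, "2025-02-01T00:00:00Z", seed=1))
    print(plan_renewal(SAMPLE_RENEWAL_INFO, "2025-02-10T00:00:00Z", seed=1))
```

A real client would read the `renewalInfo` URL from the ACME directory, re-poll the endpoint (honouring `Retry-After`) because the CA may move the window earlier, and only then run its normal order/finalize flow. The two `plan_renewal` calls show the two cases that matter in practice: a window still in the future yields a delay inside that window, while a window already behind the client yields a delay of zero, i.e. renew at once.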

What happens when automation fails?

While automation is a game-changer for certificate management, even the best systems aren’t foolproof. A misconfiguration, a software bug, or a communication failure can disrupt automated processes, leaving your website vulnerable to outages or security lapses.

That’s why an assurance layer is critical. As the recommended certificate expiration service of Let’s Encrypt, Red Sift Certificates Lite provides monitoring for up to 250 certificates with 7-day email expiry alerts. When six-day certificates become generally available, Red Sift Certificates Lite will adapt to support 24-hour expiration alerts, ensuring a safety net for your organization if automation fails.
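As an added example of the independent check this section argues for (my own illustration, not Red Sift's or Let's Encrypt's code), the Python below walks a constructed certificate inventory and flags anything whose remaining lifetime has fallen below an alert lead time derived from the certificate's total lifetime: 24 hours for six-day certificates and 7 days for conventional ones, the two lead times named on this page. The 10-day cutoff used to tell the two classes apart, the hostnames and all timestamps are assumptions constructed for the example. The point is that the watchdog uses only the certificate's own validity dates, so it keeps working when the ACME client, ARI polling, or the deployment hook has silently failed.

```python
"""Expiry watchdog independent of the renewal automation. Standard library only;
the inventory and timestamps below are constructed sample data."""
from datetime import datetime, timedelta


def parse_rfc3339(ts: str) -> datetime:
    """Parse RFC 3339 timestamps (accepts a trailing 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def alert_lead_time(not_before: datetime, not_after: datetime) -> timedelta:
    """Lead time scaled to the certificate's lifetime: 24 hours for short-lived
    (six-day) certificates, 7 days otherwise. The 10-day boundary is an assumption."""
    lifetime = not_after - not_before
    return timedelta(hours=24) if lifetime <= timedelta(days=10) else timedelta(days=7)


def classify(cert: dict, now_iso: str) -> str:
    """Return 'expired', 'alert' (inside the lead time, renewal is overdue), or 'ok'."""
    now = parse_rfc3339(now_iso)
    not_before, not_after = parse_rfc3339(cert["not_before"]), parse_rfc3339(cert["not_after"])
    if now >= not_after:
        return "expired"
    if not_after - now <= alert_lead_time(not_before, not_after):
        return "alert"
    return "ok"


def expiring_certificates(inventory: list, now_iso: str) -> list:
    """(name, status) for every certificate that needs attention, in inventory order."""
    return [(c["name"], s) for c in inventory if (s := classify(c, now_iso)) != "ok"]


# Constructed inventory: two six-day certificates, one 90-day certificate,
# and one that automation has already let lapse.
SAMPLE_INVENTORY = [
    {"name": "www.example.test", "not_before": "2025-02-01T00:00:00Z", "not_after": "2025-02-07T00:00:00Z"},
    {"name": "api.example.test", "not_before": "2024-12-01T00:00:00Z", "not_after": "2025-03-01T00:00:00Z"},
    {"name": "legacy.example.test", "not_before": "2024-11-01T00:00:00Z", "not_after": "2025-02-05T00:00:00Z"},
    {"name": "mail.example.test", "not_before": "2025-02-05T00:00:00Z", "not_after": "2025-02-11T00:00:00Z"},
]

if __name__ == "__main__":
    for name, status in expiring_certificates(SAMPLE_INVENTORY, "2025-02-06T06:00:00Z"):
        print(f"{status:8} {name}")
```

Run against live systems, the inventory would come from your own discovery (the served chain on each endpoint, not the file the client wrote to disk), since the failure you are guarding against is precisely that the two have drifted apart.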

For businesses with more complex PKI needs, Red Sift Certificates Enterprise provides a robust solution. It features fully configurable alerting settings, real-time certificate discovery, issuance checks, and comprehensive configuration monitoring. This makes it ideal for managing diverse certificate estates that may include both short- and long-lived certificates.

Preparing for the future of web PKI

With the introduction of six-day certificates, automation and assurance will work hand in hand to create a secure, reliable web infrastructure. Organizations can start preparing now by adopting ACME-compatible tools for automated management and leveraging services like Red Sift Certificates Lite to add an extra layer of resilience.

What’s next

As we get closer to the rollout, staying informed about implementation details and best practices will be key for organizations looking to leverage this model effectively. We’ll continue to update this post as new developments emerge.

PUBLISHED BY

Francesca Rünger-Field

28 Jan. 2025
