Six-day certificates: Here’s what you need to know

In January 2025, Let’s Encrypt announced a major step forward in enhancing web security: the introduction of six-day certificates, also known as “short-lived” certificates. This initiative aligns with Let’s Encrypt’s commitment to strengthening the Public Key Infrastructure (PKI) ecosystem and is set to roll out for general availability by the end of 2025.

Why short-lived certificates matter

The core motivation behind this change is security. Short-lived certificates significantly reduce the window of opportunity for attackers to exploit a compromised or stolen certificate. By automatically expiring in just six days, they also encourage automation in certificate management, further minimizing human errors and vulnerabilities.

The role of ACME in automation

One of the key reasons this shift to six-day certificates is possible is thanks to certificate lifecycle automation mechanisms such as the Automatic Certificate Management Environment (ACME) protocol. ACME automates the traditionally manual process of obtaining and renewing SSL/TLS certificates, making it seamless for websites to stay secure.

Here’s how it works: your server communicates with Let’s Encrypt (or another Certificate Authority that supports ACME) through the ACME protocol to request, verify, and install certificates—all without human intervention. Once set up, ACME handles renewals too, ensuring that certificates never expire unexpectedly.

ACME 2.0 is the latest stable version of the protocol. With its introduction in 2018, ACME became even more robust, adding support for wildcard certificates (which secure multiple subdomains) and improving compatibility with a wide range of tools and platforms. As part of its continued efforts to enhance automation, Let’s Encrypt is also working on innovations to simplify certificate renewal and revocation processes—essential for managing short-lived certificates.

What is ARI, and why does it matter for six-day certificates?

Managing short-lived certificates, like the upcoming six-day model, requires precise timing for renewals. This is where Automatic Renewal Information (ARI) comes into play. ARI acts like a notification system for your server, telling it exactly when a certificate needs to be renewed.

Instead of constantly checking expiration dates, ARI ensures your server always knows the right moment to act. This added layer of automation is essential for managing certificates with such short lifespans and helps ensure uninterrupted security.

The latest draft of ARI (published on December 6, 2024) is under review by the Internet Engineering Task Force (IETF) and is expected to be finalized soon. Despite not yet being an official standard, ARI has already gained traction. Let’s Encrypt has supported ARI in production since March 2023, with many customers already benefiting from it. As the protocol matures into a formal standard, other Certificate Authorities (CAs) are expected to adopt it, driving broader adoption across the industry.
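The renewal-timing logic described above, as an added example that is not part of the original post or of any ACME client: it builds the certificate identifier a client appends to the CA's renewal-information URL and decides, on each wake-up, whether to renew now. The `suggestedWindow` field and the identifier format follow the ARI draft; the function names, sample values, and the two-thirds-of-lifetime fallback used when ARI cannot be reached are assumptions of this example.

```python
import base64
import random
from datetime import datetime, timezone


def b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding ACME uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def ari_cert_id(aki_key_id: bytes, serial_der: bytes) -> str:
    """Certificate identifier appended to the CA's renewalInfo URL.

    serial_der is the DER integer content, so a leading 0x00 byte that
    keeps the value positive must be preserved.
    """
    return f"{b64url(aki_key_id)}.{b64url(serial_der)}"


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def should_renew_now(renewal_info, not_before, not_after, now, next_wake,
                     rng=random):
    """Return True if the client should renew during this wake-up."""
    if renewal_info is None:
        # ARI unreachable: fall back to a fixed fraction of the lifetime
        # (two thirds is an assumption of this example, not from the page).
        chosen = not_before + (not_after - not_before) * 2 / 3
    else:
        window = renewal_info["suggestedWindow"]
        start, end = parse_ts(window["start"]), parse_ts(window["end"])
        if end <= start:
            raise ValueError("suggestedWindow end must be after start")
        # A uniformly random instant spreads load on the CA across clients.
        chosen = start + (end - start) * rng.random()
    # Renew if the chosen instant has passed or falls before the next check.
    return chosen <= now or chosen <= next_wake


# Constructed sample: six-day certificate and an ARI response body.
NOT_BEFORE = datetime(2025, 1, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2025, 1, 7, tzinfo=timezone.utc)
SAMPLE_ARI = {"suggestedWindow": {"start": "2025-01-03T00:00:00Z",
                                  "end": "2025-01-04T00:00:00Z"}}
```

With a six-day lifetime the client's wake-up interval matters: a check that runs only once a day can miss most of a one-day window, so the comparison against `next_wake` is what keeps renewal from slipping past it.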

What happens when automation fails?

While automation is a game-changer for certificate management, even the best systems aren’t foolproof. A misconfiguration, a software bug, or a communication failure can disrupt automated processes, leaving your website vulnerable to outages or security lapses.

That’s why an assurance layer is critical. As the recommended certificate expiration service of Let’s Encrypt, Red Sift Certificates Lite provides monitoring for up to 250 certificates with 7-day email expiry alerts. When six-day certificates become generally available, Red Sift Certificates Lite will adapt to support 24-hour expiration alerts, ensuring a safety net for your organization if automation fails.

For businesses with more complex PKI needs, Red Sift Certificates Enterprise provides a robust solution. It features fully configurable alerting settings, real-time certificate discovery, issuance checks, and comprehensive configuration monitoring. This makes it ideal for managing diverse certificate estates that may include both short- and long-lived certificates.

Preparing for the future of web PKI

With the introduction of six-day certificates, automation and assurance will work hand in hand to create a secure, reliable web infrastructure. Organizations can start preparing now by adopting ACME-compatible tools for automated management and leveraging services like Red Sift Certificates Lite to add an extra layer of resilience.

What’s next

As we get closer to the rollout, staying informed about implementation details and best practices will be key for organizations looking to leverage this model effectively. We’ll continue to update this post as new developments emerge.

PUBLISHED BY

Francesca Rünger-Field

28 Jan. 2025
