Let’s Encrypt to offer 6-day certificates from next year
Let's Encrypt has announced that it will begin offering certificates with a lifespan of just six days beginning next year.
This decision aligns with a wider industry move towards shorter certificate lifespans. Google and Apple have both proposed cutting the maximum validity of public TLS certificates: Google to 90 days, Apple to 47 days by 2028. According to Kevin Bocek, Chief Innovation Officer at Venafi, a CyberArk company, the aim is to improve security by shrinking the window in which a compromised certificate remains usable.
Bocek stated, "Let's Encrypt announcing that it will be offering 6-day certificates starting next year is a clear signal of where the market is moving." He noted that the likelihood of a certificate being compromised grows with longer lifespans and that over half (57%) of organisations have faced incidents involving compromised TLS certificates in the past year. Bocek asserts that shorter lifespans will help businesses mitigate this risk.
Let's Encrypt has become increasingly popular with developers as a quick, free way to issue TLS certificates (machine identities) for important web services. Bocek sees the decision not just as a move in its own right but as a challenge to other Certificate Authorities (CAs) to offer shorter-lived certificates too.
Shorter certificate lifetimes do, however, demand new processes and tooling. Bocek emphasised, "Automation is essential if you want to rotate certificates every six days." The industry is visibly worried about managing the change: recent research indicates that 81% of security leaders believe Google's proposed 90-day limit will exacerbate existing certificate-management challenges, 73% fear potential chaos, 75% think it might reduce security, and 77% predict more outages.
This apprehension partly arises because many companies lack the tools and resources to handle this transition at scale. Bocek pointed out that only 8% of organisations have fully automated TLS certificate management throughout their enterprise, while around 29% continue using in-house software and spreadsheets.
Bocek elaborated on how slow current practice is: it takes organisations 2-3 working days to deploy a certificate manually. While shorter lifespans mitigate certain risks, he noted that they also add complexity for security teams, with problems visible across cloud infrastructure, virtual machines and Kubernetes clusters.
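To make the arithmetic behind Bocek's point concrete, here is an added example in Go (not code from the article, Let's Encrypt or Venafi). It builds a throwaway self-signed certificate with a chosen lifetime, applies the common ACME-client convention of starting renewal once two thirds of the lifetime has elapsed (certbot's default of renewing with 30 days left does this for a 90-day certificate), and checks whether a deployment that takes a given lead time, such as the 2-3 working days quoted above, still finishes before notAfter. The certificate, the two-thirds rule, the hostname and the lead time are all assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RenewalPlan is the renewal schedule derived from a certificate's validity
// period, plus a feasibility verdict for a given deployment lead time.
type RenewalPlan struct {
	Lifetime        time.Duration // notAfter - notBefore
	RenewEvery      time.Duration // interval between renewals (two thirds of Lifetime)
	RenewAt         time.Time     // when renewal of this certificate should start
	Margin          time.Duration // time left between a finished deployment and notAfter
	RenewalsPerYear int           // renewals per year implied by RenewEvery
	Feasible        bool          // true if the deployment finishes before notAfter
}

// PlanRenewal applies the (assumed) ACME-client convention of renewing once two
// thirds of the lifetime has elapsed and checks whether a deployment that takes
// leadTime still completes before the certificate expires.
func PlanRenewal(cert *x509.Certificate, leadTime time.Duration) RenewalPlan {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	renewEvery := lifetime * 2 / 3
	renewAt := cert.NotBefore.Add(renewEvery)
	margin := cert.NotAfter.Sub(renewAt.Add(leadTime))
	return RenewalPlan{
		Lifetime:        lifetime,
		RenewEvery:      renewEvery,
		RenewAt:         renewAt,
		Margin:          margin,
		RenewalsPerYear: int((365 * 24 * time.Hour) / renewEvery),
		Feasible:        margin > 0,
	}
}

// selfSigned builds a throwaway self-signed certificate with the given lifetime.
// It stands in for a certificate you would normally fetch from a live endpoint
// or read from disk; the fixed notBefore keeps the example deterministic.
func selfSigned(lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	notBefore := time.Date(2025, 1, 15, 0, 0, 0, 0, time.UTC) // constructed date, not real
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"}, // hypothetical host
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"example.invalid"},
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	manualLead := 3 * 24 * time.Hour // the "2-3 working days" quoted in the article
	for _, days := range []int{90, 6} {
		cert, err := selfSigned(time.Duration(days) * 24 * time.Hour)
		if err != nil {
			panic(err)
		}
		p := PlanRenewal(cert, manualLead)
		fmt.Printf("%3d-day cert: renew every %v (~%d/year), margin after a %v deploy: %v, feasible=%t\n",
			days, p.RenewEvery, p.RenewalsPerYear, manualLead, p.Margin, p.Feasible)
	}
}
```

With a 90-day certificate the renewal starts at day 60 and a three-day manual deployment leaves 27 days of margin; with a 6-day certificate the renewal starts at day 4 and the same deployment overshoots notAfter by a day, so the check reports it as infeasible and the rotation has to be automated. In a real pipeline the same function would run over certificates pulled from endpoints or inventory and alert on any whose margin goes negative.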
Bocek explained, "We're not just dealing with minor red flags here – we're seeing problems everywhere, from the cloud to virtual machines and Kubernetes clusters. It's not just one vendor's issue; it's the entire internet at stake." Despite these concerns, he remains optimistic about solutions. "The good news is this is a solvable problem. Security teams can get certificate lifecycle management (CLM), PKI-as-a-service and workload identity issuers all on one control plane now."