SSL Certificate Automation in 2026: Let’s Encrypt Updates, 6-Day Certs, and Alternatives

The State of SSL Certificate Automation in 2026

The SSL certificate market has shifted dramatically in the past year. Let’s Encrypt, which secures over 400 million websites globally, has rolled out a series of changes that affect every site operator relying on automated certificate management. From 6-day certificates to new DNS validation methods, 2026 is shaping up as a watershed year for TLS automation.

Here’s what’s changed, what’s coming next, and which alternatives are worth considering if your infrastructure demands something different from the free CA standard.

Let’s Encrypt’s Major 2025-2026 Changes


Certificate Lifetimes Are Dropping to 45 Days

In December 2025, Let’s Encrypt formally announced that default certificate lifetimes will decrease from 90 days to 45 days, following CA/Browser Forum Baseline Requirements that all publicly trusted Certificate Authorities must comply with. The rollout happens in three stages:

  • May 13, 2026: The “tlsserver” ACME profile switches to 45-day certificates (opt-in for early adopters)
  • February 10, 2027: The default “classic” profile drops to 64-day certificates with a 10-day authorization reuse period
  • February 16, 2028: All classic profile certificates move to 45 days with a 7-hour authorization reuse window

The authorization reuse period is equally important here. Currently set at 30 days, it will shrink to just 7 hours by 2028. That means your ACME client will need to re-validate domain control far more frequently. If your renewal automation has any manual steps or fragile dependencies, now is the time to fix them.

6-Day Short-Lived Certificates Go Live

In January 2026, Let’s Encrypt made 6-day certificates (technically 160 hours) generally available. These ultra-short certificates are opt-in through the “shortlived” ACME profile and represent a fundamentally different approach to certificate security.

The logic is straightforward: if a private key is compromised, revocation has always been unreliable. Browsers don’t consistently check certificate revocation lists or OCSP responses. With a 6-day certificate, the exposure window from a key compromise shrinks from up to 90 days to less than a week, regardless of whether revocation works.

As of March 2026, Certbot officially supports requesting short-lived certificates. Server operators with fully automated renewal pipelines can switch by selecting the shortlived profile in their ACME client configuration.

IP Address Certificates

Let’s Encrypt issued its first IP address certificate in July 2025, and the feature became generally available alongside 6-day certificates in January 2026. This allows TLS authentication for connections made directly to IPv4 or IPv6 addresses rather than domain names.

IP address certificates must use the shortlived profile (6-day validity). The reasoning: IP addresses are more transient than domain names, particularly in cloud environments where elastic IPs get reassigned. More frequent validation ensures the certificate holder still controls that address.

Use cases include internal services, API endpoints accessed by IP, and IoT devices that communicate over IP without DNS infrastructure.

DNS-PERSIST-01: A New Challenge Type

Announced in February 2026, DNS-PERSIST-01 is a new ACME challenge method based on an IETF draft specification. It addresses a long-standing pain point with DNS-01 validation: the need to update DNS records for every single certificate issuance and renewal.

With traditional DNS-01, your automation needs DNS API credentials distributed throughout your pipeline. Each renewal requires publishing a new TXT record, waiting for propagation, and completing validation. For organizations managing thousands of certificates, this means constant DNS churn.

DNS-PERSIST-01 works differently. You publish a single, standing TXT record at _validation-persist.yourdomain.com that identifies both the CA (Let’s Encrypt) and your specific ACME account. Once that record exists, it authorizes all future issuance and renewals without further DNS changes.

The tradeoff: DNS-PERSIST-01 doesn’t provide fresh proof of control at each renewal the way DNS-01 does. But for IoT deployments, multi-tenant platforms, and batch certificate operations where DNS-01 creates operational headaches, it’s a significant improvement.

ACME Renewal Information (ARI) Now an RFC Standard

Published as RFC 9773 in September 2025, ACME Renewal Information gives CAs a way to tell clients exactly when they should renew. Instead of relying on static thresholds (“renew 30 days before expiry”), ARI provides a suggested renewal window via an API endpoint.

Shopify, which manages certificates for millions of merchant domains, adopted ARI to replace their static renewal logic. Their previous system used a 30-day-before-expiry threshold with random 0-72 hour jitter. ARI solved three problems: it enables rapid response to revocations, adapts automatically to lifetime changes, and distributes renewal load more evenly across the CA’s infrastructure.

With certificate lifetimes shrinking, ARI becomes essential rather than optional. If your ACME client supports it, enable it now.
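How an ACME client acts on an ARI response, as an added example (not Certbot, acme.sh or Shopify code): it builds the RFC 9773 certID that the renewalInfo URL is keyed on, picks a random instant inside the CA's suggested window, decides whether to renew before the client's next scheduled run, and falls back to a lifetime-proportional rule (my assumption, not something the RFC specifies) when the ARI endpoint is unreachable. The AKI, serial and window values are constructed samples.

```python
import base64
import random
from datetime import datetime, timedelta, timezone
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """RFC 9773 certID: base64url(AKI keyIdentifier) + "." + base64url(DER INTEGER content
    of the serial). The serial is encoded minimally, with a leading 0x00 when its top bit is set."""
    if serial <= 0:
        raise ValueError("certificate serial numbers are positive integers")
    serial_bytes = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    return f"{_b64url(aki_key_identifier)}.{_b64url(serial_bytes)}"

def parse_rfc3339(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

def pick_renewal_time(renewal_info: dict, rng: Optional[random.Random] = None) -> datetime:
    """Uniform random instant inside suggestedWindow, so clients do not all hit the CA at once."""
    rng = rng or random.SystemRandom()
    window = renewal_info["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end < start:
        raise ValueError("malformed suggestedWindow: end precedes start")
    return start + timedelta(seconds=rng.uniform(0, (end - start).total_seconds()))

def renew_now(renewal_info: dict, now: datetime, next_wakeup: datetime,
              rng: Optional[random.Random] = None) -> bool:
    """RFC 9773 section 4.2: renew immediately if the chosen time is already past or falls
    before the client's next scheduled run; otherwise sleep until then and query ARI again."""
    chosen = pick_renewal_time(renewal_info, rng)
    return chosen <= now or chosen < next_wakeup

def fallback_renewal_time(not_before: datetime, not_after: datetime,
                          rng: Optional[random.Random] = None) -> datetime:
    """Only for when ARI is unreachable. A fixed "30 days before expiry" rule is always in the
    past for a 6-day certificate, so this assumed rule renews at 2/3 of the lifetime plus up
    to 10% jitter, which scales to 6-, 45- and 90-day certificates alike."""
    rng = rng or random.SystemRandom()
    lifetime = not_after - not_before
    return not_before + lifetime * (2 / 3 + rng.uniform(0, 0.1))

# Constructed sample renewalInfo response (RFC 3339 timestamps); the URL is a placeholder.
SAMPLE_ARI = {"suggestedWindow": {"start": "2026-03-01T00:00:00Z", "end": "2026-03-03T00:00:00Z"},
              "explanationURL": "https://example.invalid/why-renew-early"}

if __name__ == "__main__":
    print(renew_now(SAMPLE_ARI, parse_rfc3339("2026-03-02T00:00:00Z"), parse_rfc3339("2026-03-02T12:00:00Z")))
```

The certID goes after the directory's renewalInfo URL (GET <renewalInfo>/<certID>); honour the Retry-After header on that response when scheduling the next ARI poll.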

OCSP Service Shut Down

Let’s Encrypt turned off its Online Certificate Status Protocol (OCSP) service in August 2025. This was a long-anticipated move. OCSP has been criticized for years due to privacy concerns (CAs can track which sites users visit) and reliability issues (soft-fail behavior means browsers ignore OCSP errors anyway).

The replacement: Certificate Revocation Lists (CRLs) and shorter certificate lifetimes. With 6-day certificates available, the argument for real-time revocation checking weakens considerably.

Native ACME in Web Servers: The New Normal

One of the biggest shifts in certificate automation happened in August 2025 when NGINX announced native ACME protocol support via its official ngx_http_acme module, implemented in memory-safe Rust.

NGINX joins Caddy, Traefik, and Apache httpd in supporting ACME directly, without requiring external clients like Certbot or acme.sh. For operators running NGINX (which powers a significant share of the web), this means certificate management can happen entirely within the web server process. No cron jobs, no separate renewal daemons, no coordination between processes.

The practical impact: a significant majority of web servers can now handle certificate issuance natively. For new deployments, running Certbot alongside your web server is no longer strictly necessary.

Let’s Encrypt Alternatives Worth Considering

Let’s Encrypt remains the dominant free CA, but it’s not the only option. Several alternatives have matured and offer different strengths depending on your infrastructure requirements.

ZeroSSL

Operated by apilayer (Stack Holdings), ZeroSSL offers free 90-day DV certificates via ACME, similar to Let’s Encrypt. Where it differs: ZeroSSL also provides a REST API alongside ACME, paid options for 1-year certificates, and a web-based dashboard for manual management. If your team needs a mix of automated and manually-managed certificates, ZeroSSL’s hybrid approach has value.

ZeroSSL uses Sectigo as its root CA, providing a different trust chain from Let’s Encrypt. This matters for environments where you need certificate diversity (some large organizations use multiple CAs to avoid single points of failure).

Google Trust Services

Google operates its own publicly trusted CA and offers free DV certificates through ACME. The certificates chain to Google’s GTS Root R1-R4 hierarchy. For organizations already deep in the Google Cloud ecosystem, using Google Trust Services can simplify certificate management since it integrates directly with Google Cloud Certificate Manager.

Google Trust Services currently issues 90-day certificates and supports standard ACME challenges. It’s a solid choice for GCP-native workloads, though it lacks some of the newer features Let’s Encrypt has pioneered (like 6-day certificates and ARI).

Buypass Go SSL

Buypass, a Norwegian CA, offers free 180-day DV certificates via ACME. The longer validity period (double Let’s Encrypt’s current 90 days) appeals to operators who want less frequent renewals. Buypass supports both HTTP-01 and DNS-01 challenges and works with standard ACME clients including Certbot.

The 180-day lifetime will need to decrease as CA/Browser Forum requirements tighten, but for now it provides a longer buffer for environments where renewal automation is less mature.

SSL.com

SSL.com provides free 90-day DV certificates through ACME and also sells OV and EV certificates for organizations that need them. Their ACME implementation is compatible with standard clients. The main draw is having a single provider for both automated DV certificates and higher-assurance certificates that require manual validation.

Comparison: Free ACME Certificate Authorities

CA                    | Max Validity                    | Short-Lived Option | IP Certs | Wildcard   | ACME Support    | Root CA
Let’s Encrypt         | 90 days (moving to 45)          | Yes (6-day)        | Yes      | Yes        | Full            | ISRG Root X1/X2
ZeroSSL               | 90 days (free) / 1 year (paid)  | No                 | No       | Yes (paid) | Full + REST API | Sectigo
Google Trust Services | 90 days                         | No                 | No       | Yes        | Full            | GTS Root R1-R4
Buypass Go            | 180 days                        | No                 | No       | No         | Full            | Buypass Class 2
SSL.com               | 90 days (free DV)               | No                 | No       | Yes (paid) | Full            | SSL.com Root

What This Means for Hosting Providers and Site Operators

The direction is clear: certificate lifetimes are getting shorter, and automation is no longer optional. Here’s what to do now:

Audit your renewal pipeline. If any part of your certificate renewal process requires human intervention, fix it before the 45-day default arrives. Test with the “tlsserver” profile (available May 13, 2026) to see how your infrastructure handles shorter lifetimes.

Enable ARI if your client supports it. Certbot, acme.sh, and the Ruby acme-client gem all support ARI. It’s the best way to ensure your renewals happen at the right time, especially as lifetimes shrink.

Consider native ACME in your web server. If you’re running NGINX, Caddy, Traefik, or Apache, evaluate whether native ACME support can replace your external client. Fewer moving parts means fewer failure modes.

Evaluate multi-CA strategies. Running certificates from two different CAs (e.g., Let’s Encrypt primary, ZeroSSL fallback) protects against CA outages. Some ACME clients like Caddy already support this pattern.

Look at DNS-PERSIST-01 for large deployments. If you manage certificates for hundreds or thousands of domains and DNS-01 validation is creating operational overhead, the new persistent challenge type could simplify your pipeline significantly once client support matures.

The Bottom Line

Let’s Encrypt continues to push the industry toward shorter-lived, more frequently validated certificates. The 6-day certificate option, combined with native ACME support in major web servers and new validation methods like DNS-PERSIST-01, makes fully automated certificate management more accessible than ever.

The alternatives (ZeroSSL, Google Trust Services, Buypass) serve specific niches but haven’t matched Let’s Encrypt’s pace of innovation. For most hosting environments, Let’s Encrypt remains the default choice. The key action item: make sure your automation is ready for 45-day certificates before the default changes hit in 2027.

Certificate management is becoming invisible infrastructure, handled entirely by software. That’s exactly where it should be.