New Generation Y certificate hierarchy from Let’s Encrypt
54s
2
14:04, 16.12.2025
Let’s Encrypt has announced important updates regarding a new certificate hierarchy, the discontinuation of TLS client authentication, and plans to reduce certificate validity periods.
Generation Y certificate hierarchy
The new Generation Y hierarchy consists of two root certificate authorities and six intermediate ones. The new certificate authorities are cross-signed by Generation X root authorities, thus maintaining trust.
At the beginning of 2026, support for TLS client authentication will be discontinued. Additionally, the classic ACME profile will be switched to the new hierarchy by default on May 13, 2026. For users who still need the tlsclient profile, it will be available until May, as it remains on Generation X certificates.
As for the reduction in the validity period of certificates, next year, the first testers and users will be able to access a 45-day certificate via tlsserver. In 2027, the validity period is planned to be reduced to 64 days, and in 2028 to 45 days. This will enable significant improvements in security by accelerating cryptographic updates and reducing the “attack window.”
Starting this week, users with short-term profiles and tlsserver will have access to Generation Y certificates.
Was this article helpful to you?
Yes
No
VPS popular offers
-10%
Linux
€ 70.49 /mo
Billed annually
-20.4%
Linux
€ 18 /mo
Billed annually
-9.5%
Windows
€ 73.99 /mo
Billed annually
-10%
Linux
€ 25.85 /mo
Billed annually
-10%
€ 28.99 /mo
Billed annually
-8.1%
Windows
€ 31.25 /mo
Billed annually
-20.2%
Windows
€ 19 /mo
Billed annually
-10%
Linux
€ 7.1 /mo
Billed annually
-10%
Linux
€ 7.7 /mo
Billed annually
-18.4%
Windows
€ 24 /mo
Billed annually
