Let's Encrypt details changes to certificate issuance, including new certificate chains, removal of Client Authentication EKU, and shorter certificate validity periods.



Let's Encrypt has published details of upcoming changes to the certificates it issues, covering 'certificate chain renewal,' 'removal of the TLS client authentication EKU (Enhanced Key Usage),' and 'gradually shortening certificate validity periods.' Most users, however, will not need to take any additional action.

Upcoming Changes to Let's Encrypt Certificates - API Announcements - Let's Encrypt Community Support
https://community.letsencrypt.org/t/upcoming-changes-to-let-s-encrypt-certificates/243873



First, certificate validity periods will be shortened in accordance with changes in CA/B Forum requirements. Specifically, 45-day certificates will be available for opt-in use in the tlsserver profile in 2026, and the default certificate validity period will be shortened to 64 days in 2027 and further to 45 days in 2028. Details are summarized in the article below.

Let's Encrypt announces that it will reduce the validity period of its certificates to 45 days - GIGAZINE



Next, the certificate chain will move from the current 'Generation X' to 'Generation Y,' which will consist of two new root certificate authorities and six intermediate certificate authorities.

The Generation Y certificates are cross-signed by the Generation X root certificate authority and are designed to continue to work in current environments. The default classic profile, which is used by many users, will be switched to Generation Y on May 13, 2026.

In addition, Generation Y intermediate certificates will not include the TLS Client Authentication EKU. Issuance of certificates carrying that EKU will start to be phased out in February 2026, coinciding with the switch to Generation Y. For users who run into compatibility issues or need a grace period, the tlsclient profile will remain available until May 2026; that profile will continue to use Generation X.



Starting in the third week of December 2025, certificates from Generation Y will be issued to those requesting a certificate with a tlsserver or shortlived profile. Short-lived certificates with a validity period of six days will be generally available on an opt-in basis. Additionally, certificates will be issued for servers accessed by specifying an IP address instead of a domain name.
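The EKU removal and the shorter lifetimes described above both affect certificates already deployed, so as an added example (not from the article and not Let's Encrypt's own tooling) here is a small shell audit that reports whether a PEM certificate still carries the TLS client authentication EKU and whether it is inside a renewal window. It assumes an OpenSSL 1.1.1 or newer CLI on PATH; the certificates it inspects are throwaway self-signed ones it generates itself.

```shell
#!/bin/sh
# Added example, not part of the article or of Let's Encrypt's tooling.
# Audits a PEM certificate for the two properties the announcement changes:
# whether it carries the TLS Web Client Authentication EKU (dropped from
# Generation Y issuance) and whether it is close enough to expiry that a
# renewal job must run (45-day lifetimes need a tighter check window).
# Assumes an OpenSSL 1.1.1+ CLI on PATH; the demo certificates are throwaway
# self-signed ones generated below, not Let's Encrypt certificates.
set -eu

# Returns 0 when the certificate asserts the TLS client authentication EKU.
has_client_auth() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
        | grep -q 'TLS Web Client Authentication'
}

# Returns 0 when the certificate expires within the next $2 days.
expires_within_days() {
    # -checkend exits 0 only if the cert is still valid after that many seconds.
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Throwaway self-signed cert: $1=output path, $2=validity days,
# $3=EKU list, e.g. "serverAuth,clientAuth" or "serverAuth".
make_demo_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1" -days "$2" -subj "/CN=demo.example" \
        -addext "extendedKeyUsage=$3" 2>/dev/null
}

# One-line verdict per certificate, suitable for a cron-driven audit.
audit_cert() {
    eku="serverAuth only"
    has_client_auth "$1" && eku="has clientAuth EKU (check before the Gen Y switch)"
    due="renewal not yet due"
    expires_within_days "$1" "$2" && due="renew now"
    echo "$1: $eku; $due (window: $2 days)"
}

DEMO_DIR=$(mktemp -d)
make_demo_cert "$DEMO_DIR/legacy.pem" 90 "serverAuth,clientAuth"
make_demo_cert "$DEMO_DIR/gen-y-style.pem" 45 "serverAuth"
audit_cert "$DEMO_DIR/legacy.pem" 30
audit_cert "$DEMO_DIR/gen-y-style.pem" 30
```

Point `audit_cert` at the certificate files your servers actually serve to see which deployments depend on the clientAuth EKU and which need a shorter renewal interval.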

'We're rolling out changes gradually, leveraging ACME profiles to give users control over when these changes take effect. Most users won't need to do anything,' said Matthew McFerrin, site reliability engineer at Let's Encrypt.

in Web Service, Posted by log1i_yk