Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The CA/Browser Forum set 47-day certificates as target for 2029. Let’s Encrypt decided to implement it a year earlier. In December 2025, Let’s Encrypt announced their roadmap to cut certificate lifetimes from 90 days to 45 days by February 2028, a full year ahead of the industry mandate. It’s exactly what we’d expect from the CA that made automation mandatory from day one.

When you’re managing a handful of certificates, one big list works fine. Add a few dozen more and things get messy. Add multiple teams or projects and you’ve got a problem. Who should have access to the production certificates? What about staging? Does the contractor working on the marketing site really need to see your internal infrastructure? CertKit now supports multiple applications from our roadmap to help you sort this out.

It seems like every service wants proof you control your domain. Certificate authorities need it to issue certificates. Email platforms need it to authorize sending. Analytics needs it to gather data. Just add this magic TXT record to your DNS, wait for propagation, click verify. It works fine when it’s a one-time setup, but certificate lifetimes are dropping to 47 days, and you won’t be able to keep up on that schedule.

We just published the CertKit roadmap.

There’s a particular flavor of skepticism that shows up whenever someone suggests using Let’s Encrypt. The security team crosses their arms. “Free certificates? For production? We’re a serious organization. We use Sectigo.” I get it. You’ve been buying certificates from the same vendors for twenty years. They send you invoices, you pay them, certificates appear. It feels responsible, and free feels like a trap. But is it?

With the ACME protocol, to issue a certificate you have to prove you control the domain. The CA gives you a challenge, you complete it, and they issue your cert. The trouble is that every validation method has tradeoffs. And as certificate lifetimes get shorter, those tradeoffs will get more painful. DNS-PERSIST-01 is a new approach coming in 2026 that trades proof-of-freshness for easier operations.

You’ve used wildcard certificates for years. It made your life easier. Once a year you’d renew your wildcard certificate, and copy it around to all the servers. It was way too complicated and expensive to get a unique certificate for every system. But now certificate lifetimes are shrinking to 47 days by 2029 and it’s not going to work anymore. You need to automate your certificates. Soon.

We shipped some big updates this week!

In 2015, only about 40% of websites used HTTPS. Today HTTPS is used over 95% of the time. The ACME protocol made that shift possible. The Automatic Certificate Management Environment (ACME) protocol enables software to automatically prove domain control to a certificate authority without any human involvement. No more generating CSRs by hand. No more copy-pasting into web forms. No more waiting for validation emails. ACME largely solved certificate issuance.

For twenty years, a stolen private key was a disaster. It meant total compromise. Every encrypted conversation, password transmitted, API call ever made was readable. Traffic was being recorded all the time, “just in case” your private key leaked out. The NSA even had a name for it: “harvest now, decrypt later.” Record all the encrypted traffic today. Steal the private keys tomorrow. Decrypt everything retroactively.