LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Important Changes Ahead: Let’s Encrypt to Update Root Certificates and Discontinue Client Auth

On May 13, 2026, Let’s Encrypt will migrate to its Generation Y certificate hierarchy, a significant change in its operations. On that date the default ACME profile switches to issuing from the new root certificates, which affects the classic profile that most hosting operators and their customers use. A new opt-in 45-day certificate option will also be introduced on the same date, and client authentication certificates will be removed entirely by July 8, 2026. Hosting providers must ensure that their renewal automation can handle this transition.

Let’s Encrypt is the world’s largest certificate authority, issuing around ten million certificates daily as of late 2025, protecting nearly one billion websites. The significance of this transition is underscored by the fact that approximately 80% of HTTPS connections globally, and around 95% in the US, are secured by Let’s Encrypt, making this change particularly critical for many web hosts.

Understanding Generation Y

The Generation Y hierarchy consists of two new root certificate authorities and six intermediate CAs. Both roots trim certificate fields to reduce TLS handshake size and are scoped to server authentication only, since client authentication has been dropped. Generation Y certificates will still be cross-signed by the existing roots, so systems that trust those roots keep working unless they pin specific intermediate certificates.

Following the introduction of named ACME profiles in January 2025, the upcoming changes affect how certificates are issued. The classic profile will automatically switch to Generation Y intermediates, and the other profiles will adapt accordingly. Those using the “tlsserver” profile will move to 45-day certificates, while the short-lived profile keeps its 160-hour certificate validity unchanged.
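Renewal automation built around 90-day certificates can quietly become too slow once a profile issues 45-day or 160-hour certificates. The check below is an added example (not code from the article or from Let’s Encrypt): it assumes renewal is attempted once two thirds of the lifetime has elapsed (the convention used for 90-day certificates) and that the classic profile keeps a 90-day lifetime, then reports how many consecutive failed renewal runs a given job interval can absorb before the certificate expires.

```python
"""Check whether a renewal job runs often enough for each ACME profile."""

# Certificate lifetimes in hours per profile. The 45-day and 160-hour values
# come from the announcement; 90 days for "classic" is an assumption.
LIFETIME_HOURS = {
    "classic": 90 * 24,
    "tlsserver": 45 * 24,
    "shortlived": 160,
}

# Assumption: renewal is first attempted at two thirds of the lifetime.
RENEW_AT = 2 / 3


def renewal_slack_hours(lifetime_hours: float, renew_at: float = RENEW_AT) -> float:
    """Hours between the first renewal attempt and expiry: the retry budget."""
    return lifetime_hours - lifetime_hours * renew_at


def max_tolerated_failures(profile: str, interval_hours: float) -> int:
    """Consecutive failed runs (ACME outage, rate limit, DNS hiccup) the schedule
    can absorb for this profile before the certificate expires.

    The first run inside the window may happen up to interval_hours after the
    renewal point, and each retry costs another interval. Returns -1 when even
    a single run can land too late, i.e. the interval exceeds the slack."""
    slack = renewal_slack_hours(LIFETIME_HOURS[profile])
    runs_before_expiry = int(slack // interval_hours)
    return runs_before_expiry - 1


def schedule_report(interval_hours: float, required_failure_budget: int = 1) -> dict:
    """Map each profile to whether the schedule leaves at least the required
    number of retries; False means the job must run more often for that profile."""
    return {
        profile: max_tolerated_failures(profile, interval_hours) >= required_failure_budget
        for profile in LIFETIME_HOURS
    }


if __name__ == "__main__":
    for label, hours in (("weekly", 7 * 24), ("daily", 24), ("every 6h", 6)):
        print(f"{label:9s} {schedule_report(hours, required_failure_budget=2)}")
```

A weekly job that is fine for classic certificates leaves no retry at all for the short-lived profile, which is the kind of gap to find before the classic profile and the new 45-day option go live.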

Impact on Client Authentication

Let’s Encrypt is making this change because of a Google Chrome requirement that TLS client and server authentication be separated. Any system that relies on Let’s Encrypt certificates for client authentication, such as mutual TLS configurations or XMPP server authentication, will fail after July 8. Organizations that intend to keep using certificates for these purposes need to move to a different certificate authority before that deadline.

Since January 15, 2026, short-lived 160-hour certificates and IP address certificates have been generally available. The short-lived certificates eliminate the delays inherent in revocation infrastructure, and IP address certificates support both IPv4 and IPv6, with their lifetime tied to the frequency of revalidation.

Further details on these changes can be found on the official Let’s Encrypt pages Introducing the Generation Y Certificate Hierarchy and Upcoming Changes to Let’s Encrypt Certificates.
