This technical article examines X.509 certificate revocation practices in light of recent changes by the CAB Forum and Let's Encrypt. It explains PKI fundamentals—how digital certificates establish trust between unknown parties—and discusses the mechanisms for revoking certificates before expiration (CRL, OCSP). Recent policy changes, including Let's Encrypt's shift to 90-day certificate validity and upcoming May 2026 changes, have fundamentally altered how domain name certificates are managed and validated.
Infrastructure
Revocation of X.509 certificates
Let's Encrypt and the CAB Forum are reshaping X.509 revocation by adopting shorter certificate lifespans (90 days) and May 2026 policy changes that reduce reliance on traditional CRL/OCSP mechanisms.
Saturday, April 25, 2026 12:00 PM UTC | 2 min read | Source: Lobsters | By sys://pipeline