Security News > 2020 > March > Let's Encrypt Will Not Replace 1 Million Bug-Affected Certificates
Free and open certificate authority Let's Encrypt has decided that it will not revoke one million of the certificates affected by the recent CAA recheck bug.
A total of 3,048,289 certificates were supposed to be revoked, but Let's Encrypt ultimately decided to leave 1 million of them unreplaced at this time.
"We announced the plan to revoke because even though the vast majority of the certificates in question do not pose a security risk, industry rules require that we revoke certificates not issued in full compliance with specific standards," explains Josh Aas, executive director of ISRG, the entity behind Let's Encrypt.
Working with subscribers worldwide, Let's Encrypt was able to replace 1.7 million of the affected certificates in less than 48 hours.
The certificates offered by Let's Encrypt have a 90-day lifespan, meaning that any certificates that are potentially affected but not revoked will not be in the ecosystem for too long.