Series · Public Sector TLS Trends · Part 4

Public Sector TLS Trends, Week of 2026-05-26

Bill Church

May 26, 2026

Twelve .mil hosts that shared a 2026-06-03 Let’s Encrypt expiration all rotated on the same day to a new synchronized 2026-08-17 expiry. The batch renewal confirms the single-CDN-tenant issuance pattern flagged in the OCSP deep-dive: these are not twelve independent cert management decisions, but one Akamai automation running across a dozen DoD public web properties.

Headline numbers

Metric                     Prior week   This week   Delta
Reachable hosts                   104         104      +0
OCSP URL present                   66          66      +0
CRL URL present                   101         101      +0
Let's Encrypt leaves               34          34      +0
Validity > 200 days                39          37      -2
Validity <= 100 days               50          50      +0

The headline counters held flat across every dimension except the over-200-day bucket, which dropped by 2 as a cabinet-level civilian agency and a DIB services contractor each renewed from grandfathered 364+ day certs down to 198 days. Over the three-capture trendline since the 2026-05-11 refresh, validity over 200 days has fallen from 42 to 37: five fewer legacy leaves in the dataset, all replaced at SC-081v3-compliant windows. No movement in the other direction. OCSP and CRL coverage held steady; the Let's Encrypt share is unchanged. Comparison window: 2026-05-17 to 2026-05-26.

What rotated this week

Twenty-one leaves rotated in the nine-day window between captures, the highest count for a single capture interval in the series. Twelve of those are the .mil batch.

  • The .mil batch rotation. Twelve .mil hosts on the Akamai/Let’s Encrypt tenant rotated simultaneously from a 2026-06-03 expiry to a 2026-08-17 expiry. All twelve share the same Not Before date (2026-05-19), the same Let’s Encrypt R12 intermediate, and the same 89-day validity. The prior batch carried the same structure: identical issuance day, identical expiry, identical CA intermediate. This is the second consecutive synchronized rotation for this cohort, and it pushes the batch-issuance claim from “strong inference” to “confirmed pattern.”
  • A cabinet-level civilian energy agency renewed from a 391-day Entrust leaf to a 198-day Entrust leaf, switching Entrust intermediates in the process (from the SSL Corporation-branded CA 1 to the Entrust Limited-branded CA 2). The agency stayed in the Entrust issuer family even though Chrome and Mozilla stopped trusting TLS certificates issued under Entrust's own roots in late 2024, which is why Entrust-branded TLS leaves now chain to other roots (SSL.com's in particular). Validity dropped by 193 days, landing cleanly under the 200-day cap that SC-081v3 applies to certificates issued on or after 2026-03-15.
  • A DIB services contractor whose 364-day DigiCert leaf we flagged last week as expiring 2026-05-19 renewed at 198 days on the same DigiCert G2 RSA issuer. This is the first DIB-sector leaf in the dataset to step down from grandfathered validity to the SC-081v3 cap, extending the pattern that appeared in the civilian cohort two weeks ago.
  • Four civilian sites and one DIB prime rotated short-validity leaves on Google Trust Services and Let’s Encrypt on schedule. No posture changes across any of those rotations. A Fastly-fronted DIB services site refreshed its 29-day Certainly leaf, also routine. One .mil combatant command site rotated within the Microsoft TLS intermediate family at 180-day validity.

Tailwind Assessment: The .mil batch rotation is now a confirmed two-cycle pattern. Twelve hosts, one CDN tenant, one issuance event, one expiration cliff. Any disruption to that Akamai/Let's Encrypt automation (CA policy change, contract transition, ACME failure) would leave a dozen defense web properties with expired certificates on the same day. Operators managing similar CDN-level cert automation should verify their monitoring covers batch failure, not just individual host expiry: group hosts that share an issuer, Not Before and Not After, and treat the cohort's expiry as one deadline rather than twelve independent ones.
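As an added example (not code from the post or from Tailwind's own tooling), here is the batch-aware check the assessment asks for, written in Python over constructed leaf records: it groups leaves that share an issuer, a Not Before day and a Not After day into cohorts, emits one alert per cohort whose shared expiry falls inside a monitoring horizon, and compares each leaf's validity with the cap SC-081v3 allowed on its issuance day. The hostnames, issuer labels and dates are constructed for illustration and are not the dataset's hosts.

```python
"""Batch-aware certificate expiry monitoring (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Leaf:
    host: str
    issuer: str          # issuing intermediate label, e.g. "Let's Encrypt R12"
    not_before: datetime
    not_after: datetime


def validity_days(leaf: Leaf) -> int:
    """Whole days between Not Before and Not After (truncating, like most scanners)."""
    return (leaf.not_after - leaf.not_before).days


def sc081v3_cap(issued: date) -> int:
    """Maximum leaf validity (days) CA/B Forum ballot SC-081v3 allows for a
    certificate issued on `issued`: 398 before 2026-03-15, then 200, 100, 47."""
    if issued >= date(2029, 3, 15):
        return 47
    if issued >= date(2027, 3, 15):
        return 100
    if issued >= date(2026, 3, 15):
        return 200
    return 398


def over_cap(leaf: Leaf) -> bool:
    """True if the leaf was longer than its issuance-day cap permitted.
    A grandfathered 396-day leaf issued in 2025 is long, but not over cap."""
    return validity_days(leaf) > sc081v3_cap(leaf.not_before.date())


def find_batches(leaves, min_size=2):
    """Group leaves by (issuer, Not Before day, Not After day).
    Hosts that share all three were almost certainly issued by one automation run."""
    groups = defaultdict(list)
    for leaf in leaves:
        groups[(leaf.issuer, leaf.not_before.date(), leaf.not_after.date())].append(leaf)
    return {k: v for k, v in groups.items() if len(v) >= min_size}


def batch_expiry_alerts(leaves, as_of: datetime, horizon_days=30):
    """One alert per batch whose shared Not After is within `horizon_days` of `as_of`.
    Per-host monitors emit one line per host and hide that they all fail together;
    this reports the cohort, its expiry and its size instead."""
    deadline = as_of + timedelta(days=horizon_days)
    alerts = []
    for (issuer, _nb, na), members in find_batches(leaves).items():
        expiry = members[0].not_after
        if expiry <= deadline:
            alerts.append({
                "issuer": issuer,
                "not_after": na,
                "days_left": (expiry - as_of).days,
                "hosts": sorted(m.host for m in members),
            })
    return alerts


def _le_leaf(host: str, not_before: datetime) -> Leaf:
    # Constructed Let's Encrypt-style leaf: Not After is Not Before + 90 days - 1 s,
    # which is why truncating day arithmetic reports 89 days for such leaves.
    return Leaf(host, "Let's Encrypt R12", not_before,
                not_before + timedelta(days=90, seconds=-1))


# Constructed sample: four hosts behind one CDN tenant issued in the same run,
# one 198-day renewal, and one still-unrotated 396-day leaf issued in 2025.
BATCH_NOT_BEFORE = datetime(2026, 5, 19, 9, 0, tzinfo=UTC)
SAMPLE_LEAVES = [
    _le_leaf("www1.example", BATCH_NOT_BEFORE),
    _le_leaf("www2.example", BATCH_NOT_BEFORE),
    _le_leaf("www3.example", BATCH_NOT_BEFORE),
    _le_leaf("www4.example", BATCH_NOT_BEFORE),
    Leaf("energy.example", "Entrust CA 2",
         datetime(2026, 5, 19, tzinfo=UTC), datetime(2026, 12, 3, tzinfo=UTC)),
    Leaf("finance.example", "Entrust CA 1",
         datetime(2025, 10, 8, tzinfo=UTC), datetime(2026, 11, 8, tzinfo=UTC)),
]
CAPTURE_DATE = datetime(2026, 5, 26, tzinfo=UTC)      # the issue's capture date
PRE_CLIFF_CHECK = datetime(2026, 8, 1, tzinfo=UTC)    # a check run 16 days before the cliff

if __name__ == "__main__":
    for key, members in find_batches(SAMPLE_LEAVES).items():
        print(f"batch {key}: {len(members)} hosts, {validity_days(members[0])} days")
    for a in batch_expiry_alerts(SAMPLE_LEAVES, PRE_CLIFF_CHECK):
        print(f"ALERT {a['issuer']} expires {a['not_after']} in {a['days_left']}d "
              f"for {len(a['hosts'])} hosts: {', '.join(a['hosts'])}")
    for leaf in SAMPLE_LEAVES:
        print(f"{leaf.host}: {validity_days(leaf)}d, over cap: {over_cap(leaf)}")
```

Run as-is it prints one four-host batch at 89 days, a single cohort alert 16 days before the 2026-08-17 cliff, and no over-cap findings, since the 396-day leaf was legal on its 2025 issuance day. Swap `SAMPLE_LEAVES` for records parsed from a real scan and the same functions apply; the grouping key is deliberately date-granular so that issuance runs spread over a few seconds still collapse into one cohort.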

Expirations and renewals

One leaf in the dataset expires inside the next 14 days: a DIB prime on a 29-day Certainly cert expiring 2026-06-09, which will rotate routinely through Fastly.

The more interesting upcoming expirations sit in the three-to-five-week window. A DIB prime on a 396-day DigiCert leaf expires 2026-06-28. A GSE-sector postal site on a 365-day Sectigo OV leaf expires 2026-06-26. The renewal decisions at those two sites will show whether SC-081v3-compliant validity is propagating beyond the civilian cabinet and DIB services tiers where we have already seen it land.

The longest-duration Entrust leaves at civilian cabinet sites remain unrotated. One cabinet-level finance site carries a 396-day Entrust leaf expiring 2026-11-08; the question remains whether that operator moves off Entrust before natural expiry or waits for the forced renewal.

What to watch next week

  • The GSE postal site (Sectigo OV, 365 days, expires 2026-06-26) and the DIB prime (DigiCert, 396 days, expires 2026-06-28). A 198-day renewal at either confirms SC-081v3 momentum in sectors that have not yet shown it.
  • Whether any CA in the dataset besides Let’s Encrypt and Certainly drops OCSP URLs from its default issuance profile. None has yet.
  • The new .mil batch expiration of 2026-08-17 is 83 days out. The last rotation landed 15 days ahead of the 2026-06-03 expiry, so if that cadence holds, the next synchronized rotation should fall in the first days of August, around 2026-08-02.

Methodology in Issue 0.

Tags: tls, web-pki, federal
Bill Church, Vice President, Engineering & Services