Series · Public Sector TLS Trends · Part 5

Public Sector TLS Trends, Bi-Weekly Update for 2026-06-09

Bill Church

June 9, 2026

A scheduling note before the data: this series moves to a bi-weekly cadence starting with this issue. The capture window doubles to two weeks, the headline table and chart stay the same, and the comparison runs capture-to-capture across fourteen days rather than seven. The next update lands the week of 2026-06-23.

Two weeks ago this tracker flagged a GSE-sector postal site on a 365-day Sectigo OV leaf, expiring 2026-06-26, as the next test of whether the SC-081v3 validity cap was reaching sectors that had not yet moved. It renewed at 198 days. The cap reached the next cohort on schedule, and it did not arrive alone: two civilian cabinet-level sites stepped down in the same window, and the count of leaves carrying more than 200 days of validity fell from 37 to 34.

Headline numbers

Metric                  2026-05-26   2026-06-09   Delta
Reachable hosts                104          104      +0
OCSP URL present                66           65      -1
CRL URL present                101          101      +0
Let’s Encrypt leaves            34           35      +1
Validity > 200 days             37           34      -3
Validity <= 100 days            50           49      -1

The validity cliff is the story again. Leaves over 200 days have now fallen across four consecutive captures: 42 at the 2026-05-11 refresh, then 39, then 37, now 34. Eight grandfathered leaves retired to compliant windows in a month, with none moving the other way. The dataset is also converging on 198 days from two directions. Three long-validity leaves stepped down to 198 this window, and one civilian health agency that had been sitting on an 88-day leaf renewed up to 198. The SC-081v3 ceiling is becoming the default target, not just a line that long certs fall under.

OCSP URL coverage slipped by one to 65, matching the series low last seen at the 2026-05-11 capture. The cause this time differs from a routine short-cert refresh, and it earns a paragraph of its own below.

What rotated this window

Fourteen leaves rotated across the two-week window.

  • The validity cap reached the postal sector. The GSE-sector postal site flagged in the prior tracker renewed from a 365-day Sectigo OV leaf to 198 days on the same Sectigo OV issuer. This is the first GSE-sector step-down in the series, and it lands the prediction made two weeks ago. A cabinet-level civilian agency dropped from a 391-day DigiCert leaf to 198 in the same window, and a civilian financial-regulator site dropped from a 365-day DigiCert ECC leaf to 198. All three landed cleanly under the cap.
  • A CA migration, not a new deployment, drove the OCSP loss. A legislative-branch civilian site moved its leaf off Google Trust Services and onto Let’s Encrypt. The new Let’s Encrypt leaf carries no OCSP URL, so OCSP coverage fell by one and the Let’s Encrypt leaf count rose by one in the same rotation. Every earlier increase in the no-OCSP cohort came from sites that were already on Let’s Encrypt. This is the first time the tracker has watched a site cross CA families into the post-OCSP set.
  • Let’s Encrypt is rotating onto a new intermediate generation. Three Let’s Encrypt leaves (one civilian, two .mil) rotated onto previously unseen Let’s Encrypt intermediate CAs, a naming generation distinct from the R12, R13, E7, and E8 intermediates the dataset has tracked so far. The issuer strings changed; the posture did not. The new intermediates ship the same no-OCSP, CRL-present profile as the old ones.
  • Routine refreshes. Fastly rotated its own 29-day Certainly leaf on schedule, clean as always. Two DIB sites on 29-day Certainly leaves and several civilian sites on Google Trust Services and DigiCert refreshed with no posture change. One large civilian health-sector property moved from agency-hosted nginx to Cloudflare between captures.

Tailwind Assessment: The no-OCSP cohort now grows by two distinct mechanisms. The first is new Let’s Encrypt issuance, which the series has tracked since Issue 0. The second, visible for the first time this window, is an existing site migrating CA families into Let’s Encrypt and dropping its OCSP URL in the process. Operators who assume their revocation posture is fixed at deployment should note that a routine CA change can move a site into the structurally uncheckable set without anyone deciding to make that trade.
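As an added example (not code from this tracker or its author), the Go program below shows the classification behind the headline table and the capture-to-capture diff that surfaces the CA-migration case: it parses a leaf with the standard library, reads OCSP and CRL pointers straight off the parsed certificate, derives the six headline counts, and reports every host whose posture changed between two captures. The hostnames, the issuer strings marked "(constructed)", the dates and the .invalid URLs are constructed fixtures; matching Let's Encrypt on the issuer organization is an assumed rule, not the series' published methodology.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Posture is the per-leaf view the headline table is built from.
type Posture struct {
	Host, Issuer                         string
	OCSPPresent, CRLPresent, LetsEncrypt bool // AIA OCSP URL, CRL DP extension, issuer family
	ValidityDays                         int  // NotAfter minus NotBefore, in whole days
}

// Classify derives a Posture from a parsed leaf; Go's x509 parser already splits AIA into OCSPServer and IssuingCertificateURL.
func Classify(host string, c *x509.Certificate) Posture {
	// Matching on the issuer organisation is an assumed rule, not the series' methodology.
	le := len(c.Issuer.Organization) > 0 && c.Issuer.Organization[0] == "Let's Encrypt"
	return Posture{Host: host, Issuer: c.Issuer.CommonName, LetsEncrypt: le,
		OCSPPresent: len(c.OCSPServer) > 0, CRLPresent: len(c.CRLDistributionPoints) > 0,
		ValidityDays: int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)}
}

// Headline holds one capture's counts in the table's column order:
// reachable, OCSP URL present, CRL URL present, Let's Encrypt, >200 days, <=100 days.
type Headline [6]int

func Summarize(ps []Posture) (h Headline) {
	for _, p := range ps {
		hits := [6]bool{true, p.OCSPPresent, p.CRLPresent, p.LetsEncrypt, p.ValidityDays > 200, p.ValidityDays <= 100}
		for i, hit := range hits {
			if hit {
				h[i]++
			}
		}
	}
	return h
}

// Rotated returns the before/after pair for every host seen in both captures whose posture changed.
// A CA migration that drops the OCSP URL shows up as OCSPPresent going true -> false.
func Rotated(prev, cur []Posture) map[string][2]Posture {
	before := map[string]Posture{}
	for _, p := range prev {
		before[p.Host] = p
	}
	out := map[string][2]Posture{}
	for _, c := range cur {
		if p, ok := before[c.Host]; ok && p != c {
			out[c.Host] = [2]Posture{p, c}
		}
	}
	return out
}

// must panics on error; acceptable for building constructed fixtures, not for a scanner.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var ocspURL = []string{"http://ocsp.example.invalid"} // constructed; .invalid is a reserved TLD

// mintLeaf builds a constructed leaf so the example runs offline: the issuer is a throwaway
// parent template signed with the leaf's own key. A real capture parses the leaf the host serves.
func mintLeaf(host, issuerCN, issuerOrg, notBefore string, days int, ocsp []string) Posture {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	start := must(time.Parse("2006-01-02", notBefore))
	leaf := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: host}, NotBefore: start, NotAfter: start.AddDate(0, 0, days),
		OCSPServer: ocsp, CRLDistributionPoints: []string{"http://crl.example.invalid/leaf.crl"}}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN, Organization: []string{issuerOrg}}}
	der := must(x509.CreateCertificate(rand.Reader, leaf, parent, &key.PublicKey, key))
	return Classify(host, must(x509.ParseCertificate(der)))
}

// SampleCaptures builds two constructed captures reproducing two patterns from the text: a 365 -> 198
// step-down on the same issuer, and a GTS -> Let's Encrypt migration that drops the OCSP URL.
func SampleCaptures() (prev, cur []Posture) {
	prev = []Posture{
		mintLeaf("postal.example", "Sectigo OV (constructed)", "Sectigo Limited", "2025-06-26", 365, ocspURL),
		mintLeaf("legislative.example", "GTS (constructed)", "Google Trust Services", "2026-03-01", 90, ocspURL),
		mintLeaf("dib-prime.example", "DigiCert (constructed)", "DigiCert Inc", "2025-05-28", 396, ocspURL),
	}
	cur = []Posture{
		mintLeaf("postal.example", "Sectigo OV (constructed)", "Sectigo Limited", "2026-06-01", 198, ocspURL),
		mintLeaf("legislative.example", "R13", "Let's Encrypt", "2026-06-02", 90, nil),
		prev[2], // the DIB prime is still unrotated
	}
	return prev, cur
}

func main() {
	prev, cur := SampleCaptures()
	fmt.Println("headline counts:", Summarize(prev), "->", Summarize(cur))
	fmt.Printf("rotated: %+v\n", Rotated(prev, cur))
}
```

The diff in Rotated is the piece a deployment-time inventory lacks: the legislative host is "OCSP URL present" in the first capture and absent in the second without ever being a new deployment, which is exactly the mechanism the assessment above describes.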

Expirations and renewals

No leaf in the dataset expires inside the next 14 days. The nearest is a DIB prime on a 396-day DigiCert leaf expiring 2026-06-28, the same leaf flagged in the prior tracker and still unrotated. A second DIB prime on a 378-day DigiCert leaf expires 2026-07-08. Those two renewals are the next test of whether the validity cap is propagating into the DIB prime tier, which has not yet shown a step-down.

On the civilian side, three cabinet and independent-agency leaves remain in the Entrust issuer family, the longest a 396-day leaf expiring 2026-11-08. The Entrust root-program uncertainty in Mozilla and Chrome still overlays those renewals. Those operators can move off Entrust before natural expiry or wait for the forced renewal; which path they take is unresolved.

What to watch next update

  • The two DIB primes on 396-day and 378-day DigiCert leaves (expiring 2026-06-28 and 2026-07-08). A 198-day renewal at either is the first DIB-prime step-down in the series.
  • Whether the new Let’s Encrypt intermediate generation spreads to more of the .mil Akamai cohort at its next synchronized rotation, expected late July.
  • Any further CA migrations that move sites into the no-OCSP cohort, now that the mechanism has appeared once.

Methodology in Issue 0.

Bill Church

Vice President, Engineering & Services