Let’s Encrypt begins issuing IP address certificates


Let’s Encrypt, the non-profit certificate authority, is now issuing certificates for IP addresses following years of requests for the feature.

The certificate authority previously only issued certificates for domain names, forcing users requiring IP address certificates to seek alternatives from the limited number of certificate authorities offering this option.

While IP addresses are fundamental to internet infrastructure, most users rarely interact with them directly and instead use domain names. The Domain Name System (DNS) functions behind the scenes to translate these human-readable domain names into their corresponding IP addresses.

Traditionally, SSL/TLS certificates have been issued for domain names rather than IP addresses because they represent how users typically identify and access online services. Domain names also offer more flexibility, allowing services to change their hosting location or use multiple servers without requiring new certificates.

Why IP address certificates matter

While most organisations won’t need IP address certificates, they’re crucial for specific applications. They enable more secure infrastructure operations, especially in cloud environments and for IoT deployments where domain names may not be practical.

IP address certificates have been less common for several reasons. First, the ephemeral nature of IP addresses makes them less stable identifiers than domain names. Many internet users – particularly those with residential connections – have dynamic addresses that change periodically, complicating certificate management.

Second, the ownership of IP addresses is often temporary and less definitive than domain ownership. Finally, most online services don’t expect users to connect directly via IP address, making certificates for these addresses unnecessary in typical scenarios.

Despite these limitations, Let’s Encrypt has identified several valuable applications for IP address certificates:

  • Hosting providers can now secure default pages that appear when users enter a server’s IP address directly into their browser, replacing error messages with secure content.
  • Users without domain names can secure their websites, albeit with some limitations compared to domain-based solutions.
  • DNS over HTTPS (DoH) and other infrastructure services can establish more secure connections, as certificates make it easier for DoH servers to verify their identity to clients.
  • Home devices such as network-attached storage servers and IoT devices can be secured even without associated domain names.
  • Cloud infrastructure can benefit from secured ephemeral connections between back-end servers or for administrative access to short-lived servers.

Technical implementation

Let’s Encrypt has placed specific requirements on IP address certificates, most notably that they must be short-lived, with a validity period of only about six days. This requirement addresses the concerns about the changing nature of IP address assignments.

Short-lived certificates represent a more secure approach. The brief validity period mitigates risks associated with IP address reassignments and reduces the potential attack surface.

Currently, IP address certificates are available in Let’s Encrypt’s staging environment, with production availability expected later in 2025, coinciding with the general release of short-lived certificates. Prior to full availability, Let’s Encrypt plans to work with selected partners to gather feedback.

Users seeking these certificates must ensure their ACME client software supports the draft ACME Profiles specification and is configured for the short-lived profile. Additionally, certificate requesters must use either the http-01 or tls-alpn-01 challenge methods to prove control over the IP address, as DNS challenges are not applicable in this context.

While many Let’s Encrypt client applications should already support requesting certificates for IP addresses, some may require updates or configuration changes to accommodate the new requirements.
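As an added illustration (not code from Let's Encrypt or any ACME client), the sketch below shows what these requirements look like on the wire: an order for IP identifiers as defined in RFC 8738, the profile field from the draft ACME Profiles specification, and a filter that keeps only the http-01 and tls-alpn-01 challenges. The profile name "shortlived", the sample addresses and the tokens are assumptions made for the example.

```python
import ipaddress

# Challenge types that can prove control of an IP address; dns-01 cannot.
IP_CHALLENGES = ("http-01", "tls-alpn-01")


def ip_identifier(addr):
    """RFC 8738 identifier object: type "ip", address in canonical text form."""
    ip = ipaddress.ip_address(addr)  # ValueError for hostnames or garbage
    return {"type": "ip", "value": ip.compressed}


def new_order_payload(addrs, profile="shortlived"):
    """newOrder body; "profile" is the field added by the draft ACME Profiles
    spec. The name "shortlived" is an assumption: read the CA's directory."""
    return {"identifiers": [ip_identifier(a) for a in addrs], "profile": profile}


def usable_challenges(authorization):
    """Drop any challenge type that cannot validate an IP identifier."""
    if authorization["identifier"]["type"] != "ip":
        raise ValueError("not an IP address authorization")
    return [c for c in authorization["challenges"] if c["type"] in IP_CHALLENGES]


def tls_alpn_sni(addr):
    """RFC 8738: tls-alpn-01 validation of an IP sends its reverse-DNS name as SNI."""
    return ipaddress.ip_address(addr).reverse_pointer


# Constructed sample authorization (documentation address, placeholder tokens).
SAMPLE_AUTHZ = {
    "identifier": {"type": "ip", "value": "203.0.113.10"},
    "challenges": [
        {"type": "dns-01", "token": "constructed-token-a"},
        {"type": "http-01", "token": "constructed-token-b"},
        {"type": "tls-alpn-01", "token": "constructed-token-c"},
    ],
}

if __name__ == "__main__":
    print(new_order_payload(["203.0.113.10", "2001:0DB8:0:0:0:0:0:1"]))
    print([c["type"] for c in usable_challenges(SAMPLE_AUTHZ)])
    print(tls_alpn_sni("203.0.113.10"))
```

A server answering tls-alpn-01 for an IP address has to match the reverse-DNS SNI value rather than a hostname, which is one of the configuration changes an existing deployment may need.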

This expansion of Let’s Encrypt’s offerings to support IP address certificates addresses specific needs within the technical community while maintaining the organisation’s commitment to providing free, automated, and open certificate services.

(Image by Mohamed Hassan)
