Let’s Encrypt has begun issuing SSL/TLS certificates for IP addresses, a feature long-requested by users but previously unavailable from the popular certificate authority.
This rollout marks an important expansion in Let’s Encrypt’s services, which historically focused on domain name certificates, enabling enhanced security options for use cases that require direct IP address authentication.
Technical Context of IP Address Certificates
IP addresses serve as the fundamental numerical identifiers for devices on the Internet, supporting connectivity through IPv4 and IPv6 formats such as 54.215.62.21 or 2600:1f1c:446:4900::65, respectively.
While domain names like letsencrypt.org abstract these numerical addresses for user convenience, underlying network operations depend on IP addresses for routing data packets.
Traditionally, SSL/TLS certificates have been issued for domain names because they align with user behavior and the Domain Name System (DNS), which maps human-readable domains to their associated IP addresses.
This approach provides flexibility, allowing services to shift IP addresses without invalidating certificates.
Despite the technical standards permitting certificates for IP addresses, their issuance has been rare due to numerous challenges.
IP addresses can change frequently, especially dynamically assigned addresses used in residential or cloud environments, complicating ownership validation and certificate lifecycle management.
Additionally, since most users access services via domains, certificates tied solely to IP addresses have limited applicability.
Furthermore, infrastructural configurations like shared IP hosting can render IP-based certificates less practical.
Practical Use Cases
According to the report, Let’s Encrypt’s decision to offer IP address certificates addresses niche but critical scenarios where direct IP authentication is necessary or more convenient.
Examples include default web landing pages on hosting providers accessed by IP, websites without a registered domain name, securing DNS over HTTPS (DoH) services where IP-level identity confirmation strengthens client-server trust, and securing remote access to home or IoT devices lacking domains.
It also supports ephemeral cloud infrastructure connections where back-end servers may not have persistent DNS entries but do have stable public IP addresses.
To maintain security and practical manageability, Let’s Encrypt restricts IP address certificates to short-lived validity periods of about six days.
This approach encourages automation and rapid renewal, aligning with modern certificate management best practices.
The certificates require the use of ACME clients supporting the draft ACME Profiles specification, specifically configured for the short-lived profile.
Importantly, the DNS challenge method for domain validation is not supported for IPs; only HTTP-01 and TLS-ALPN-01 challenge methods are permitted to verify control over the IP address.
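The requirements above, as an added example that is not from the article or from Let's Encrypt: it builds the ACME newOrder body for IP identifiers and drops challenge types that cannot validate an IP. The function names are hypothetical; the `ip` identifier type and the reverse-DNS SNI rule come from RFC 8738, and the `profile` field and the profile name `shortlived` are assumptions taken from the draft ACME Profiles specification and Let's Encrypt's profile naming.

```python
import ipaddress
import json

# Challenge types the article says are permitted for IP identifiers.
IP_CHALLENGES = {"http-01", "tls-alpn-01"}


def acme_identifier(value):
    """Classify a requested name as an ACME 'ip' (RFC 8738) or 'dns' identifier."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return {"type": "dns", "value": value.lower()}
    # str() yields dotted-decimal IPv4 or compressed, lowercase IPv6 text.
    return {"type": "ip", "value": str(addr)}


def new_order_payload(names, profile="shortlived"):
    """Build the newOrder body. 'profile' and its value are assumptions (see lead-in)."""
    return {"profile": profile, "identifiers": [acme_identifier(n) for n in names]}


def usable_challenges(identifier, offered):
    """Keep only the offered challenge types that can validate this identifier."""
    if identifier["type"] == "ip":
        return [c for c in offered if c in IP_CHALLENGES]
    return list(offered)


def tls_alpn_sni(identifier):
    """RFC 8738: TLS-ALPN-01 for an IP uses its reverse-mapping name as the SNI."""
    return ipaddress.ip_address(identifier["value"]).reverse_pointer


if __name__ == "__main__":
    # Constructed input: the article's two sample addresses, the IPv6 one
    # written uncompressed to show normalization.
    order = new_order_payload(["54.215.62.21", "2600:1F1C:0446:4900:0:0:0:65"])
    print(json.dumps(order, indent=2))
    offered = ["dns-01", "http-01", "tls-alpn-01"]  # constructed server offer
    for ident in order["identifiers"]:
        print(ident["value"], usable_challenges(ident, offered), tls_alpn_sni(ident))
```
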
Currently, these IP address certificates are available in Let’s Encrypt’s Staging environment for testing and development.
The general production rollout is planned for later in 2025, coinciding with the broader release of short-lived certificates.
Prior to full availability, select partners may receive allow-listed access to provide feedback and help refine the service.
Users and developers requiring IP address certificates should verify that their ACME clients accommodate these policy and technical requirements, updating or reconfiguring client software as needed.
Let’s Encrypt continues to invite engagement through its community forums to assist with implementation challenges and encourage adoption of the new capability.
Overall, providing SSL/TLS certificates for IP addresses expands the flexibility and security options available to Internet operators, helping secure a broader range of services in today’s diverse and evolving online ecosystem.