Wednesday, April 22, 2026

Let’s Encrypt Now Providing SSL/TLS Certificates for IP Addresses

In a significant development for internet security, Let’s Encrypt, the world’s most widely used Certificate Authority (CA), has begun issuing SSL/TLS certificates for public IP addresses.

This long-requested feature, announced earlier this year, is now available in its staging environment, with general production availability expected later in 2025.

Why IP Address Certificates Matter

Traditionally, SSL/TLS certificates are issued for domain names, as domains are the default way users access websites and online services.

However, there are several cases where certificates for IP addresses are essential:

  • Direct Access: Some web administrators run services directly on public IPs, especially in cloud or IoT environments, where a domain name may not be assigned.
  • Infrastructure Services: DNS over HTTPS (DoH) servers, internal microservices, or cloud backends often need secure communications using only their IP addresses.
  • Fallback and Default Pages: Service providers can present a secure default page when users connect via IP instead of a site name.

Although the technical standards have always allowed IP address certificates, few CAs have offered them. The main reasons are the dynamic nature of IP addresses (they can change unexpectedly and may be reassigned) and the challenge of proving ownership.

Most end-users interact via domains, and IP-level addressing is often hidden from day-to-day browsing.

Technical Requirements and Availability

Let’s Encrypt’s approach has some notable technical details:

  • Short-lived Certificates: IP address certificates will be valid for only 6 days. This increases security and accommodates the transient nature of many public IP assignments.
  • ACME Protocol Support: Issuance requires clients to use the draft ACME Profiles specification and explicitly request the ‘shortlived’ profile.
  • Validation Methods: Only the http-01 and tls-alpn-01 challenge methods are supported. DNS-based validation is not available, because no domain name is involved.
  • Client Support: The most popular ACME client software can already request these certificates, though minor updates may be required.
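
The requirements above, put together as an added example (not code from Let’s Encrypt or from this article): it builds the ACME newOrder payload for an IP identifier with the ‘shortlived’ profile, refuses addresses that are not publicly routable, skips DNS-based challenges, and schedules renewal inside the 6-day lifetime. It assumes the "ip" identifier type from RFC 8738 and a top-level "profile" field as in the draft Profiles specification; the function names and sample values are hypothetical.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

PROFILE = "shortlived"                           # profile name given in the article
ALLOWED_CHALLENGES = ("tls-alpn-01", "http-01")  # DNS-based validation is not available
LIFETIME = timedelta(days=6)                     # validity stated in the article


def build_new_order(ip_text):
    """Build the newOrder payload (before JWS signing) for one public IP."""
    ip = ipaddress.ip_address(ip_text)           # raises ValueError for hostnames
    if not ip.is_global:
        raise ValueError(f"{ip} is not publicly routable; a public CA cannot validate it")
    # str(ip) yields the canonical text form (compressed, lowercase for IPv6).
    return {"identifiers": [{"type": "ip", "value": str(ip)}], "profile": PROFILE}


def pick_challenge(authorization):
    """Return the first offered challenge that is valid for an IP identifier."""
    offered = {c["type"]: c for c in authorization["challenges"]}
    for ctype in ALLOWED_CHALLENGES:
        if ctype in offered:
            return offered[ctype]
    raise ValueError(f"no usable challenge among {sorted(offered)}")


def renew_at(not_before, fraction=0.5):
    """Renewal time for a 6-day certificate; halfway leaves 3 days to retry."""
    return not_before + LIFETIME * fraction


if __name__ == "__main__":
    # Constructed sample data; nothing is sent over the network.
    print(build_new_order("8.8.8.8"))
    authz = {"challenges": [{"type": "http-01", "token": "constructed-token"}]}
    print(pick_challenge(authz)["type"])
    print(renew_at(datetime(2025, 7, 1, tzinfo=timezone.utc)))
    for bad in ("192.168.1.10", "100.64.0.1", "example.org"):
        try:
            build_new_order(bad)
        except ValueError as err:
            print("rejected:", err)
```

With a 6-day lifetime a failed renewal leaves little slack, so the renewal job should alert on failure rather than wait for the next scheduled run.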

Currently, Let’s Encrypt is limiting issuance to its staging environment to gather feedback and test real-world scenarios with select partners.

General availability is slated for later in 2025, coinciding with a broader rollout of short-lived certificate options.

Key Takeaways

  • More Flexibility: Web administrators now have a free, trusted option for securing IP-based services without a domain name.
  • Security Implications: Short certificate lifespans help mitigate risks from rapidly changing IP assignments.
  • Still Best Practice: For most users, domain-based certificates remain the recommended and most convenient method for web security.

For further guidance or technical assistance, Let’s Encrypt encourages users and developers to visit their community support forums.
