Let’s Encrypt, the non-profit certificate authority, has begun issuing certificates for IP addresses after years of requests for this capability.
Until now, Let’s Encrypt issued certificates only for domain names, forcing those who needed certificates for raw IP addresses to turn to the small number of alternative certificate authorities that offered that option.
IP addresses underpin the internet, but most users interact with services via domain names. The Domain Name System (DNS) translates human-friendly names into the numerical IP addresses that machines use to route traffic.
Historically, SSL/TLS certificates target domain names because they reflect how users identify and reach services. Domain-based certificates also offer operational flexibility: services can change hosting, load-balance across multiple servers, or move IPs without replacing certificates tied to a name.
Why IP address certificates matter
Although most organizations won’t need certificates for IP addresses, they are important in specific scenarios. IP address certificates support more secure infrastructure operations, particularly in cloud environments and certain IoT deployments where using domain names is impractical.
Several factors have made IP address certificates uncommon. IP assignments can be ephemeral: many consumer and even some cloud addresses change over time, which complicates certificate lifecycle management. Ownership of IP addresses can also be less permanent or clear than domain ownership. Finally, most services expect users to connect via domain names, so certificates bound to raw IPs haven’t been a priority.
Despite these concerns, Let’s Encrypt highlights several practical uses for IP-based certificates:
- Hosting providers can secure default pages that load when users visit a server’s IP directly, replacing insecure or confusing error pages with a proper secure response.
- Entities without domain names can secure services accessible at an IP, with some limitations compared to domain-based certificates.
- Infrastructure services such as DNS over HTTPS (DoH) can strengthen identity verification by presenting certificates tied to their IP endpoints.
- Home and small-office devices—like network-attached storage or certain IoT appliances—can be secured even when no domain name is associated.
- Cloud environments can use short-lived IP certificates to secure ephemeral backend connections or administrative access to transient instances.
Technical implementation
Let’s Encrypt has set specific constraints for IP address certificates. Most notably, these certificates will be short-lived—valid for roughly six days—to address concerns about changing IP assignments and to limit exposure from stale credentials.
Short validity periods reduce the risk associated with reassigned IPs and limit how long a compromised certificate remains usable.
At present, IP address certificates are available in Let’s Encrypt’s staging environment. Production release is expected later in 2025, aligned with the broader rollout of short-lived certificate support. Before general availability, Let’s Encrypt will collaborate with selected partners to collect feedback and refine the offering.
To request IP address certificates, ACME clients must support the draft ACME Profiles specification and be configured for the short-lived profile. Requesters must validate control of the IP using either the http-01 or tls-alpn-01 challenge methods; DNS-based challenges are not applicable for IP addresses.
Many existing Let’s Encrypt client implementations should already be able to request IP address certificates, though some clients may require updates or configuration changes to meet the new requirements.
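The request requirements above, sketched as an added example (not code from Let's Encrypt or any ACME client): it builds a newOrder body with RFC 8738 "ip" identifiers and the draft's "profile" field, filters out dns-01, and derives the name the validator sends per RFC 8738. The function names are hypothetical, "shortlived" is assumed to be the profile name, and the addresses are constructed documentation-range values.

```python
import ipaddress

# Challenge types the article lists for IP identifiers; dns-01 is excluded.
IP_CHALLENGES = ("http-01", "tls-alpn-01")
PROFILE = "shortlived"  # assumed name of Let's Encrypt's short-lived profile


def new_order_payload(addresses):
    """Build an ACME newOrder body using RFC 8738 identifiers of type "ip"."""
    identifiers = []
    for raw in addresses:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            raise ValueError(f"{raw!r} is not an IP address; it needs a 'dns' identifier")
        # str() gives the canonical text form (lower-case, compressed IPv6).
        identifiers.append({"type": "ip", "value": str(ip)})
    return {"identifiers": identifiers, "profile": PROFILE}


def pick_challenge(offered, prefer="http-01"):
    """Choose from an authorization's challenge list, never dns-01."""
    usable = [c for c in offered if c["type"] in IP_CHALLENGES]
    if not usable:
        raise LookupError("no http-01 or tls-alpn-01 challenge offered for this IP")
    usable.sort(key=lambda c: c["type"] != prefer)  # preferred type first
    return usable[0]


def validation_target(address, challenge_type):
    """Name the validator puts on the wire: HTTP Host header or TLS SNI."""
    ip = ipaddress.ip_address(address)
    if challenge_type == "http-01":
        # RFC 8738: Host carries the IP itself (IPv6 bracketed, as in a URL).
        return f"[{ip}]" if ip.version == 6 else str(ip)
    if challenge_type == "tls-alpn-01":
        # RFC 8738: SNI carries the in-addr.arpa / ip6.arpa reverse name.
        return ip.reverse_pointer
    raise ValueError(f"{challenge_type} cannot validate an IP identifier")
```

A server answering tls-alpn-01 for an IP therefore has to match on the reverse-DNS style SNI value, not on the address literal.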
This expansion allows Let’s Encrypt to address specific technical needs while preserving its mission to provide free, automated, and open certificate services to the broader internet community.