Let’s Encrypt Begins Issuing SSL/TLS Certificates for IP Addresses

On July 1, 2025, Let’s Encrypt, the world’s largest certificate authority, achieved a significant milestone by issuing its first SSL/TLS certificate for an IP address. This development marks a substantial shift in the certificate ecosystem, as IP address certificates have historically been available from only a handful of certificate authorities on a limited scale.

Since its inception in 2015, Let’s Encrypt has been at the forefront of promoting secure web communications by providing free, automated, and open certificate authority services. The introduction of IP address certificates addresses a decade-long demand from users who have repeatedly requested this capability.

Understanding IP Address Certificates

Traditionally, SSL/TLS certificates are issued for domain names, ensuring that communications between users and websites are encrypted and secure. However, certain scenarios necessitate securing communications directly to an IP address without an associated domain name. This is particularly relevant for services that operate directly over IP addresses or in environments where domain names are not practical.

The introduction of IP address certificates by Let’s Encrypt represents a strategic expansion of their service portfolio, complementing their existing domain-based certificate offerings. Unlike traditional domain certificates that rely on DNS validation, IP address certificates present unique technical challenges related to ownership verification and dynamic address allocation.

Use Cases and Benefits

The new certificate type addresses several critical use cases within modern Internet infrastructure:

1. Hosting Providers: They can now offer secured default pages when users accidentally access servers via IP addresses, eliminating browser security warnings.

2. DNS over HTTPS (DoH) Implementations: The certificates enable secure DoH implementations, allowing DoH servers to authenticate their identities more effectively to clients.

3. Cloud Infrastructure Providers: Managing ephemeral connections between backend servers becomes more secure with IP address certificates.

4. Internet-of-Things (IoT) Device Manufacturers: They can ensure secure remote access capabilities for their devices.

These scenarios are particularly valuable for enhancing security and trust in various online interactions.

Technical Implementation and Security Framework

The technical implementation of IP address certificates introduces stringent security requirements that differ significantly from standard domain certificates:

– Short-Lived Certificates: All IP address certificates must be short-lived, with validity periods limited to approximately six days. This policy addresses the inherent security risks associated with IP address ownership, particularly the dynamic nature of IP allocation by Internet service providers.

– ACME Client Requirements: The certificate issuance process requires ACME clients to support the draft ACME Profiles specification and explicitly request the shortlived profile.

– Validation Process: The validation process excludes DNS challenge methods, restricting authentication to the http-01 and tls-alpn-01 challenge types. This limitation ensures that certificate requesters demonstrate actual control over the IP address through HTTP or TLS protocols rather than through DNS records.

Currently available in staging environments, the service will transition to production availability later in 2025, coinciding with the general release of short-lived certificate functionality.
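
The three requirements above, seen from the client side, as an added example that is not Let's Encrypt's or any ACME client's own code: it builds a newOrder body with "ip" identifiers (RFC 8738) and the shortlived profile, refuses dns-01, derives the reverse-mapping SNI name a tls-alpn-01 responder sees for an IP address, and schedules renewal. The function names, the 7-day lifetime ceiling, the half-life renewal point and the sample data are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Per the section above: no DNS challenge for IP identifiers, and the
# "shortlived" profile must be requested explicitly.
ALLOWED_CHALLENGES = ("http-01", "tls-alpn-01")
PROFILE = "shortlived"
MAX_LIFETIME = timedelta(days=7)  # assumed tolerance around "approximately six days"


def new_order_payload(addresses):
    """Build an ACME newOrder body with "ip" identifiers (RFC 8738)."""
    identifiers = []
    for raw in addresses:
        ip = ipaddress.ip_address(raw)  # ValueError for hostnames or CIDR ranges
        identifiers.append({"type": "ip", "value": str(ip)})  # canonical text form
    return {"identifiers": identifiers, "profile": PROFILE}


def pick_challenge(authorization, preferred=ALLOWED_CHALLENGES):
    """Return the first preferred challenge that the server offered."""
    offered = {c["type"]: c for c in authorization["challenges"]}
    for kind in preferred:
        if kind not in ALLOWED_CHALLENGES:
            raise ValueError(f"{kind} cannot validate an IP identifier")
        if kind in offered:
            return offered[kind]
    raise LookupError("server offered no usable challenge for this IP")


def tls_alpn_sni(address):
    """SNI sent during tls-alpn-01 validation of an IP: its reverse-mapping name."""
    return ipaddress.ip_address(address).reverse_pointer


def renew_at(not_before, not_after):
    """Renew at half-life (assumed policy); reject a lifetime that is not short."""
    lifetime = not_after - not_before
    if lifetime > MAX_LIFETIME:
        raise ValueError(f"lifetime {lifetime} is not short-lived")
    return not_before + lifetime / 2


if __name__ == "__main__":
    # Constructed sample data: documentation addresses and a made-up authorization.
    print(new_order_payload(["203.0.113.10", "2001:DB8:0:0:0:0:0:1"]))
    auth = {"identifier": {"type": "ip", "value": "203.0.113.10"},
            "challenges": [{"type": "tls-alpn-01", "token": "constructed-token"}]}
    print(pick_challenge(auth)["type"], tls_alpn_sni("203.0.113.10"))
    issued = datetime(2025, 7, 1, tzinfo=timezone.utc)
    print(renew_at(issued, issued + timedelta(days=6)))
```

With a validity of about six days, the half-life rule leaves roughly three days to retry a failed renewal before the certificate expires.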

Conclusion

Let’s Encrypt’s decision to issue SSL/TLS certificates for IP addresses marks a significant advancement in the realm of internet security. By addressing longstanding user requests and expanding their service offerings, Let’s Encrypt continues to play a pivotal role in promoting secure and encrypted communications across the web.