Let’s Encrypt Starts Issuing SSL/TLS Certificates for IP Addresses

Let’s Encrypt, the world’s largest certificate authority, has achieved a significant milestone by issuing its first SSL/TLS certificate for an IP address on July 1, 2025.

This development marks a substantial shift in the certificate ecosystem, as IP address certificates have historically been available from only a handful of certificate authorities on a limited scale.

The move addresses a decade-long demand from users who have repeatedly requested this capability since Let’s Encrypt began operations in 2015.

The introduction of IP address certificates represents a strategic expansion of Let’s Encrypt’s service portfolio, complementing their existing domain-based certificate offerings.

Unlike traditional domain certificates that rely on DNS validation, IP address certificates present unique technical challenges related to ownership verification and dynamic address allocation.

Most Internet users interact with services through domain names like letsencrypt.org rather than numerical addresses such as 54.215.62.21 (IPv4) or 2600:1f1c:446:4900::65 (IPv6), making IP certificates a specialized but crucial infrastructure component.

The new certificate type addresses several critical use cases within modern Internet infrastructure. Hosting providers can now offer secured default pages when users accidentally access servers via IP addresses, eliminating browser security warnings.

Additionally, the certificates enable secure DNS over HTTPS (DoH) implementations, allowing DoH servers to authenticate their identities more effectively to clients.

Let’s Encrypt analysts identified these scenarios as particularly valuable for cloud infrastructure providers managing ephemeral connections between backend servers, and for Internet-of-Things device manufacturers requiring secure remote access capabilities.

Technical Implementation and Security Framework

The technical implementation of IP address certificates introduces stringent security requirements that differ significantly from standard domain certificates.

Let’s Encrypt requires all IP address certificates to be short-lived, with validity periods limited to approximately six days.

This policy addresses the inherent security risks associated with IP address ownership, particularly the dynamic nature of IP allocation by Internet service providers.

The certificate issuance process requires ACME clients to support the draft ACME Profiles specification and explicitly request the “shortlived” profile.

The validation process excludes DNS challenge methods, restricting authentication to http-01 and tls-alpn-01 challenge types.

This limitation ensures that certificate requesters demonstrate actual control over the IP address through HTTP or TLS protocols rather than through control of DNS records.

Currently available in staging environments, the service will transition to production availability later in 2025, coinciding with the general release of short-lived certificate functionality.
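The order an ACME client would place under these rules, sketched as an added example (not code from Let’s Encrypt or any ACME client). It assumes the `ip` identifier type from RFC 8738 and the `profile` order field and `meta.profiles` directory entry from the draft ACME Profiles specification; the function names and sample objects are constructed, and a real request is sent JWS-signed by the client.

```python
import ipaddress

# Challenge types permitted for IP identifiers; dns-01 is deliberately absent.
ALLOWED_IP_CHALLENGES = ("http-01", "tls-alpn-01")

# Constructed sample data shaped like an ACME directory and authorization.
SAMPLE_DIRECTORY = {"meta": {"profiles": {"classic": "constructed text",
                                          "shortlived": "constructed text"}}}
SAMPLE_AUTHZ = {
    "identifier": {"type": "ip", "value": "54.215.62.21"},
    "challenges": [{"type": "dns-01", "token": "constructed-token-a"},
                   {"type": "tls-alpn-01", "token": "constructed-token-b"}],
}


def build_new_order(directory, addresses, profile="shortlived"):
    """Return the unsigned newOrder payload for the given IP addresses."""
    offered = directory.get("meta", {}).get("profiles", {})
    if profile not in offered:
        raise ValueError(f"CA does not advertise profile {profile!r}")
    identifiers = []
    for addr in addresses:
        # ip_address() raises ValueError for hostnames and CIDR ranges;
        # str() yields the canonical text form (lowercase, compressed IPv6).
        ip = ipaddress.ip_address(addr)
        identifiers.append({"type": "ip", "value": str(ip)})
    return {"identifiers": identifiers, "profile": profile}


def pick_challenge(authz):
    """Pick the first permitted challenge for an IP authorization."""
    if authz["identifier"]["type"] != "ip":
        raise ValueError("this helper only handles IP identifiers")
    by_type = {c["type"]: c for c in authz["challenges"]}
    for ctype in ALLOWED_IP_CHALLENGES:
        if ctype in by_type:
            return by_type[ctype]
    raise ValueError("no http-01 or tls-alpn-01 challenge offered")


if __name__ == "__main__":
    order = build_new_order(SAMPLE_DIRECTORY,
                            ["54.215.62.21", "2600:1F1C:0446:4900:0:0:0:65"])
    print(order)
    print(pick_challenge(SAMPLE_AUTHZ)["type"])
```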
