For nearly a decade, Let’s Encrypt has focused on domain-validated certificates because, frankly, that’s how humans find websites. Translating readable names into numeric addresses via the DNS gives site operators the flexibility to relocate infrastructure without requiring certificate updates every time an IP address changes.
By contrast, IP addresses—especially the dynamic ones issued to many residential or small-business customers—tend to be ephemeral, making them a shaky foundation for long-lived credentials.
But this is about to change. As of July 1, 2025, Let’s Encrypt, a nonprofit certificate authority, has issued its first-ever IP address certificate. As you would expect, there are certain conditions for issuing this type of certificate. Here they are.
- Clients must support the ACME Profiles specification to request them.
- They’ll only be issued as short-lived certificates (valid for ~6 days), thereby reducing risks associated with IP reassignment.
- Only HTTP-01 and TLS-ALPN-01 validation methods are supported (no DNS challenges).
The feature is currently available in Let’s Encrypt’s staging environment, with a full production launch expected later in 2025 alongside broader short-lived certificate availability.
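The conditions above can be checked before a request ever reaches the CA. The sketch below is an added example, not Let's Encrypt or ACME client code: it builds a newOrder payload using the RFC 8738 `ip` identifier type and the `profile` field from the ACME Profiles draft. The function names are hypothetical, the profile name is supplied by the caller, and the rejection of non-public addresses is an added assumption based on publicly trusted CAs not issuing for reserved ranges.

```python
import ipaddress

# Validation methods the article lists for IP address certificates.
IP_CHALLENGES = {"http-01", "tls-alpn-01"}


def classify(identifier):
    """Return an ACME identifier object: type "ip" (RFC 8738) or "dns"."""
    try:
        addr = ipaddress.ip_address(identifier)
    except ValueError:
        # Not an IP literal, so treat it as a DNS name.
        return {"type": "dns", "value": identifier.lower().rstrip(".")}
    # str() gives the canonical text form (compressed, lowercase IPv6).
    return {"type": "ip", "value": str(addr)}


def preflight(identifiers, challenge, profile):
    """Build a newOrder payload, or raise ValueError when the request
    breaks one of the conditions listed above."""
    ids = [classify(i) for i in identifiers]
    ip_ids = [i for i in ids if i["type"] == "ip"]
    if ip_ids and challenge not in IP_CHALLENGES:
        # DNS challenges are not offered for IP identifiers.
        raise ValueError(f"{challenge} cannot validate an IP identifier")
    if ip_ids and not profile:
        # IP certificates are only issued through a short-lived profile.
        raise ValueError("IP identifiers need a short-lived profile")
    for i in ip_ids:
        # Assumption: private and reserved ranges (a NAS on its LAN
        # address, for instance) cannot be validated by a public CA.
        if not ipaddress.ip_address(i["value"]).is_global:
            raise ValueError(f"{i['value']} is not publicly routable")
    payload = {"identifiers": ids}
    if profile:
        payload["profile"] = profile
    return payload
```

A caller would pass the profile name its CA advertises in the ACME directory; a LAN address such as `192.168.1.10` fails the check even though the device may also sit behind a static WAN address.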
Who benefits from this? Even though Let’s Encrypt stresses that most site operators will do fine sticking with ordinary domain certificates, there are still scenarios where a numeric identifier is the only practical choice:
- Infrastructure services such as DNS-over-HTTPS (DoH) – where clients may pin a literal IP address for performance or censorship-evasion reasons.
- IoT and home-lab devices – think network-attached storage boxes living behind static WAN addresses.
- Ephemeral cloud workloads – short-lived back-end servers that spin up with public IPs faster than DNS records can propagate.
For more information, visit the official announcement. Early adopters are encouraged to test the feature and provide feedback.