Let’s Encrypt Begins Supporting IP Address Certificates

Let’s Encrypt begins issuing IP address certificates, expanding support beyond domain names to cater to specialized use cases, such as DoH and home devices.

For nearly a decade, Let’s Encrypt has focused on domain-validated certificates because, frankly, that’s how humans find websites. Translating readable names into numeric addresses via the DNS gives site operators the flexibility to relocate infrastructure without requiring certificate updates every time an IP address changes.

By contrast, IP addresses—especially the dynamic ones issued to many residential or small-business customers—tend to be ephemeral, making them a shaky foundation for long-lived credentials.

But this is changing. On July 1, 2025, Let’s Encrypt, a nonprofit certificate authority, issued its first-ever IP address certificate. As you would expect, this type of certificate is issued only under certain conditions:

  • Clients must support the ACME Profiles specification to request them.
  • They’ll only be issued as short-lived certificates (valid for ~6 days), thereby reducing risks associated with IP reassignment.
  • Only HTTP-01 and TLS-ALPN-01 validation methods are supported (no DNS challenges).
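The conditions above can be checked on the client side before an order is sent. The following is an added example, not code from Let’s Encrypt or from the article: it builds an ACME newOrder payload using the `ip` identifier type from RFC 8738 and the `profile` field from the ACME Profiles draft. The function names, the sample addresses and the profile name `shortlived` are assumptions that do not appear in the article.

```python
import ipaddress
import json

# Challenge types the article lists as usable for IP identifiers.
IP_CHALLENGES = {"http-01", "tls-alpn-01"}

def to_identifier(value):
    """Map a string to an ACME identifier: type "ip" (RFC 8738) or "dns"."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        # Not an IP literal, so treat it as a DNS name.
        return {"type": "dns", "value": value.lower().rstrip(".")}
    if not ip.is_global:
        # A public CA cannot validate private, loopback or reserved space.
        raise ValueError(f"{value} is not a publicly routable address")
    # str(ip) yields the compressed lower-case text form for IPv6.
    return {"type": "ip", "value": str(ip)}

def build_new_order(values, challenge, profile):
    """Return a newOrder payload, enforcing the conditions for IP identifiers."""
    identifiers = [to_identifier(v) for v in values]
    has_ip = any(i["type"] == "ip" for i in identifiers)
    if has_ip and challenge not in IP_CHALLENGES:
        raise ValueError(f"{challenge} cannot validate an IP identifier")
    if has_ip and not profile:
        raise ValueError("IP identifiers require an ACME profile")
    order = {"identifiers": identifiers}
    if profile:
        order["profile"] = profile  # field defined by the ACME Profiles draft
    return order

if __name__ == "__main__":
    # Constructed sample input: public resolver addresses, one in long form.
    sample = ["8.8.8.8", "2001:4860:4860:0:0:0:0:8888"]
    print(json.dumps(build_new_order(sample, "tls-alpn-01", "shortlived"), indent=2))
```

Rejecting non-global addresses and DNS-01 locally gives a clear error before the request reaches the CA and avoids spending failed-validation rate limits.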

The feature is currently available in Let’s Encrypt’s staging environment, with a full production launch expected later in 2025 alongside broader short-lived certificate availability.

Who benefits from this? Even though Let’s Encrypt stresses that most site operators will do fine sticking with ordinary domain certificates, there are still scenarios where a numeric identifier is the only practical choice:

  • Infrastructure services such as DNS-over-HTTPS (DoH) – where clients may pin a literal IP address for performance or censorship-evasion reasons.
  • IoT and home-lab devices – think network-attached storage boxes, for example, living behind static WAN addresses.
  • Ephemeral cloud workloads – short-lived back-end servers that spin up with public IPs faster than DNS records can propagate.

For more information, visit the official announcement. Early adopters are encouraged to test the feature and provide feedback.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
