
Let's Encrypt Issues First IP Address Certificate

Author: Ze Research Writer

Let's Encrypt issued its first TLS certificate for an IP address on July 1, 2025, marking a significant expansion of the free certificate authority's capabilities beyond domain name validation.

Let's Encrypt, the nonprofit certificate authority operated by the Internet Security Research Group (ISRG), issued its first TLS certificate for an IP address on July 1, 2025. The milestone represents a significant expansion of the organization's free certificate issuance capabilities, which have historically been limited to domain names.


What Happened

On July 1, 2025, Let's Encrypt began issuing TLS certificates for IP addresses to a subset of its subscribers. The first certificate was logged in the Certificate Transparency system, providing public verification of the issuance.

The rollout follows a timeline established in January 2025:

  • January 16, 2025: Let's Encrypt announced plans for IP address certificates and six-day certificate lifetimes
  • February 2025: Internal testing of IP address certificates began
  • April 2025: Early adopter access to IP address certificates
  • July 1, 2025: First public IP address certificate issued
  • End of 2025: Targeted general availability

According to the Let's Encrypt blog post, the organization is gradually increasing the percentage of eligible subscribers who can obtain IP address certificates. The phased approach allows the organization to monitor for issues and ensure system stability.

Key Claims and Evidence

Let's Encrypt made several technical claims regarding IP address certificate issuance:

Short-lived certificate requirement: Let's Encrypt issues IP address certificates only under its short-lived profile, which has a validity period of six days. This is a Let's Encrypt policy choice rather than a requirement imposed by the CA/Browser Forum Baseline Requirements, which do not single out IP address certificates for shorter lifetimes. What the Baseline Requirements do define is a short-lived certificate category, with a validity of a matter of days, whose certificates are exempt from the revocation-information requirements; the six-day profile fits inside that category, and confining IP identifiers to it suits how often IP addresses change hands. For the subscriber the consequence is the same either way: the certificate cannot be kept in service without automation that renews it several times a week.

Validation method restrictions: IP address validation is limited to the http-01 and tls-alpn-01 challenges. This follows RFC 8738, which defines the "ip" identifier type for ACME and permits only those two challenges for it. The dns-01 challenge cannot be used because there is no DNS name under the subscriber's control in which to publish the validation record: reverse-DNS zones (in-addr.arpa and ip6.arpa) are normally managed by the network operator, not by whoever holds the address. Workflows built around dns-01, including wildcard issuance, therefore do not carry over to IP identifiers.

ACME Profiles implementation: Subscribers reach the short-lived profile through the draft-ietf-acme-profiles-00 mechanism, under which the ACME directory advertises the available profiles and the client names one in its newOrder request; the "ip" identifier type itself predates the draft and is defined in RFC 8738. According to the IETF datatracker, the profiles draft has been implemented by the Boulder and Pebble ACME servers (both developed by ISRG) and seven ACME client implementations.

Certificate Transparency logging: The first IP address certificate was logged with crt.sh ID 19376952215, providing public auditability of the issuance.


Pros and Opportunities

Simplified infrastructure for IP-based services: Organizations operating services that are accessed directly by IP address, rather than domain name, can now obtain free TLS certificates. Use cases include internal infrastructure, development environments, and services where DNS is unavailable or impractical.

Reduced cost for certificate acquisition: Prior to Let's Encrypt's support, obtaining certificates for IP addresses required purchasing from commercial certificate authorities. Free issuance removes this cost barrier.

Automated certificate management: The ACME protocol enables automated certificate renewal, reducing operational overhead for organizations managing IP address certificates. Given the six-day validity period, automation becomes essential rather than optional.

Improved security posture: Services previously operating without TLS due to the complexity or cost of obtaining IP address certificates can now implement encrypted connections.

Cons, Risks, and Limitations

Six-day validity period: The short certificate lifetime requires robust automation for renewal. Organizations without mature certificate management infrastructure may struggle to maintain continuous service availability.

Limited validation methods: The restriction to http-01 and tls-alpn-01 challenges means that some deployment scenarios supported for domain name certificates are not available for IP addresses. Organizations relying on dns-01 challenges for their existing certificate management workflows will need to implement alternative validation methods.

Gradual rollout: As of July 1, 2025, IP address certificates are not available to all Let's Encrypt subscribers. Organizations requiring immediate access may need to wait for expanded availability or seek alternative certificate authorities.

Address reassignment: IP addresses, and cloud-allocated IPv4 addresses in particular, change hands far more often than domain names, and nothing in DNS signals the change. A certificate can therefore outlive its subscriber's control of the address; the six-day lifetime bounds that window, but an IP certificate should still be read as proof of control at validation time, not as a durable binding. IPv6 adoption, where addresses are plentiful and reassignment pressure is lower, may change this picture.

No wildcard equivalent: There is no IP analogue of a wildcard certificate. Every address must be listed explicitly as an iPAddress entry in the Subject Alternative Name and validated individually, although one certificate can carry several such entries (alongside dNSName entries) rather than requiring a separate certificate per address.


How the Technology Works

Let's Encrypt's IP address certificate issuance builds on the Automatic Certificate Management Environment (ACME) protocol, the same protocol used for domain name certificate issuance.

ACME Profiles: The draft-ietf-acme-profiles specification lets a CA offer several certificate profiles and lets the client name the one it wants: the directory's "meta" object lists the available profile names, and the client echoes one of them in the "profile" field of its newOrder request. Let's Encrypt's advertised profiles include "classic" (the traditional 90-day certificate) and "shortlived" (six days); IP address identifiers are accepted only under "shortlived", so there is no separate IP profile to request.
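As an added example (not code from the page, Let's Encrypt or any ACME client), the following Go program shows the wire shape just described: it reads a constructed stand-in for the directory's meta.profiles object, builds a newOrder payload that requests "ip" identifiers (RFC 8738) under the "shortlived" profile, and refuses combinations the server would reject. The directory contents, the newOrder URL and the rule that only "shortlived" accepts IP identifiers are assumptions taken from this page, not a captured response.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"strings"
)

// sampleDirectory is a constructed stand-in for an ACME directory document.
// A real client fetches https://acme-v02.api.letsencrypt.org/directory; the
// URL and profile descriptions below are illustrative, not a captured response.
const sampleDirectory = `{
  "newOrder": "https://acme.example/acme/new-order",
  "meta": {
    "profiles": {
      "classic":    "The traditional 90-day certificate",
      "shortlived": "A six-day certificate; the only profile that accepts IP identifiers"
    }
  }
}`

type directory struct {
	NewOrder string `json:"newOrder"`
	Meta     struct {
		Profiles map[string]string `json:"profiles"` // name -> human-readable description
	} `json:"meta"`
}

// identifier is the ACME identifier object; RFC 8738 adds "ip" to the "dns" type of RFC 8555.
type identifier struct {
	Type  string `json:"type"`
	Value string `json:"value"`
}

// newOrder is the newOrder payload with the "profile" field from draft-ietf-acme-profiles.
type newOrder struct {
	Identifiers []identifier `json:"identifiers"`
	Profile     string       `json:"profile,omitempty"`
}

// ipProfile encodes the page's statement that Let's Encrypt accepts IP identifiers
// only under its short-lived profile (assumed here; the server does not advertise it).
const ipProfile = "shortlived"

func parseDirectory(raw string) (directory, error) {
	var d directory
	return d, json.Unmarshal([]byte(raw), &d)
}

// buildOrder produces the newOrder JSON for the given identifiers under a profile,
// refusing what the server would refuse anyway: unknown profiles, malformed IP
// literals, and IP identifiers under a profile that does not allow them.
func buildOrder(dir directory, profile string, values []string) (string, error) {
	if _, ok := dir.Meta.Profiles[profile]; !ok {
		return "", fmt.Errorf("profile %q not advertised in directory meta", profile)
	}
	var ids []identifier
	for _, v := range values {
		if ip := net.ParseIP(v); ip != nil {
			if profile != ipProfile {
				return "", fmt.Errorf("ip identifier %s requires profile %q", v, ipProfile)
			}
			// Canonical textual form: no brackets, zone or prefix length.
			ids = append(ids, identifier{Type: "ip", Value: ip.String()})
		} else if strings.ContainsAny(v, "/[]% ") {
			return "", fmt.Errorf("%q is neither a host name nor an IP literal", v)
		} else {
			ids = append(ids, identifier{Type: "dns", Value: v})
		}
	}
	if len(ids) == 0 {
		return "", errors.New("no identifiers")
	}
	b, err := json.Marshal(newOrder{Identifiers: ids, Profile: profile})
	return string(b), err
}

func main() {
	dir, err := parseDirectory(sampleDirectory)
	if err != nil {
		panic(err)
	}
	for _, profile := range []string{"shortlived", "classic"} {
		payload, err := buildOrder(dir, profile, []string{"192.0.2.10", "2001:db8::1"})
		fmt.Printf("%-10s %s %v\n", profile, payload, err)
	}
}
```

The payload is what gets wrapped in the signed JWS body of the POST to newOrder; the order object the server returns echoes the profile name, so a client can confirm it was honoured before paying for the validation round trips.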

Validation process: For IP address certificates, the subscriber must demonstrate control over the IP address through one of two challenge methods:

The http-01 challenge requires the subscriber to serve a token file at /.well-known/acme-challenge/<token> over plain HTTP on port 80 of the address itself. Let's Encrypt's validation servers connect to the IP directly and, per RFC 8738, put the IP address in the Host header, so the responder must answer for the bare address rather than only for a virtual-host name.

The tls-alpn-01 challenge requires the subscriber to run a TLS server on port 443 of the address that, when the validator negotiates the "acme-tls/1" ALPN protocol, presents a self-signed certificate whose Subject Alternative Name holds the IP address as a single iPAddress entry and whose critical acmeIdentifier extension carries the SHA-256 digest of the key authorization. Because the SNI extension cannot carry an IP literal, RFC 8738 has the validator send the address's reverse-mapping name (in-addr.arpa or ip6.arpa) as the server name instead. This method is useful when port 80 is unavailable or blocked.
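The exchange for an IP identifier, as an added Go example that is not code from the page, Let's Encrypt or Boulder: the subscriber side builds the validation certificate and its responder hands it out only for the acme-tls/1 ALPN with the reverse-name SNI; the validator side connects over an in-memory pipe, refuses any certificate whose single iPAddress SAN or acmeIdentifier digest is wrong, and disables session tickets because nothing ever resumes a validation handshake. The address 192.0.2.10, the token and the account-key thumbprint are constructed values, and the reverse-name helper covers IPv4 only (IPv6 uses the nibble-reversed ip6.arpa form).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net"
	"slices"
	"time"
)

var acmeIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31} // id-pe-acmeIdentifier (RFC 8737)
const alpnACME = "acme-tls/1"

// reverseName is the in-addr.arpa name RFC 8738 puts in SNI, since SNI cannot carry an IP
// literal. IPv4 only here; IPv6 uses the nibble-reversed ip6.arpa form.
func reverseName(ip net.IP) string {
	v4 := ip.To4()
	return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa", v4[3], v4[2], v4[1], v4[0])
}

// keyAuthDigest is SHA-256 over the key authorization "token.thumbprint".
func keyAuthDigest(token, thumbprint string) [32]byte {
	return sha256.Sum256([]byte(token + "." + thumbprint))
}

// responderCert is the subscriber's self-signed validation certificate: exactly one iPAddress
// SAN plus a critical acmeIdentifier extension holding the digest as a DER OCTET STRING.
func responderCert(ip net.IP, digest [32]byte) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	ext, _ := asn1.Marshal(digest[:]) // a []byte marshals as OCTET STRING
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(time.Hour),
		IPAddresses:     []net.IP{ip},
		ExtraExtensions: []pkix.Extension{{Id: acmeIdentifier, Critical: true, Value: ext}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// checkResponder is the CA-side inspection of the certificate the responder presented.
func checkResponder(cert *x509.Certificate, ip net.IP, digest [32]byte) error {
	if len(cert.IPAddresses) != 1 || !cert.IPAddresses[0].Equal(ip) || len(cert.DNSNames) != 0 {
		return errors.New("SAN must hold exactly the validated iPAddress")
	}
	i := slices.IndexFunc(cert.Extensions, func(e pkix.Extension) bool { return e.Id.Equal(acmeIdentifier) })
	if i < 0 || !cert.Extensions[i].Critical {
		return errors.New("critical acmeIdentifier extension missing")
	}
	var got []byte
	if _, err := asn1.Unmarshal(cert.Extensions[i].Value, &got); err != nil || !slices.Equal(got, digest[:]) {
		return errors.New("key authorization digest mismatch")
	}
	return nil
}

// validate plays both sides over an in-memory pipe; nil means the validator accepted the handshake.
func validate(ip net.IP, served tls.Certificate, expect [32]byte) error {
	cRaw, sRaw := net.Pipe()
	defer func() { cRaw.Close(); sRaw.Close() }()
	cRaw.SetDeadline(time.Now().Add(5 * time.Second)) // a rejected handshake must not wedge the pipe
	sRaw.SetDeadline(time.Now().Add(5 * time.Second))
	serverCfg := &tls.Config{NextProtos: []string{alpnACME}, SessionTicketsDisabled: true,
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if h.ServerName != reverseName(ip) || !slices.Contains(h.SupportedProtos, alpnACME) {
				return nil, fmt.Errorf("not an acme-tls/1 request for %s (SNI %q)", ip, h.ServerName)
			}
			return &served, nil
		}}
	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(sRaw, serverCfg).Handshake() }()
	clientCfg := &tls.Config{ServerName: reverseName(ip), NextProtos: []string{alpnACME},
		InsecureSkipVerify: true, // self-signed by design; trust comes from checkResponder instead
		VerifyConnection: func(cs tls.ConnectionState) error {
			if cs.NegotiatedProtocol != alpnACME {
				return errors.New("acme-tls/1 not negotiated")
			}
			return checkResponder(cs.PeerCertificates[0], ip, expect)
		}}
	return errors.Join(tls.Client(cRaw, clientCfg).Handshake(), <-serverErr)
}

func main() { // constructed identifier, token and thumbprint
	ip, d := net.ParseIP("192.0.2.10"), keyAuthDigest("constructed-token", "constructed-thumbprint")
	served, err := responderCert(ip, d)
	fmt.Println("SNI:", reverseName(ip), "validated:", errors.Join(err, validate(ip, served, d)) == nil)
}
```

The design point worth noticing is where trust comes from: the validator deliberately skips chain verification (the responder certificate is self-signed and disposable) and instead binds the handshake to the ACME account through the digest of the key authorization, which only the holder of the account key could have computed for this token.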

Certificate format: IP address certificates carry the address as an iPAddress entry in the Subject Alternative Name (SAN) extension, rather than the dNSName entry used for domain names. This is what TLS clients match against: a client connecting to an https:// URL whose host is a bare IP compares that literal address with the iPAddress entries and ignores any dNSName that merely spells the address as text. The certificate otherwise follows standard X.509 format.
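As an added example, not from the page or from Let's Encrypt, this Go checker applies the two properties above to a parsed certificate: the address must appear as an iPAddress SAN (Go's VerifyHostname makes exactly that distinction for an IP literal), and the lifetime must fit the six-day profile. It also computes a renewal time at one third of lifetime remaining, the same ratio as the familiar 30-days-before-expiry rule for 90-day certificates; that ratio is a rule of thumb assumed here, and the ACME Renewal Information endpoint is authoritative where available. The certificates are constructed struct literals, not real issuances.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
	"strings"
	"time"
)

// maxShortLived is the six-day lifetime of Let's Encrypt's short-lived profile
// described on this page, plus an hour of slack for a backdated NotBefore.
const maxShortLived = 6*24*time.Hour + time.Hour

// checkIPLeaf verifies that a leaf certificate is fit for a service reached as a
// bare IP address: the address must appear as an iPAddress SAN (a dNSName that
// merely spells the address does not count) and the lifetime must fit the
// short-lived profile.
func checkIPLeaf(cert *x509.Certificate, addr string) error {
	host := strings.TrimSuffix(strings.TrimPrefix(addr, "["), "]") // allow URL-style [v6]
	if net.ParseIP(host) == nil {
		return fmt.Errorf("%q is not an IP literal", addr)
	}
	// For an IP literal, VerifyHostname consults only cert.IPAddresses, the same
	// matching a browser performs for an https://<ip>/ URL.
	if err := cert.VerifyHostname(host); err != nil {
		return err
	}
	if life := cert.NotAfter.Sub(cert.NotBefore); life > maxShortLived {
		return fmt.Errorf("validity %v exceeds the six-day short-lived profile", life)
	}
	return nil
}

// renewAt returns when automation should renew: with one third of the lifetime
// left (an assumed rule of thumb; ACME Renewal Information is authoritative).
// For a six-day certificate that is four days after NotBefore.
func renewAt(cert *x509.Certificate) time.Time {
	return cert.NotAfter.Add(-cert.NotAfter.Sub(cert.NotBefore) / 3)
}

// sample is a constructed leaf (a bare struct, not a signed certificate) with the
// given SAN entries and lifetime, enough for the checks above.
func sample(ips, names []string, life time.Duration) *x509.Certificate {
	c := &x509.Certificate{NotBefore: time.Now(), DNSNames: names}
	c.NotAfter = c.NotBefore.Add(life)
	for _, s := range ips {
		c.IPAddresses = append(c.IPAddresses, net.ParseIP(s))
	}
	return c
}

func main() {
	day := 24 * time.Hour
	cases := []struct {
		name string
		cert *x509.Certificate
	}{
		{"six-day iPAddress SAN", sample([]string{"192.0.2.10", "2001:db8::1"}, nil, 6*day)},
		{"address spelled as dNSName", sample(nil, []string{"192.0.2.10"}, 6*day)},
		{"90-day iPAddress SAN", sample([]string{"192.0.2.10"}, nil, 90*day)},
	}
	for _, c := range cases {
		fmt.Printf("%-28s -> %v\n", c.name, checkIPLeaf(c.cert, "192.0.2.10"))
	}
	fmt.Println("renew the six-day certificate at", renewAt(cases[0].cert).Format(time.RFC3339))
}
```

Run against a live endpoint, the same checker takes the leaf from tls.ConnectionState.PeerCertificates; the dNSName case is the one that bites in practice, because some internal CAs and older tooling happily put an address into a dNSName and browsers will reject the result.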

Technical context: The six-day validity period fits the industry move toward shorter certificate lifetimes. Shorter validity reduces the window of exposure if a private key is compromised, limits the damage when an address or name changes hands, and forces certificate management to be automated. In April 2025 the CA/Browser Forum adopted Ballot SC-081, which steps the maximum validity of publicly trusted TLS certificates down to 200 days in March 2026, 100 days in March 2027 and 47 days in March 2029; six-day certificates sit well inside even the final step.

Industry Implications

Let's Encrypt's IP address certificate support represents a continuation of the organization's mission to make TLS encryption universally accessible. Since its founding in 2014 and public launch in 2015, Let's Encrypt has issued billions of certificates and fundamentally changed the economics of TLS deployment.

The addition of IP address certificates addresses a gap in the free certificate ecosystem. While domain name certificates have been freely available through Let's Encrypt for nearly a decade, IP address certificates remained a paid service from commercial certificate authorities.

The ACME Profiles specification, which Let's Encrypt deployed alongside its short-lived and IP address certificates, provides a framework for future certificate profile additions. The specification's adoption by multiple ACME clients suggests that the ecosystem is prepared to support new certificate types as they become available.

The short-lived certificate requirement for IP addresses may serve as a testing ground for broader adoption of reduced certificate lifetimes. Let's Encrypt's experience with six-day IP address certificates could inform future decisions about default certificate validity periods.

What Remains Unclear

Several aspects of Let's Encrypt's IP address certificate program remain to be determined:

Rollout timeline: The organization has not published a specific schedule for expanding IP address certificate availability beyond the initial subset of subscribers.

Usage statistics: As of July 1, 2025, no data is available on the volume of IP address certificate requests or the types of use cases being served.

IPv6 support: While the technical specifications support IPv6 addresses, the practical deployment and any IPv6-specific considerations have not been detailed.

Rate limits: Let's Encrypt applies rate limits to certificate issuance to prevent abuse. The specific rate limits for IP address certificates, and whether they differ from domain name certificate limits, have not been published.

What to Watch Next

Expanded availability: Let's Encrypt has indicated plans to increase the percentage of subscribers eligible for IP address certificates. Announcements regarding expanded access will signal progress toward general availability.

IETF standardization: The ACME Profiles specification is currently a draft. Progress toward RFC status would indicate broader industry consensus on the approach.

Client implementation updates: ACME client software updates to support IP address certificate requests will determine how easily organizations can adopt the new capability.

CA/Browser Forum discussions: Ongoing discussions about certificate validity periods and IP address certificate requirements may affect Let's Encrypt's implementation.

Usage patterns: As more organizations obtain IP address certificates, patterns in use cases and deployment scenarios will emerge, potentially informing future development priorities.

Sources

  1. Let's Encrypt Blog, "Issuing Our First IP Address Certificate," July 1, 2025. https://letsencrypt.org/2025/07/01/issuing-our-first-ip-address-certificate.html

  2. Let's Encrypt Blog, "Six-Day and IP Address Certificates," January 16, 2025. https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/

  3. IETF Datatracker, "ACME Profiles (draft-ietf-acme-profiles-00)," 2025. https://datatracker.ietf.org/doc/draft-ietf-acme-profiles/

