SSL News

Let's Encrypt Plans Free SSL Certificates for IP Addresses (Coming Soon)

Let's Encrypt to provide free SSL certificates for IP addresses, available in staging now with general availability expected later in 2025. Learn what this means for your infrastructure.

Let's Encrypt, the not-for-profit organisation that provides free SSL certificates for websites, is working on a new feature: free SSL certificates for IP addresses. They should be generally available in production later in 2025, at the same time that short-lived certificates become generally available.

This is a significant development that will fill a long-standing gap in web security. According to Let's Encrypt, IP address certificates are now available in Let's Encrypt's Staging environment and will become generally available later this year.

Current Status: Testing Phase

Important: IP address certificates are not yet available for general use. Here's the current timeline:

  • January 2025: Let's Encrypt announced the feature
  • July 2025: First IP certificate issued in staging environment
  • Now: Available in staging/testing environment only
  • Late 2025: Expected general availability

According to Let's Encrypt's official announcement, "We hope to make short-lived certificates generally available by the end of 2025. The earliest short-lived certificates we issue may not support IP addresses, but we intend to enable IP address support by the time short-lived certificates reach general availability."

Why IP Address Certificates Matter

Currently, SSL certificates are mainly issued for domain names like example.com, i.e. human-friendly, readable names that most internet users would type into an address bar. However, many other internet-based services such as

  • cloud tools
  • test servers
  • IoT devices
  • network equipment

only use IP addresses and can't get free, trusted SSL certificates.

This often means administrators:

  • resort to self-signed certificates, which are considered risky
  • pay premium prices for commercial IP certificates
  • go without encryption entirely

What are public IPv4 addresses? These are IP addresses directly accessible from the internet (like 203.0.113.1), as opposed to private addresses used within local networks (like 192.168.1.1).

What We Know About the Upcoming Feature

Based on Let's Encrypt's announcements, here's what to expect:

Key Features (When Available)

Public IPv4 addresses only:

  • Certificates will be issued for public, internet-routable IP addresses
  • Private or local IPs won't be supported
  • IPv6 support timeline is unclear

Short validity periods:

  • IP address certificates must be short-lived certs, valid for only about six days
  • This is a policy requirement, not optional
  • Much shorter than current 90-day domain certificates

Free of charge:

  • Like all Let's Encrypt certificates, these will be free

Automation required:

  • Manual renewal won't be practical with short validity periods
  • ACME client automation will be essential

Limited challenge methods:

  • Only HTTP-01 and TLS-ALPN-01 challenges are supported
  • DNS-01 challenges are not available because DNS is not involved in validating IP addresses

Who Will Benefit When This Launches?

IP address certificates will be especially valuable for infrastructure services that operate without domain names. This includes internal tools, testing endpoints, and legacy services that were built before modern domain practices became standard. Development environments will particularly benefit, as they often need real SSL certificates but don't justify the overhead of domain management.

IoT devices represent another major use case. Smart cameras, industrial sensors, and monitoring equipment typically communicate via IP addresses rather than domain names. These devices, along with IoT gateways and edge computing systems, will gain significant security improvements from trusted certificates.

Cloud infrastructure will see substantial benefits, particularly for ephemeral resources like short-lived instances, containers, and auto-scaling groups. These temporary compute resources often need encryption but don't warrant the complexity of domain certificate management.

DNS-over-HTTPS servers and other infrastructure services will also benefit significantly. Secure DNS resolvers that require IP-based access, privacy-focused DNS services, and enterprise DNS infrastructure can all improve their security posture with IP certificates.

Finally, hosting providers can use IP certificates to secure their default pages - those Apache or Nginx welcome pages that appear when someone accesses a server directly by IP address, along with hosting control panels and server status pages.

Preparing for IP Certificates

While waiting for general availability, organisations can take several steps to prepare for IP certificates. Testing in Let's Encrypt's staging environment is the most important preparation step. This allows you to verify that your infrastructure can handle short-lived certificates and test your automated renewal processes before production deployment.

Upgrading your ACME client is equally critical. Not all clients currently support IP address certificates, so you'll need to ensure compatibility with both IP addresses and short renewal periods. Some organisations may need to consider switching to clients with better IP support.

Infrastructure planning should focus on identifying which services would benefit most from IP certificates. This requires ensuring you have static IP addresses where needed, as dynamic IPs won't work with this system. You'll also need to plan comprehensive monitoring and alerting systems specifically designed for short-lived certificates.

Perhaps most importantly, automation preparation is essential. With six-day validity periods, manual certificate management becomes impossible. Organisations need to design automated renewal workflows, set up monitoring for certificate expiration, and thoroughly test failure scenarios and recovery procedures.

Important Considerations

The static IP requirement represents one of the most significant limitations of IP certificates. Your IP addresses must remain stable throughout the certificate's lifetime, which means dynamic IPs won't work with this system. Organisations need to consider the additional cost of static IP addresses from their hosting providers, as these often come with premium pricing.

Validation methods are more restrictive than domain certificates. IP certificates only support HTTP-01 and TLS-ALPN-01 challenges, which means your services must be accessible on ports 80 or 443. The popular DNS-01 challenge method isn't available because DNS isn't involved in validating IP addresses.
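As an added illustration (not code from Let's Encrypt or from any ACME client), the sketch below shows what this restriction looks like at the protocol level under RFC 8738: the order carries an identifier of type "ip", only the two permitted challenge types are accepted, and for TLS-ALPN-01 the validator's SNI is the address's reverse-DNS name. The function names, the tokens and the sample authorization are constructed for the example.

```python
import ipaddress

# RFC 8738: dns-01 is not used for IP identifiers.
ALLOWED = {"http-01", "tls-alpn-01"}

# Constructed sample authorization object; tokens are placeholders.
SAMPLE_AUTHZ = {
    "identifier": {"type": "ip", "value": "203.0.113.1"},
    "challenges": [
        {"type": "http-01", "token": "PLACEHOLDER-TOKEN-1"},
        {"type": "dns-01", "token": "PLACEHOLDER-TOKEN-2"},
        {"type": "tls-alpn-01", "token": "PLACEHOLDER-TOKEN-3"},
    ],
}

def ip_order_payload(addresses):
    """Build an ACME newOrder body for IP identifiers (RFC 8738, type "ip")."""
    identifiers = []
    for text in addresses:
        ip = ipaddress.ip_address(text)   # ValueError on malformed input
        identifiers.append({"type": "ip", "value": str(ip)})
    return {"identifiers": identifiers}

def usable_challenges(authz):
    """Keep only the challenge types permitted for an IP authorization."""
    if authz["identifier"]["type"] != "ip":
        raise ValueError("not an IP authorization")
    return [c for c in authz["challenges"] if c["type"] in ALLOWED]

def tls_alpn_sni(address):
    """SNI the validator presents during TLS-ALPN-01 for an IP identifier."""
    return ipaddress.ip_address(address).reverse_pointer

def http01_url(address, token):
    """URL the validator fetches for HTTP-01; the Host header is the bare IP."""
    ip = ipaddress.ip_address(address)
    return f"http://{ip}/.well-known/acme-challenge/{token}"

if __name__ == "__main__":
    print(ip_order_payload(["203.0.113.1"]))
    print([c["type"] for c in usable_challenges(SAMPLE_AUTHZ)])
    print(tls_alpn_sni("203.0.113.1"))
```

A TLS-ALPN-01 responder therefore has to answer for the `in-addr.arpa` name, and an HTTP-01 responder for requests whose Host header is the IP itself, which is worth checking on servers that route by virtual host.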

Monitoring requirements become much more demanding with six-day certificates. Traditional monthly certificate monitoring won't suffice - you'll need daily certificate checks at minimum, with real-time alerting for renewal failures. This represents a significant operational change for most organisations.
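A fixed "days before expiry" alert fires permanently on a six-day certificate, so a check for short-lived certificates is better expressed as a fraction of lifetime used. The following is an added example, not Let's Encrypt's or any client's code; the thresholds, function names and the sample certificate are assumptions made for illustration.

```python
import ipaddress
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by SSLSocket.getpeercert();
# the address and dates are made up to model a six-day certificate.
SAMPLE_CERT = {
    "notBefore": "Jul  1 00:00:00 2025 GMT",
    "notAfter": "Jul  7 00:00:00 2025 GMT",
    "subjectAltName": (("IP Address", "203.0.113.1"),),
}

def fetch_cert(ip, port=443, timeout=5):
    """Fetch the live certificate; raises if the chain or IP SAN fails to verify."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=ip) as tls:
            return tls.getpeercert()

def assess(cert, ip, now=None, renew_at=0.5, critical_at=0.8):
    """Classify a certificate by the fraction of its lifetime already used.

    renew_at and critical_at are assumed thresholds, not Let's Encrypt policy.
    """
    now = now or datetime.now(timezone.utc)
    want = ipaddress.ip_address(ip)
    sans = [ipaddress.ip_address(value.strip())
            for kind, value in cert.get("subjectAltName", ())
            if kind == "IP Address"]
    if want not in sans:
        return "ip-mismatch"
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    t = now.timestamp()
    if t < start:
        return "not-yet-valid"
    if t >= end:
        return "expired"
    used = (t - start) / (end - start)
    if used >= critical_at:
        return "critical"    # renewal should already have happened: alert
    if used >= renew_at:
        return "renew-due"   # normal renewal window
    return "ok"

if __name__ == "__main__":
    when = datetime(2025, 7, 4, 12, tzinfo=timezone.utc)
    print(assess(SAMPLE_CERT, "203.0.113.1", when))
```

Run from a scheduler at an interval well below the certificate lifetime, `assess(fetch_cert(ip), ip)` gives a status that can be mapped directly to alert severity.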

ACME client compatibility remains a concern, as not all clients support IP certificates yet. Organisations should verify support before the feature launches and consider client updates or alternatives. Some clients may need significant updates to handle the shorter renewal cycles effectively.

Frequently Asked Questions

Q: When will IP certificates be available for everyone?
A: Let's Encrypt hopes to make them generally available by the end of 2025, but no specific date has been confirmed.

Q: Can I use these for private IP addresses?
A: No, certificates will only be issued for public IPv4 addresses that are routable on the internet.

Q: Will these work with existing ACME clients?
A: Many Let's Encrypt client applications will need updates to support IP certificates. Check with your client's documentation.

Q: Are 6-day certificates confirmed for IP addresses?
A: Yes, according to Let's Encrypt, IP address certificates must be short-lived certs, valid for only about six days. This is a policy requirement.

Q: Can I test this now?
A: Yes, IP certificates are available in Let's Encrypt's staging environment for testing purposes.