acme4jJun 25, 2025
cpu

IP address certificate subjects are coming to Let's Encrypt SOON™: https://community.letsencrypt.org/t/getting-ready-to-issue-ip-address-certificates/

The groundwork for this was started ~2020 so it's extremely cool to see it coming to fruition !

Getting ready to issue IP address certificates

Is there anything public available on which IPs will be able to get certs? I mean, obviously private/reserved ranges won't be available, but how about all those "cloud" services that rent IPs by the hour (or second)? Is it expected to be "normal" that someone could release an IP back into a pool and yet still have a valid certificate for almost-a-week, or will Let's Encrypt certificates only be available for IPs that are slightly less ephemeral?

Let's Encrypt Community Support
Jun 25, 2025 at 3:59pmWeb
Show threadKarl AuerbachJun 25, 2025
@cpu I am not familiar with that form of certificate. Is there an explainer somewhere?
Show threadcpuJun 28, 2025

@karlauerbach I'm not aware of a high-level explainer but it's just a certificate with a Subject Alternate Name (SAN) ext. value with type "iPAddress" instead of "dNSName".

The ACME bits are specified in https://www.rfc-editor.org/rfc/rfc8738 and the SAN bits are in https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.6

RFC 8738: Automated Certificate Management Environment (ACME) IP Identifier Validation Extension

This document specifies identifiers and challenges required to enable the Automated Certificate Management Environment (ACME) to issue certificates for IP addresses.

Show threadKarl AuerbachJun 28, 2025
@cpu Thanks for the pointers!