Let’s Encrypt Launches IP-Only Certificates: Secure Your IP Address Without a Domain
Let’s Encrypt has officially begun issuing certificates for IP addresses. The inaugural certificate of this kind was issued on July 1, 2025—nearly a decade after the service’s initial launch. Although the new feature was announced in January, it is now being gradually rolled out to all users.
Unlike traditional certificates, which are issued for domain names, the new certificates validate specific IP addresses—such as 54.215.62.21 (IPv4) or 2600:1f1c:446:4900::65 (IPv6). While the majority of internet services rely on domain-based authentication, there are specific scenarios in which IP certificates prove useful. These include securing infrastructure services like DNS over HTTPS, enabling safe remote access to personal devices, and safeguarding cloud-based connections between ephemeral servers.
Previously, this capability was offered only by a select few certificate authorities. Let’s Encrypt chose a more measured approach, waiting for broader support of short-lived certificates and new ACME protocol policies. Now, IP address certificates can be obtained using ACME clients that support draft ACME Profiles and have the shortlived profile enabled. These certificates are valid for just six days and must be validated through either the http-01 or tls-alpn-01 challenge methods.
Developers note that issuing IP-based certificates presents certain limitations. IP addresses—particularly for home users—tend to be dynamic, making it difficult to establish clear ownership. Furthermore, a single IP address may host multiple websites, meaning that direct connections may not function as intended.
Nonetheless, this feature could be particularly beneficial for hosting providers seeking to eliminate browser errors when users access services directly via IP, as well as for those who, for various reasons, opt not to use domain names. Let’s Encrypt emphasizes, however, that the majority of users will likely continue relying on domain-based certificates.
At present, IP certificate issuance is available only in the Staging environment. Full production deployment is scheduled for late 2025, at which point access will gradually expand beyond a limited group of early partners.
