Let's Encrypt issues first IP certificate
Last week, the Let's Encrypt project issued the first certificate for an IP address.
The Let's Encrypt project issued its first IP certificate last week. The project wants to gain experience with them before general availability follows later in the year.
Let's Encrypt announced this in an article. Only a few services have offered IP certificates so far; Let's Encrypt will even offer them free of charge. However, the project imposes one restriction on IP certificates.
Why IP certificates?
Normally, visitors reach a website via its domain name, which is much easier to remember than an IP address. Nevertheless, there are some scenarios in which access by IP address is useful, and the technical and policy standards for certificates allow them to be issued for IP addresses. Let's Encrypt gives a few examples of where it sees a sensible use for IP certificates. One is the default page of a hosting provider, shown when someone calls up the IP address of the server instead of the individual site name; this has so far led to an error message in the browser.
IP certificates are also useful when a website has no domain name. Another scenario is securing DNS over HTTPS (DoH) or other infrastructure services. They can also be used to secure remote access to devices at home, such as NAS servers or IoT devices, even without a domain name. Finally, they can be used to secure temporary connections within cloud hosting infrastructure.
As a restriction, Let's Encrypt specifies that only the newly introduced 6-day certificates may be used for IP certificates. These short-lived certificates are intended to limit possible misuse. However, this means that the Let's Encrypt client apps must be prepared for it: they must support the draft ACME profile specification and be configured to request the "shortlived" profile. Of course, the DNS challenge method cannot be used to prove control over an IP address; this is only possible with the "http-01" and "tls-alpn-01" methods.
The IP certificates are currently available for testing in the "staging" environment. If the short-lived 6-day certificates become generally available, the IP certificates will follow at the same time. Let's Encrypt does not give an exact timetable, but refers to "later in 2025".
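The restriction described above can be checked before an order ever reaches the CA. The following is an added example, not code from Let's Encrypt or from the article: a pre-flight check that builds an ACME new-order payload and rejects IP requests that do not use the "shortlived" profile or an allowed challenge. It assumes the "ip" identifier type from RFC 8738, the "profile" order field from the draft ACME profiles specification, and one challenge type configured per request; `classify`, `plan_order` and the profile name "other-profile" are hypothetical.

```python
import ipaddress
import json

# Values quoted in the article.
IP_PROFILE = "shortlived"
IP_CHALLENGES = {"http-01", "tls-alpn-01"}


def classify(name):
    """Map a requested name to an ACME identifier object.

    Assumption: IP literals use the "ip" identifier type from RFC 8738.
    """
    try:
        ip = ipaddress.ip_address(name.strip("[]"))
    except ValueError:
        return {"type": "dns", "value": name.lower().rstrip(".")}
    return {"type": "ip", "value": ip.compressed}


def plan_order(names, profile, challenge):
    """Return (newOrder payload or None, list of problems)."""
    identifiers = [classify(n) for n in names]
    ips = [i["value"] for i in identifiers if i["type"] == "ip"]
    problems = []
    if ips and profile != IP_PROFILE:
        problems.append(f"{ips}: IP identifiers need profile {IP_PROFILE!r}, got {profile!r}")
    if ips and challenge not in IP_CHALLENGES:
        problems.append(f"{ips}: {challenge!r} cannot validate an IP; use one of {sorted(IP_CHALLENGES)}")
    if problems:
        return None, problems
    # Assumption: "profile" is the newOrder field from the draft ACME profiles spec.
    return {"identifiers": identifiers, "profile": profile}, problems


if __name__ == "__main__":
    # Constructed inputs: documentation-range addresses and a reserved example domain.
    for names, profile, challenge in [
        (["203.0.113.10", "[2001:0DB8::1]"], "shortlived", "tls-alpn-01"),
        (["203.0.113.10", "example.org"], "other-profile", "dns-01"),
    ]:
        payload, problems = plan_order(names, profile, challenge)
        print(json.dumps(payload) if payload else "\n".join(problems))
```

Orders that contain only DNS names pass through unchanged, since the article's restriction applies to IP identifiers only.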
(dmk)