Exciting Announcements from Let’s Encrypt: Six-Day and IP Address Certificates Coming in 2025!

January 16, 2025 • By Josh Aas

In 2025, Let’s Encrypt is rolling out new features to enhance the security of the Web PKI. We are introducing certificates with six-day lifetimes (“short-lived certificates”) and adding support for IP addresses in addition to domain names. Our existing 90-day certificates will still be available alongside the new six-day option. Subscribers can opt in to short-lived certificates via a new certificate profile mechanism in our ACME API.

Why Shorter Certificate Lifetimes Are Better for Security

When a certificate’s private key is compromised, the ideal solution is to revoke the certificate, but revocation doesn’t always work effectively. This can lead to the continued use of compromised certificates until they expire. Short-lived certificates significantly reduce this risk by expiring quickly, which minimizes the potential compromise window. As a result, the need for certificate revocation is decreased.

Our six-day certificates won’t include OCSP or CRL URLs and will require automation for issuance, which is crucial for maintaining security.

Introducing IP Address Support

Let’s Encrypt will now support IP addresses as Subject Alternative Names in our six-day certificates. This means you can secure services accessible via IP address with publicly trusted certificates, without needing a domain name. Validation for IP addresses will function similarly to domain name validation, using http-01 and tls-alpn-01 challenges. Note that the dns-01 challenge won’t be available, as DNS isn’t involved in IP address validation. Additionally, there’s no mechanism to check CAA records for IP addresses.

Timeline for Implementation

  • February 2025: First valid short-lived certificates issued internally.
  • April 2025: Early adoption of short-lived certificates for select subscribers.
  • End of 2025: General availability of short-lived certificates.

Initially, short-lived certificates may not support IP addresses, but we aim to enable IP address support by the time these certificates become widely available.

How to Obtain Six-Day and IP Address Certificates

To opt for short-lived certificates, you’ll need an ACME client that supports ACME certificate profiles. The specific short-lived certificate profile will be announced later. For IP address certificates, simply request an IP address, and the appropriate short-lived certificate profile will be automatically selected.
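The challenge restrictions for IP addresses and the automatic selection of the short-lived profile can be checked before an order is sent. The following pre-flight check is an added example, not code from Let’s Encrypt or any ACME client; the function names, the `want_short_lived` parameter, and the domain-name challenge set are assumptions, and the `ip` identifier type is the one defined for ACME in RFC 8738.

```python
import ipaddress

# Challenge types per identifier kind. The "ip" row follows the announcement
# (http-01 and tls-alpn-01 only); the "dns" row is the assumed usual ACME set.
ALLOWED = {
    "dns": ("http-01", "dns-01", "tls-alpn-01"),
    "ip": ("http-01", "tls-alpn-01"),
}

def classify(name):
    """Return an ACME identifier dict: {'type': 'ip' | 'dns', 'value': ...}."""
    candidate = name.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]  # tolerate URL-style [IPv6] literals
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        # Networks (a.b.c.d/nn) and host:port strings are not identifiers.
        if "/" in candidate or ":" in candidate:
            raise ValueError(f"not a single host or address: {name!r}")
        return {"type": "dns", "value": candidate.lower().rstrip(".")}
    return {"type": "ip", "value": addr.compressed}

def plan_order(names, challenge, want_short_lived=False):
    """Validate a planned order locally before it is submitted to the CA."""
    identifiers = [classify(n) for n in names]
    rejected = [i["value"] for i in identifiers
                if challenge not in ALLOWED[i["type"]]]
    if rejected:
        raise ValueError(f"{challenge} cannot validate: {', '.join(rejected)}")
    has_ip = any(i["type"] == "ip" for i in identifiers)
    short_lived = want_short_lived or has_ip  # IP identifiers imply six-day
    return {
        "identifiers": identifiers,
        "short_lived": short_lived,
        # Six-day certificates carry no OCSP or CRL URLs, so a stalled
        # renewal job is noticed only when the certificate expires.
        "needs_automated_renewal": short_lived,
    }
```

Run against the list of names a host is expected to serve, it shows which orders will end up on six-day certificates and therefore which hosts need renewal monitoring in place first.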

Preparing for the Future

Ensure your ACME client is set to renew certificates automatically to seamlessly transition to short-lived certificates. If you have any questions or feedback about these changes, please join our community forums to share your thoughts.

Stay tuned for more updates and prepare to enhance your web security with Let’s Encrypt’s new offerings in 2025! 🚀
