MJJ's Blog

VPS / cheap boxes / dedicated servers / big-disk boxes / idle hardware / heirloom plans: sharing resources and techniques of all kinds!

Let's Encrypt is expected to launch IP certificates in 2025.

Original: https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/

Announcing Six-Day and IP Address Certificate Options in 2025

January 16, 2025 • Josh Aas

This year we will continue to pursue our commitment to improving the security of the Web PKI by introducing the option to obtain certificates with a six-day lifetime ("short-lived certificates"). We will also add support for IP addresses in addition to domain names. Our longer-lived certificates, which currently have a 90-day lifetime, will remain available alongside the six-day option. Subscribers will be able to opt in to short-lived certificates through a certificate profile mechanism being added to our ACME API.

Shorter Certificate Lifetimes Are Good for Security

When the private key associated with a certificate is compromised, the recommendation has always been to revoke the certificate so that relying parties know not to trust it. Unfortunately, certificate revocation does not work very well in practice: many clients never check revocation status, or fail open when the check does not complete. This means that certificates with compromised keys (or other problems) may continue to be accepted until they expire. The longer the certificate's lifetime, the longer a problematic certificate remains usable.

The primary advantage of short-lived certificates is that they greatly reduce the potential compromise window, because they expire after a few days. This reduces the need for certificate revocation, which has historically been unreliable. Our six-day certificates will not include OCSP or CRL URLs, so for these certificates expiry, not revocation, is the mechanism that retires a compromised key. Additionally, short-lived certificates practically require automation, and we believe that automating certificate issuance is important for security.

IP Address Support Improves Security for More Use Cases

We will support IP addresses as Subject Alternative Names in our six-day certificates. This makes it possible to establish a TLS connection, using a publicly trusted certificate, to a service that is reached by IP address and has no domain name.

Validation for IP addresses will work similarly to validation for domain names, but only the http-01 and tls-alpn-01 challenge types will be offered. The dns-01 challenge type will not be available, because the DNS is not involved in validating an IP address. Additionally, there is no mechanism to check CAA records for IP addresses: CAA records are published in the DNS under a domain name, so there is nothing to consult for a bare IP.

Timeline

We expect to issue the first valid short-lived certificates to ourselves in February 2025. Around April we will enable short-lived certificates for a small set of early-adopting subscribers. We hope to make short-lived certificates generally available by the end of 2025.

The earliest short-lived certificates we issue may not support IP addresses, but we intend to enable IP address support by the time short-lived certificates are generally available.

How to Obtain Six-Day and IP Address Certificates

Once short-lived certificates are an option for you, you will need to use an ACME client that supports ACME certificate profiles and select the short-lived certificate profile (the name of which will be published at a later date).

Once IP address support is an option for you, requesting an IP address in a certificate will automatically select the short-lived certificate profile.
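The two mechanisms described above, profile selection via the ACME directory and the handling of IP identifiers, can be modelled on the client side in a few functions. The following is an added example and is not code from Let's Encrypt or from any ACME client. It assumes the `meta.profiles` directory field and the `profile` field in newOrder from the ACME profiles draft, and the `ip` identifier type from RFC 8738. The directory document is constructed, and the profile names `classic` and `shortlived` are hypothetical placeholders, since the announcement says the real name will be published later.

```python
"""Client-side ACME order construction with certificate profiles and IP
identifiers.  Added example; constructed inputs and hypothetical profile names."""
import ipaddress
import json

# Constructed directory response.  `meta.profiles` is the map the profiles
# draft adds; the two profile names here are placeholders, not real ones.
SAMPLE_DIRECTORY = json.dumps({
    "newNonce": "https://acme.example/acme/new-nonce",
    "newAccount": "https://acme.example/acme/new-acct",
    "newOrder": "https://acme.example/acme/new-order",
    "meta": {
        "termsOfService": "https://acme.example/tos",
        "profiles": {
            "classic": "90-day certificate with OCSP and CRL URLs",
            "shortlived": "6-day certificate, no revocation URLs, IP SANs allowed",
        },
    },
})

# Hypothetical name of the profile that issues six-day certificates.
SHORT_LIVED_PROFILE = "shortlived"


def advertised_profiles(directory_json):
    """Return the name -> description map from `meta.profiles`.

    Servers that predate the profiles draft omit the field, so an empty map
    means the CA offers no profile selection at all."""
    directory = json.loads(directory_json)
    return directory.get("meta", {}).get("profiles", {})


def classify_identifier(value):
    """Build an ACME identifier object for a requested name.

    Anything that parses as an IPv4 or IPv6 address becomes type `ip`
    (RFC 8738), in canonical textual form so that "2001:DB8::1" and
    "2001:db8:0:0::1" yield the same identifier.  Everything else is a
    `dns` identifier (RFC 8555); DNS names are case-insensitive."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return {"type": "dns", "value": value.lower()}
    return {"type": "ip", "value": str(addr)}


def allowed_challenges(identifier):
    """Challenge types a client can expect for an identifier.

    The DNS is not involved in validating an IP address, so dns-01 is never
    available for `ip` identifiers (and there is no CAA record to consult)."""
    if identifier["type"] == "ip":
        return ["http-01", "tls-alpn-01"]
    return ["http-01", "tls-alpn-01", "dns-01"]


def build_new_order(values, directory_json, profile=None):
    """Return the JSON payload for a newOrder request.

    If any identifier is an IP address, the short-lived profile is selected
    automatically, as the announcement describes.  An explicitly requested
    profile must be one the CA advertises; the server would reject anything
    else, so fail on the client side before spending a nonce on it."""
    identifiers = [classify_identifier(v) for v in values]
    profiles = advertised_profiles(directory_json)
    wants_ip = any(i["type"] == "ip" for i in identifiers)

    if wants_ip:
        if profile not in (None, SHORT_LIVED_PROFILE):
            raise ValueError("IP identifiers are only issued under the short-lived profile")
        profile = SHORT_LIVED_PROFILE

    payload = {"identifiers": identifiers}
    if profile is not None:
        if profile not in profiles:
            raise ValueError(
                f"CA does not offer profile {profile!r}; offered: {sorted(profiles)}")
        payload["profile"] = profile
    return payload


if __name__ == "__main__":
    order = build_new_order(["example.com", "203.0.113.7"], SAMPLE_DIRECTORY)
    print(json.dumps(order, indent=2))
    for ident in order["identifiers"]:
        print(ident["value"], "->", allowed_challenges(ident))
```

Mixing a DNS name and an IP address in one order forces the whole certificate onto the short-lived profile, which is the behaviour a client should expect once IP support ships; a client that wants a 90-day certificate for the domain name must order it separately.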

Looking Ahead

The best way to prepare to take advantage of short-lived certificates is to make sure your ACME client is already renewing certificates reliably and automatically. With a six-day lifetime there are only a few days between a normal renewal point and expiry, so a renewal job that runs less than daily, or that fails without anyone noticing, leaves very little margin. If automated renewal is working well, switching to short-lived certificates should cost nothing.

If you have any questions or comments about our plans, please feel free to let us know on our community forum.
