Let’s Encrypt has made 6-day IP-based TLS certificates Generally

Let’s Encrypt, a key provider of free TLS certificates, has rolled out short-lived and IP address-based certificates for general use. These new options, which became available starting in early 2026, aim to address long-standing issues in certificate security.

Short-lived certificates last just 160 hours, about six and a half days, while IP-based ones tie directly to IP addresses instead of domain names. Users activate them by choosing the “short-lived” profile in their ACME client.

This move comes as organizations push for stronger TLS protections amid rising key compromises and supply chain attacks. Let’s Encrypt announced the general availability in a blog post, building on beta tests from late 2025.

Short-Lived Certificates Boost Security

Traditional TLS certificates last up to 90 days, creating wide windows for damage if private keys leak. Attackers can exploit stolen keys until revocation kicks in or the certificate expires.

But revocation systems, like CRLs and OCSP, often fail many clients ignore them due to latency or misconfiguration. Short-lived certificates cut this risk sharply.

By forcing renewal every six days, they demand fresh validation against the certificate authority (CA). This reduces reliance on flaky revocation. If a key compromises, the certificate dies fast, limiting exposure to hours, not weeks.

Let’s Encrypt emphasizes that this is an opt-in feature only. Automated setups renew effortlessly via ACME, but manual users may prefer to keep longer lifetimes for now.

The team plans to halve default lifetimes to 45 days over the next few years, as outlined in their December 2025 update. This gradual shift encourages automation without disruption. Early adopters report smooth operations, proving short-lived certs scale for production.

IP Address Certificates Fill a Key Gap

IP-based certificates let servers authenticate TLS over raw IP addresses, supporting both IPv4 and IPv6. Unlike domain certs, which use DNS validation, these bind to specific IPs via IP address validation methods. Let’s Encrypt mandates they be short-lived, recognizing IPs change often think dynamic cloud instances or mobile networks.

Use cases include legacy systems without domains, containerized apps on private nets, and quick TLS for test environments. Validation happens via ACME challenges proving control of the IP, often through direct connection. Let’s Encrypt issued its first IP cert in July 2025, validating the approach.

Security experts praise this for closing gaps in hybrid networks. Firewalls and load balancers can now secure IP-only traffic without workarounds like self-signed certs.

For threat hunters and SecOps, these certs mean tighter key rotation and less revocation chasing. Integrate them into CI/CD pipelines for zero-trust setups. Monitor via tools like Certificate Transparency logs to spot anomalies early.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.