Let\u2019s Encrypt has made 6-day IP-based TLS certificates Generally Available
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Let\u2019s Encrypt, a key provider of free TLS certificates, has rolled out short-lived and IP address-based certificates for general use. These new options became available starting in early 2026, addressing long-standing issues in certificate security.<\/p>\n
Short-lived certificates last just 160 hours, about six and a half days, while IP-based ones tie directly to IP addresses instead of domain names. Users activate them by choosing the \u201cshort-lived\u201d profile in their ACME client.<\/p>\n
This move comes as organizations push for stronger TLS protections amid rising key compromises and supply chain attacks<\/a>. Let\u2019s Encrypt announced the general availability in a blog post, building on beta tests from late 2025.<\/p>\n Traditional TLS certificates last up to 90 days, creating wide windows for damage if private keys leak. Attackers can exploit stolen keys until revocation kicks in or the certificate expires.<\/p>\n But revocation systems, like CRLs and OCSP<\/a>, often fail many clients ignore them due to latency or misconfiguration. Short-lived certificates cut this risk sharply.<\/p>\n By forcing renewal every six days, they demand fresh validation against the certificate authority (CA). This reduces reliance on flaky revocation. If a key compromises, the certificate dies fast, limiting exposure to hours, not weeks.<\/p>\n Let\u2019s Encrypt emphasizes that this is an opt-in feature only. Automated setups renew effortlessly via ACME, but manual users may prefer to keep longer lifetimes for now.<\/p>\n The team plans to halve default lifetimes to 45 days over the next few years, as outlined in their December 2025 update<\/a>. This gradual shift encourages automation without disruption. Early adopters report smooth operations, proving short-lived certs scale for production.<\/p>\n IP-based certificates let servers authenticate TLS over raw IP addresses, supporting both IPv4 and IPv6. Unlike domain certs, which use DNS validation, these bind to specific IPs via IP address validation methods. Let\u2019s Encrypt mandates<\/a> they be short-lived, recognizing IPs change often think dynamic cloud instances or mobile networks.<\/p>\n Use cases include legacy systems without domains, containerized apps on private nets, and quick TLS for test environments. Validation happens via ACME challenges proving control of the IP, often through direct connection. Let\u2019s Encrypt issued its first IP cert in July 2025, validating the approach.<\/p>\n Security experts praise this for closing gaps in hybrid networks. Firewalls and load balancers can now secure IP-only traffic without workarounds like self-signed certs.<\/p>\n For threat hunters and SecOps, these certs mean tighter key rotation and less revocation chasing. Integrate them into CI\/CD pipelines <\/a>for zero-trust setups. Monitor via tools like Certificate Transparency logs to spot anomalies early.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Let\u2019s Encrypt has made 6-day IP-based TLS certificates Generally Available<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nShort-Lived Certificates Boost Security<\/strong><\/h2>\n
IP Address Certificates Fill a Key Gap<\/strong><\/h2>\n