Let's Encrypt Launches General Availability of "IP Address Certificates" and "Short-lived (approx. 6 days/160 hours) Certificates"! What's Changing?
On January 15, 2026, major news regarding internet security broke. Let's Encrypt, the service that issues SSL certificates for free, has officially launched two new features.
Many people might be thinking, "Certificates? What are those?" or "IP addresses? I've heard of them, but..." In this article, we will explain the details of this news and why it is such a significant development in an easy-to-understand way.
What is an "SSL Certificate" anyway?
First, let's start with the basics.
When you visit a website, you might notice "https://" in the browser's address bar or a padlock icon. These are signs that "this site can communicate securely."
To achieve this secure communication, an "SSL certificate" (more accurately called a TLS certificate) is required.
Think of it as an ID card
An SSL certificate is like an "identification card" for a website.
For example, when you enter a company office, you might show an ID card to confirm, "Are you really an employee of this company?" (In reality, you might tap a key card more often than showing it). Similarly, a website uses an SSL certificate to prove, "I am the real example.com."
If this certificate didn't exist, malicious actors could lie and say, "This is a real bank site," and steal your passwords. That would be scary, wouldn't it?
What is Let's Encrypt?
Let's Encrypt is a service that issues SSL certificates for free.
In the past, obtaining an SSL certificate cost money—sometimes ranging from several thousand to tens of thousands of yen per year. Because of this, many personal blogs and small company sites were unable to support "https."
Thanks to the emergence of Let's Encrypt, anyone can now obtain an SSL certificate for free, and today, almost all sites on the internet support "https."
New Feature #1: ~6-Day "Short-Lived Certificates"
Now, let's get to the main topic of this news.
Conventional certificates were valid for 90 days
Until now, Let's Encrypt certificates were valid for 90 days from the date of issuance. Once 90 days passed, they would become invalid, so it was necessary to obtain a new certificate before then.
New certificates last only about 6 days
The newly introduced feature is a short-lived certificate with a validity period of 160 hours (just over 6 days). You might think, "Wait, isn't that too short? That sounds like a hassle..."
Actually, there is a huge benefit to this "shortness."
Why is shorter better?
Certificates involve important data called a "private key." This is like a password; if it is leaked to others, it can lead to serious trouble.
What happens if a private key is stolen by a malicious person?
- With a 90-day certificate: It could potentially be misused for up to 90 days.
- With a ~6-day (160-hour) certificate: It will become useless in about 6 days at the latest.
In short, the shorter the validity period of a certificate, the more you can minimize the damage in the event of an emergency.
The problem with "Revocation" mechanisms not working well
You might think, "But if it's stolen, can't we just 'revoke' the certificate?"
In fact, there is a mechanism called "revocation." It is a function to declare, "Please do not use this certificate anymore."
However, in reality, this revocation mechanism often does not work well. The main reasons are as follows:
- CRL (Certificate Revocation List) issues: This is a system for distributing a list of revoked certificates, but as the list grows, it takes time to download, and browsers may skip the check.
- OCSP "Soft-fail" issues: OCSP (Online Certificate Status Protocol) is a system to check if a certificate is valid in real-time, but many browsers will continue communication without an error if they cannot connect to the verification server (this is called a "soft-fail").
- Privacy concerns: Using OCSP allows the verification server to know which sites a user is visiting, so some browsers do not actively check it from a privacy protection perspective.
For these reasons, the reality is that certificate revocation checks are "unreliable."
That is why the method of making the validity period short from the beginning is effective. Since it automatically becomes unusable after 6 days, safety can be maintained without relying on revocation mechanisms.
New Feature #2: Certificates for IP Addresses
The other new feature is "Certificates for IP addresses."
The difference between Domain Names and IP Addresses
Websites have two types of "addresses": "Domain Names" and "IP Addresses."
- Domain Name: A human-readable name like www.example.com.
- IP Address: A computer's address represented by numbers, such as 192.168.1.1.
Usually, you see the domain name. But in reality, computers communicate with each other internally using IP addresses.
Previously, a domain name was required
Until now, Let's Encrypt could only issue certificates for domain names.
While you could create a certificate saying "www.example.com is a safe site," you couldn't create one saying "192.168.1.1 is a safe server."
Enabling secure communication using only an IP address
With this update, it is now possible to issue certificates for IP addresses.
This allows for secure encrypted communication using only an IP address, even if you don't have a domain name.
When is this useful?
IP address certificates can be used on servers with public IP addresses reachable from the internet. This is because when Let's Encrypt issues a certificate, it needs to connect to that IP address to verify that you control the server.
Note that HTTP-01 or TLS-ALPN-01 methods are used for IP address validation (DNS-01, which is available for domain names, cannot be used).
Specifically, it is useful in situations such as:
- Public servers where you don't want to set up a domain: Temporary verification VMs, services published for a short period, etc.
- Home servers (Home Labs): When you want to enable HTTPS for an environment accessed directly via a public IP.
- Devices exposed to the internet for a short time: Campaign sites for a limited time, test releases, etc.
It's a hassle to go through the trouble of preparing a domain name just for a quick test. Being able to get a certificate as long as you have a public IP address is very convenient for developers.
Note that this certificate cannot be used in closed internal networks with private IP addresses (such as 192.168.x.x or 10.x.x.x) because Let's Encrypt cannot perform the connection check.
IP address certificates are always short-lived
By the way, certificates for IP addresses are always issued as short-lived certificates of 160 hours (just over 6 days). This is because, unlike domain names, IP address assignments and users can change. Safety is ensured by performing more frequent checks to confirm control.
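The rules in this section can be checked before an order is ever sent. The following is an added example, not code from Let's Encrypt or any ACME client: it rejects addresses the CA cannot reach, lists the challenge types usable for each identifier, and builds the order payload. The function names are hypothetical; the "ip" identifier type comes from RFC 8738, the "profile" field from the ACME profiles extension draft, and "shortlived" is the profile name this article gives.

```python
import ipaddress

# Challenge types per identifier kind, as the article states them
# (non-wildcard DNS names; DNS-01 is not available for IP identifiers).
CHALLENGES = {
    "dns": ["dns-01", "http-01", "tls-alpn-01"],
    "ip": ["http-01", "tls-alpn-01"],
}

def classify(identifier):
    """Return ("ip", canonical address) or ("dns", lowercased name)."""
    try:
        addr = ipaddress.ip_address(identifier)
    except ValueError:
        return "dns", identifier.lower().rstrip(".")
    # Private, loopback, link-local and similar ranges are unreachable for the CA.
    if not addr.is_global:
        raise ValueError(f"{addr} is not publicly routable, so it cannot be validated")
    return "ip", str(addr)

def plan_order(identifiers, profile="shortlived"):
    """Build a newOrder payload plus the challenge types usable per identifier."""
    ids, usable = [], {}
    for raw in identifiers:
        kind, value = classify(raw)
        ids.append({"type": kind, "value": value})
        usable[value] = CHALLENGES[kind]
    # The article: IP address certificates are always issued short-lived.
    if profile != "shortlived" and any(i["type"] == "ip" for i in ids):
        raise ValueError("IP identifiers require the shortlived profile")
    return {"identifiers": ids, "profile": profile}, usable

if __name__ == "__main__":
    # Constructed sample input: a name, a public address, and the article's 192.168.1.1.
    print(plan_order(["www.example.com", "8.8.8.8"]))
    try:
        plan_order(["192.168.1.1"])
    except ValueError as err:
        print("rejected:", err)
```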
What are the benefits of this update?
Let's summarize the benefits of this update based on what we've covered so far.
Benefit 1: Even stronger security
By using 6-day short-lived certificates, damage can be minimized even if a private key is stolen. It is a simple solution to the long-standing problem of "revocation not working well."
Benefit 2: Secure communication without a domain name
With IP address certificates, servers without domain names can now use officially recognized certificates. This makes development and testing much easier.
Benefit 3: Everything is free
These new features can be used completely free of charge, just like before. Being able to use the latest security technology without spending money is much appreciated.
Benefit 4: More choices
The traditional 90-day certificates are still available. If you want to use short-lived certificates, you can obtain them by selecting the shortlived profile in the ACME protocol.
Note: Due to the short validity period of 160 hours, automatic renewal by an ACME client such as Certbot is a prerequisite for actual operation. An ACME client is a tool that automatically obtains and renews certificates from certificate authorities like Let's Encrypt (ACME stands for "Automatic Certificate Management Environment"). If you already have an environment with automatic renewal, switching to short-lived certificates should be smooth.
Also, to use short-lived or IP address certificates, your ACME client must support these new features. We recommend updating to the latest version before use.
Furthermore, Let's Encrypt has announced plans to shorten the default expiration date from 90 days to 45 days by 2028. It seems the trend is toward even shorter certificate validity periods to improve security.
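Because renewal automation becomes a hard dependency, monitoring has to follow the shorter lifetimes as well. The sketch below is an added example, not code from any ACME client: it contrasts a fixed days-before-expiry rule with a rule based on the fraction of lifetime elapsed, which works unchanged for 90-day, 45-day and 160-hour certificates. The 30-day, 0.5 and 0.8 thresholds and the inventory are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

def fixed_rule(not_after, now, days_before=30):
    """Fixed-threshold rule: due when fewer than `days_before` days remain."""
    return not_after - now < timedelta(days=days_before)

def proportional_status(not_before, not_after, now, renew_at=0.5, alarm_at=0.8):
    """Classify by fraction of lifetime elapsed, independent of validity period."""
    if now >= not_after:
        return "expired"
    elapsed = (now - not_before) / (not_after - not_before)
    if elapsed >= alarm_at:
        return "alarm"   # renewal should already have happened: automation is failing
    if elapsed >= renew_at:
        return "renew"
    return "ok"

def audit(inventory, now):
    """Map certificate name -> (fixed rule says due?, proportional status)."""
    return {
        name: (fixed_rule(na, now), proportional_status(nb, na, now))
        for name, nb, na in inventory
    }

# Constructed inventory: (name, notBefore, notAfter) relative to a fixed "now".
NOW = datetime(2026, 2, 1, tzinfo=timezone.utc)

def _cert(name, age_hours, lifetime_hours):
    not_before = NOW - timedelta(hours=age_hours)
    return name, not_before, not_before + timedelta(hours=lifetime_hours)

INVENTORY = [
    _cert("classic-90d", 12 * 24, 90 * 24),  # 12 days into a 90-day certificate
    _cert("short-fresh", 10, 160),           # 10 hours into a 160-hour certificate
    _cert("short-mid", 90, 160),
    _cert("short-stale", 140, 160),          # renewal has evidently been failing
]

if __name__ == "__main__":
    for name, result in audit(INVENTORY, NOW).items():
        print(name, result)
```

The fixed rule reports every 160-hour certificate as due from the moment it is issued, so it can neither schedule renewals nor distinguish a healthy certificate from one whose renewal job has stopped.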
Summary
We have explained the "6-day short-lived certificates" and "certificates for IP addresses" newly offered by Let's Encrypt.
Let's review the key points:
- An SSL certificate is like an "ID card" for a website.
- Let's Encrypt is a service that issues certificates for free.
- 6-day certificates have a short validity period, so damage can be minimized in an emergency.
- IP address certificates allow for secure communication even without a domain name.
- Both new features are available for free.
Efforts to make the internet safer are evolving every day. The next time you see a padlock icon in your browser, remember, "Ah, the certificate is doing its job."