Getting ready to issue IP address certificates

mcpherrinm · June 26, 2025, 12:36am

We have not made final determination on what IPs we may want to block as being high risk. But they will be generally available.

aral · June 26, 2025, 3:12pm

Happy to see the progress on this.

Thought you might be interested in seeing how important this feature is going to be for the Small Web:

It’s going to be invaluable for helping decentralise the web.

Thank you for the work you do

MikeMcQ · July 2, 2025, 11:29am

A post was split to a new topic: Cert using tls-alpn fails for shortlived IP address identifier

Sparrow · July 13, 2025, 10:18pm

Hey, thanks for the 6-day cert.

Are there any existing websites which allow for querying the full SSL Cert details apart from CRT.sh

My ISP only allows connection to IP4 but I did manage to retrieve some info. Just double-checking how accurate it is.

Issued On:
July 13, 2025 at 11:49:44 UTC

Expires On:
July 20, 2025 at 03:49:43 UTC

Common Name:
[2602:ff3a:1:abad:c0f:fee:abad:cafe]

Subject Alternative Names:
DNS:2602.ff3a.0001.abad.0c0f.0fee.abad.cafe
DNS:2602.ff3a.1.abad.c0f.fee.abad.cafe
DNS:abad.cafe
DNS:www.abad.cafe
IP Address:2602:FF3A:1:ABAD:C0F:FEE:ABAD:CAFE

Issuer:
Let's Encrypt

Serial Number:
063E185B8B39AE9E4D75CF42D0B55E8E8516

Signature Algorithm:
Unknown

Key Algorithm:
RSA 2048

webprofusion · July 14, 2025, 3:20am

From your profile it looks like you are implementing a CT log monitoring UI. Censys offer a paid API for that I believe, if you need something with some kind of SLA. Alternatively you would query the CT logs individually via your own system for domains of interest.

petercooperjr · July 14, 2025, 11:23am

There's a community wiki post here listing some systems that aggregate and search through CT logs:

It may be a bit out-of-date; feel free to update it if there's something that can be improved.

Sparrow · July 14, 2025, 8:39pm

Thanks Peter - that's a useful matrix. I'll certainly add if I have anything valuable to include.

Sparrow · July 14, 2025, 8:42pm

I did consider that for my app and reviewed some API integration but it was just too much fun building something bespoke. I might revisit depending on requirements.

xstasy · July 15, 2025, 3:11pm

Any update on progress towards implementing this on production?

JamesLE · July 15, 2025, 5:17pm

We don't yet have a timeline. We'll make an announcement as soon as any news is available.

elijahlynn · July 22, 2025, 3:51pm

Found the actual standard for this: RFC 8738 - Automated Certificate Management Environment (ACME) IP Identifier Validation Extension

Thanks to the small-web article above.

system · August 21, 2025, 3:51pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Questions regarding "Announcing Six Day and IP Address Certificate Options in 2025" Help	50	2085	March 12, 2025
When will Let's Encrypt's IP certificates be officially launched? Feature Requests	102	6417	December 24, 2025
Subject Alternative Name (SAN) : field type ipAddress (IP in a CSR) Issuance Policy	24	24746	September 2, 2017
Certificate for public IP without domain name Issuance Tech	85	248487	September 20, 2018
IP Address certs and anycast Issuance Tech	17	718	November 15, 2025

Getting ready to issue IP address certificates

Related topics