IP Address SSL Creation

Short-lived certs (7 days or something like that) would perhaps be a good idea for this issue, specifically for IP address certs. You'd probably want to keep those certs separate from the "regular" certs.

But these are probably things LE has considered or is also considering.

2 Likes

Besides short-lived TLS certs, perhaps a resident validation file is an easier way to reduce the impact.

For example, Let's Encrypt issues a certificate for 1.1.1.1 and asks its owner to keep a port 80 challenge file inside .well-known/pki-validation/; if the challenge agent bot finds it gone, and gone for 24 hours, it revokes the certificate.

If the iPAddress's former owner lost ownership, he can't validate HTTP-01 for it anymore.

I don't know why Google can figure out a stupid way to ask the AS owner to verify an iPAddress.

That's quite a hassle for the CA. And such long-lived validation files are not mandated in the BR.

3 Likes

That's still a very long time. I don't know what the right compromise is.

1 Like

When we do IP certs, they'll probably be 7-day certs only. (Which is one of the blockers for doing IP certs, as we don't have short-lived certs yet.)

7 Likes

Yes, it's quite a conundrum.

ZeroSSL can do free IP certificates with caveats:

  1. No IPv6 "yet" (last time I checked)

  2. Not available via their ACME platform, must use the website or their proprietary API

  3. There's a limit of 3 free 3-month certificates per ZeroSSL account, so you have to create a new account every 6-9 months depending on whether you renew your certificates at 2 months or run them down to the last day.

Can be useful for secure DNS servers; otherwise you can have a chicken-and-egg problem where the client can't do DNS lookups until it validates the certificate, but can't validate the certificate without doing DNS lookups. So they have to put the IP in the certificate.

1.1.1.1: crt.sh | 11691773333
8.8.8.8: crt.sh | 11982507101
9.9.9.9: crt.sh | 10070438204
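The point above about resolver certificates is that an IP literal like 1.1.1.1 only ever matches an iPAddress entry in the subjectAltName extension, never a dNSName such as one.one.one.one, so the CA has to put the raw address bytes into the certificate. The following is an added example, not code from the thread or from any CA: it hand-encodes the DER GeneralNames sequence that an IP certificate's SAN carries (only the [2] dNSName and [7] iPAddress choices are handled), parses it back, and applies the RFC 5280/6125 matching rules a client would. The sample SAN list is constructed to resemble a public resolver's certificate; it is not copied from any crt.sh entry.

```python
"""Encode, parse and match the subjectAltName GeneralNames used by IP certs.

Added example (not from the forum thread). The DER is built here by hand
rather than read from a real certificate; SAMPLE_NAMES is a constructed
list modelled on the shape of a public resolver cert, not a real SAN.
"""
import ipaddress

TAG_SEQUENCE = 0x30    # universal SEQUENCE, constructed
TAG_DNSNAME = 0x82     # context-specific [2] dNSName, primitive
TAG_IPADDRESS = 0x87   # context-specific [7] iPAddress, primitive

# Constructed sample: hostnames plus IPv4 and IPv6 literals in one SAN.
SAMPLE_NAMES = [
    ("dns", "one.one.one.one"),
    ("dns", "*.cloudflare-dns.com"),
    ("ip", "1.1.1.1"),
    ("ip", "2606:4700:4700::1111"),
]


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(buf: bytes, i: int):
    """Return (length, index of first content octet) for the length at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def encode_general_names(names) -> bytes:
    """names: list of ("dns", hostname) / ("ip", address) -> DER GeneralNames."""
    out = b""
    for kind, value in names:
        if kind == "dns":
            v = value.encode("ascii")          # dNSName is IA5String
            out += bytes([TAG_DNSNAME]) + _der_len(len(v)) + v
        elif kind == "ip":
            v = ipaddress.ip_address(value).packed  # 4 or 16 raw octets, no text
            out += bytes([TAG_IPADDRESS]) + _der_len(len(v)) + v
        else:
            raise ValueError(f"unsupported GeneralName kind {kind!r}")
    return bytes([TAG_SEQUENCE]) + _der_len(len(out)) + out


def decode_general_names(der: bytes):
    """Parse DER GeneralNames back into ("dns", ...) / ("ip", ...) tuples."""
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("GeneralNames must be a SEQUENCE")
    total, i = _read_len(der, 1)
    end = i + total
    if end != len(der):
        raise ValueError("trailing data after SEQUENCE")
    names = []
    while i < end:
        tag = der[i]
        length, i = _read_len(der, i + 1)
        value = der[i:i + length]
        if len(value) != length:
            raise ValueError("truncated GeneralName")
        i += length
        if tag == TAG_DNSNAME:
            names.append(("dns", value.decode("ascii")))
        elif tag == TAG_IPADDRESS:
            if len(value) not in (4, 16):
                raise ValueError("iPAddress must be 4 (IPv4) or 16 (IPv6) octets")
            names.append(("ip", str(ipaddress.ip_address(value))))
        else:
            names.append(("other", tag))  # rfc822Name, URI, ... are kept but not matched
    return names


def target_matches(names, target: str) -> bool:
    """Client-side check: an IP literal matches only an iPAddress entry, byte for
    byte; a hostname matches only a dNSName, case-insensitively, with a single
    '*.' wildcard permitted in the left-most label only."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "ip" and ipaddress.ip_address(v).packed == ip.packed
                   for k, v in names)
    host = target.lower().rstrip(".")
    for kind, v in names:
        if kind != "dns":
            continue
        v = v.lower().rstrip(".")
        if v == host:
            return True
        if v.startswith("*.") and "." in host and host.split(".", 1)[1] == v[2:]:
            return True
    return False


if __name__ == "__main__":
    der = encode_general_names(SAMPLE_NAMES)
    print(der.hex())
    print(decode_general_names(der))
    for t in ("1.1.1.1", "1.0.0.1", "one.one.one.one", "mozilla.cloudflare-dns.com"):
        print(t, target_matches(SAMPLE_NAMES, t))
```

Because the iPAddress entry holds packed octets rather than text, the check compares `.packed` values; that is also why a certificate whose SAN lists only one.one.one.one does not satisfy a client that connected to 1.1.1.1 directly, which is the bootstrap problem the post describes for encrypted DNS.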
