https://community.letsencrypt.org/t/getting-ready-to-issue-ip-address-certificates/238777

Let's Encrypt Community Support

Getting ready to issue IP address certificates

Issuance Tech
JamesLE June 24, 2025, 10:47pm 1

We're almost ready to issue certificates for IP address SANs from
Let's Encrypt's production environment. They'll only be available
under the shortlived profile (which has a 6-day validity period), and
that profile will remain allowlist-only for a while.

Please note: We have more work to do before we're ready to launch
this feature for the public. We don't yet have a timeline, and aren't
ready to accept allowlist requests.

Here's a sample staging certificate, and a site using it:

 * abadcafe.txt (3.0 KB)
 * https://[2602:ff3a:1:abad:c0f:fee:abad:cafe]/

Please speak up if you see anything interesting, weird, or wrong!

I think I already found a bug in Firefox's display of IP address
SANs; BZ #1973855.

15 Likes
Osiris June 24, 2025, 11:16pm 2
# JamesLE:


   https://[2602:ff3a:1:abad:c0f:fee:abad:cafe]/

Lol, also a bug in Discourse I guess? The URL is blue, but it's just
a <a>...</a> without the href= part et cetera.. So an anchor, yes,
but hyperlink? No..

Anyway, gotta get myself on that shortlived profile somehow
:stuck_out_tongue:

How can I make my browser NOT follow the 302 redirect? Whilst being
funny, the whole Starbucks thing, I cannot check the certificate in
the browser due to the redirect :slight_smile:

Also: is it allowed to have IP addresses as a dnsName in the SAN?
That's kinda weird, right? But in this case it's just a valid FQDN..
Interesting :stuck_out_tongue: And confusing! Valid hex only
character domain names should be forbidden :rofl:

3 Likes
griffin June 24, 2025, 11:31pm 3

It should be an IP SAN type. This would be IP.# in OpenSSL, not DNS.#.

A related post:

Checkmk Community - 13 Apr 23

SSL certificate with IP in the SAN

General

Hi, I issued an SSL certificate with an FQDN, hostname and IP in the
Subject Alternative Name extension. It's working okay if I either use
the FQDN or the hostname in the browser to connect to the console,
but I get this message: Your...


3 Likes
JamesLE June 24, 2025, 11:36pm 4
# Osiris:


   Lol, also a bug in Discourse I guess? The URL is blue, but it's
   just a <a>...</a> without the href= part et cetera.. So an
   anchor, yes, but hyperlink? No..

Oof! That does look like a Discourse limitation.

# Osiris:


   How can I make my browser NOT follow the 302 redirect? Whilst
   being funny, the whole Starbucks thing, I cannot check the
   certificate in the browser due to the redirect :slight_smile:

Good point, thanks! I've just replaced the redirect with a static
page.

# Osiris:


   Also: is it allowed to have IP addresses as a dnsName in the SAN?
   That's kinda weird, right? But in this case it's just a valid
   FQDN.. Interesting :stuck_out_tongue: And confusing! Valid hex
   only character domain names should be forbidden :rofl:

# griffin:


   It should be an IP SAN type. This would be IP.# in OpenSSL, not
   DNS.#.

That's the interesting and weird part I hoped people would notice.
:joy: This certificate has DNS SANs as well as an IP SAN. They are
similar, but look closely: one is definitely a DNS name and one is
definitely an IPv6 address.

When I was writing test cases, it occurred to me that someone could
potentially do this, so I went looking for TLDs that match
[0-9a-f]{,4}, found .cafe, and registered abad.cafe in order to cause
this confusion.

10 Likes
griffin June 24, 2025, 11:40pm 5

Is the underlying SAN specifically coded as IP type? I haven't dug
around in it. I noticed my guarding code in my overhaul of CertSage
recently, which is why this came to mind.

2 Likes
aarongable June 24, 2025, 11:41pm 6

It should be, and my own inspection confirms that it is, but that's
why we're asking other folks to take a look!

5 Likes
griffin June 24, 2025, 11:42pm 7

I shudder to think of the amount of hardcoded software that will soon
be tripping over this (not actually) new concept. :woozy_face:

3 Likes
griffin June 24, 2025, 11:48pm 8

Decoded

Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           2c:64:98:a5:1c:55:e9:6f:74:94:17:be:70:6c:1b:d1:62:a2
       Signature Algorithm: ecdsa-with-SHA384
       Issuer: C=US, O=(STAGING) Let's Encrypt, CN=(STAGING) False Fennel E6
       Validity
           Not Before: Jun 24 21:17:50 2025 GMT
           Not After : Jul  1 13:17:49 2025 GMT
       Subject:
       Subject Public Key Info:
           Public Key Algorithm: id-ecPublicKey
               Public-Key: (256 bit)
               pub:
                   04:b9:e5:b6:2c:6f:a8:0b:23:a3:9c:ba:6b:66:68:
                   3f:69:70:9b:b6:da:92:42:c5:68:e3:c1:8d:3f:e6:
                   d9:31:51:47:0d:45:eb:8f:7d:33:f5:9f:01:5e:5b:
                   7e:bc:57:47:31:c6:d6:7f:c3:79:a6:55:e8:09:b6:
                   0a:91:c6:3f:c2
               ASN1 OID: prime256v1
               NIST CURVE: P-256
       X509v3 extensions:
           X509v3 Key Usage: critical
               Digital Signature
           X509v3 Extended Key Usage:
               TLS Web Server Authentication
           X509v3 Basic Constraints: critical
               CA:FALSE
           X509v3 Authority Key Identifier:
               A1:74:1A:06:6D:50:B7:86:2D:4A:2C:C1:7E:B4:8D:88:49:6C:CD:16
           Authority Information Access:
               CA Issuers - URI:http://stg-e6.i.lencr.org/
           X509v3 Subject Alternative Name: critical
               DNS:2602.ff3a.0001.abad.0c0f.0fee.abad.cafe, DNS:2602.ff3a.1.abad.c0f.fee.abad.cafe, DNS:abad.cafe, DNS:www.abad.cafe, IP Address:2602:FF3A:1:ABAD:C0F:FEE:ABAD:CAFE
           X509v3 Certificate Policies:
               Policy: 2.23.140.1.2.1
           X509v3 CRL Distribution Points:
               Full Name:
                 URI:http://stg-e6.c.lencr.org/35.crl
           CT Precertificate SCTs:
               Signed Certificate Timestamp:
                   Version   : v1 (0x0)
                   Log ID    : 16:E8:69:C1:D1:95:EA:D7:C3:F8:97:1A:E3:F0:76:01:
                               F7:8C:E1:B6:9D:31:A8:52:18:B6:83:7F:31:A8:15:08
                   Timestamp : Jun 24 22:16:20.508 2025 GMT
                   Extensions: none
                   Signature : ecdsa-with-SHA256
                               30:45:02:20:57:02:0A:71:18:C1:A7:92:85:13:3B:52:
                               DC:13:80:02:85:89:6C:76:A6:6B:63:18:35:1B:98:BA:
                               62:3E:FD:47:02:21:00:CE:D1:76:F9:4A:4C:86:AA:8D:
                               30:15:D7:9E:71:1C:63:31:B0:8D:41:FC:05:E3:60:35:
                               99:66:52:76:9A:C1:B2
               Signed Certificate Timestamp:
                   Version   : v1 (0x0)
                   Log ID    : B0:CC:83:E5:A5:F9:7D:6B:AF:7C:09:CC:28:49:04:87:
                               2A:C7:E8:8B:13:2C:63:50:B7:C6:FD:26:E1:6C:6C:77
                   Timestamp : Jun 24 22:16:20.473 2025 GMT
                   Extensions: none
                   Signature : ecdsa-with-SHA256
                               30:45:02:20:16:62:74:68:60:C2:F8:BA:45:79:BA:6D:
                               45:1F:07:3C:A6:E4:76:D1:A3:97:D3:F1:8F:0F:60:D2:
                               8B:E0:C8:A2:02:21:00:CD:BC:E4:68:ED:B9:7C:3D:D0:
                               EC:E2:33:5E:5B:18:B3:1A:44:46:D1:22:FB:31:97:78:
                               21:B7:02:A7:39:7E:E7
   Signature Algorithm: ecdsa-with-SHA384
   Signature Value:
       30:66:02:31:00:a4:d9:fc:d7:a6:30:0f:ee:d0:34:84:17:78:
       8b:f9:86:00:c0:16:c8:9a:3e:51:fa:e5:43:a1:8f:5c:4f:be:
       59:25:74:fa:34:66:b5:63:80:6f:ed:27:77:5d:5f:e2:e8:02:
       31:00:ec:6c:d0:a7:4d:1c:ec:5a:1c:8d:32:b3:b4:82:79:bc:
       31:14:75:ca:67:a7:78:57:00:0d:8d:b5:01:8d:f3:30:0e:02:
       f0:4d:02:6f:62:a9:82:5c:9b:00:1e:db:af:0f

---------------------------------------------------------------------

ASN.1

0 990: SEQUENCE {
 4 867:   SEQUENCE {
 8   3:     [0] {
10   1:       INTEGER 2
      :       }
13  18:     INTEGER 2C 64 98 A5 1C 55 E9 6F 74 94 17 BE 70 6C 1B D1 62 A2
33  10:     SEQUENCE {
35   8:       OBJECT IDENTIFIER ecdsaWithSHA384 (1 2 840 10045 4 3 3)
      :       }
45  83:     SEQUENCE {
47  11:       SET {
49   9:         SEQUENCE {
51   3:           OBJECT IDENTIFIER countryName (2 5 4 6)
56   2:           PrintableString 'US'
      :           }
      :         }
60  32:       SET {
62  30:         SEQUENCE {
64   3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
69  23:           PrintableString '(STAGING) Let's Encrypt'
      :           }
      :         }
94  34:       SET {
96  32:         SEQUENCE {
98   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
103  25:           PrintableString '(STAGING) False Fennel E6'
      :           }
      :         }
      :       }
130  30:     SEQUENCE {
132  13:       UTCTime 24/06/2025 21:17:50 GMT
147  13:       UTCTime 01/07/2025 13:17:49 GMT
      :       }
162   0:     SEQUENCE {}
164  89:     SEQUENCE {
166  19:       SEQUENCE {
168   7:         OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
177   8:         OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
      :         }
187  66:       BIT STRING
      :         04 B9 E5 B6 2C 6F A8 0B 23 A3 9C BA 6B 66 68 3F
      :         69 70 9B B6 DA 92 42 C5 68 E3 C1 8D 3F E6 D9 31
      :         51 47 0D 45 EB 8F 7D 33 F5 9F 01 5E 5B 7E BC 57
      :         47 31 C6 D6 7F C3 79 A6 55 E8 09 B6 0A 91 C6 3F
      :         C2
      :       }
255 616:     [3] {
259 612:       SEQUENCE {
263  14:         SEQUENCE {
265   3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
270   1:           BOOLEAN TRUE
273   4:           OCTET STRING 03 02 07 80
      :           }
279  19:         SEQUENCE {
281   3:           OBJECT IDENTIFIER extKeyUsage (2 5 29 37)
286  12:           OCTET STRING 30 0A 06 08 2B 06 01 05 05 07 03 01
      :           }
300  12:         SEQUENCE {
302   3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
307   1:           BOOLEAN TRUE
310   2:           OCTET STRING 30 00
      :           }
314  31:         SEQUENCE {
316   3:           OBJECT IDENTIFIER authorityKeyIdentifier (2 5 29 35)
321  24:           OCTET STRING
      :             30 16 80 14 A1 74 1A 06 6D 50 B7 86 2D 4A 2C C1
      :             7E B4 8D 88 49 6C CD 16
      :           }
347  54:         SEQUENCE {
349   8:           OBJECT IDENTIFIER authorityInfoAccess (1 3 6 1 5 5 7 1 1)
359  42:           OCTET STRING
      :             30 28 30 26 06 08 2B 06 01 05 05 07 30 02 86 1A
      :             68 74 74 70 3A 2F 2F 73 74 67 2D 65 36 2E 69 2E
      :             6C 65 6E 63 72 2E 6F 72 67 2F
      :           }
403 133:         SEQUENCE {
406   3:           OBJECT IDENTIFIER subjectAltName (2 5 29 17)
411   1:           BOOLEAN TRUE
414 123:           OCTET STRING
      :             30 79 82 27 32 36 30 32 2E 66 66 33 61 2E 30 30
      :             30 31 2E 61 62 61 64 2E 30 63 30 66 2E 30 66 65
      :             65 2E 61 62 61 64 2E 63 61 66 65 82 22 32 36 30
      :             32 2E 66 66 33 61 2E 31 2E 61 62 61 64 2E 63 30
      :             66 2E 66 65 65 2E 61 62 61 64 2E 63 61 66 65 82
      :             09 61 62 61 64 2E 63 61 66 65 82 0D 77 77 77 2E
      :             61 62 61 64 2E 63 61 66 65 87 10 26 02 FF 3A 00
      :             01 AB AD 0C 0F 0F EE AB AD CA FE
      :           }
539  19:         SEQUENCE {
541   3:           OBJECT IDENTIFIER certificatePolicies (2 5 29 32)
546  12:           OCTET STRING 30 0A 30 08 06 06 67 81 0C 01 02 01
      :           }
560  49:         SEQUENCE {
562   3:           OBJECT IDENTIFIER cRLDistributionPoints (2 5 29 31)
567  42:           OCTET STRING
      :             30 28 30 26 A0 24 A0 22 86 20 68 74 74 70 3A 2F
      :             2F 73 74 67 2D 65 36 2E 63 2E 6C 65 6E 63 72 2E
      :             6F 72 67 2F 33 35 2E 63 72 6C
      :           }
611 260:         SEQUENCE {
615  10:           OBJECT IDENTIFIER
      :             googleSignedCertificateTimestamp (1 3 6 1 4 1 11129 2 4 2)
627 245:           OCTET STRING
      :             04 81 F2 00 F0 00 76 00 16 E8 69 C1 D1 95 EA D7
      :             C3 F8 97 1A E3 F0 76 01 F7 8C E1 B6 9D 31 A8 52
      :             18 B6 83 7F 31 A8 15 08 00 00 01 97 A4 03 79 1C
      :             00 00 04 03 00 47 30 45 02 20 57 02 0A 71 18 C1
      :             A7 92 85 13 3B 52 DC 13 80 02 85 89 6C 76 A6 6B
      :             63 18 35 1B 98 BA 62 3E FD 47 02 21 00 CE D1 76
      :             F9 4A 4C 86 AA 8D 30 15 D7 9E 71 1C 63 31 B0 8D
      :             41 FC 05 E3 60 35 99 66 52 76 9A C1 B2 00 76 00
      :                     [ Another 117 bytes skipped ]
      :           }
      :         }
      :       }
      :     }
875  10:   SEQUENCE {
877   8:     OBJECT IDENTIFIER ecdsaWithSHA384 (1 2 840 10045 4 3 3)
      :     }
887 105:   BIT STRING
      :     30 66 02 31 00 A4 D9 FC D7 A6 30 0F EE D0 34 84
      :     17 78 8B F9 86 00 C0 16 C8 9A 3E 51 FA E5 43 A1
      :     8F 5C 4F BE 59 25 74 FA 34 66 B5 63 80 6F ED 27
      :     77 5D 5F E2 E8 02 31 00 EC 6C D0 A7 4D 1C EC 5A
      :     1C 8D 32 B3 B4 82 79 BC 31 14 75 CA 67 A7 78 57
      :     00 0D 8D B5 01 8D F3 30 0E 02 F0 4D 02 6F 62 A9
      :     82 5C 9B 00 1E DB AF 0F
      :   }

---------------------------------------------------------------------
redkestrel.co.uk

CSR Decoder and SSL Certificate Decoder - Free Online Tool


4 Likes
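An added example, not code from the thread or from Let's Encrypt: a small Python DER walker over the subjectAltName OCTET STRING in the dump above, showing that the dotted names are dNSName entries (context tag 0x82) while only the last entry is an iPAddress (context tag 0x87), and how a client should match a dialed IP literal only against the latter, which is the distinction JamesLE points out in post 4. The matching helper `san_matches` is an assumption of this example, not an API of any library.

```python
import ipaddress

# Bytes copied from the dump's subjectAltName OCTET STRING (offset 414, 123 bytes).
SAN_DER = bytes.fromhex(
    "30 79 82 27 32 36 30 32 2E 66 66 33 61 2E 30 30 "
    "30 31 2E 61 62 61 64 2E 30 63 30 66 2E 30 66 65 "
    "65 2E 61 62 61 64 2E 63 61 66 65 82 22 32 36 30 "
    "32 2E 66 66 33 61 2E 31 2E 61 62 61 64 2E 63 30 "
    "66 2E 66 65 65 2E 61 62 61 64 2E 63 61 66 65 82 "
    "09 61 62 61 64 2E 63 61 66 65 82 0D 77 77 77 2E "
    "61 62 61 64 2E 63 61 66 65 87 10 26 02 FF 3A 00 "
    "01 AB AD 0C 0F 0F EE AB AD CA FE"
)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos (short or long-form length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_san(der):
    """Return [(kind, value)] for each GeneralName in a SubjectAltName extension."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    names, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0x82:                    # [2] dNSName: IA5String, even if it looks like an address
            names.append(("dns", val.decode("ascii")))
        elif tag == 0x87:                  # [7] iPAddress: 4 or 16 raw network-order bytes
            names.append(("ip", str(ipaddress.ip_address(val))))
        else:                              # rfc822Name, URI, otherName, ...: not matched here
            names.append(("other", val.hex()))
    return names


def san_matches(names, target):
    """Match the dialed target the way RFC 5280/6125 intend: an IP literal is
    compared only against iPAddress entries, a hostname only against dNSName
    entries, so a dotted look-alike never satisfies an IP connection or vice versa."""
    try:
        ip = ipaddress.ip_address(target.strip("[]"))
        return any(k == "ip" and ipaddress.ip_address(v) == ip for k, v in names)
    except ValueError:                     # not an IP literal: treat as a hostname
        host = target.lower().rstrip(".")
        return any(k == "dns" and v.lower() == host for k, v in names)
```

Running `parse_san(SAN_DER)` yields four dns entries and one ip entry, and only the bracketed IPv6 literal matches that ip entry.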
Osiris June 24, 2025, 11:57pm 9
# JamesLE:


   They are similar, but look closely: one is definitely a DNS name
   and one is definitely an IPv6 address.

Dang, just saw the dots vs. colons after looking at it for 5 extra
minutes :rofl: Even though I already figured it was a valid FQDN, I
didn't notice that difference.

6 Likes
linkp June 25, 2025, 12:28am 10
# JamesLE:


   abad.cafe

I want to get a coffee there. :hot_beverage:

6 Likes
griffin June 25, 2025, 12:40am 11

[image: best]

coffee

5 Likes
webprofusion June 25, 2025, 2:29am 12

Can the shortlived profile be enabled for all on staging yet? Hard to
give feedback without trying it out.

3 Likes
mcpherrinm June 25, 2025, 4:09am 13

We will enable it in staging pretty soon. Probably in the next few
weeks, once we are confident our implementation is at least close to
correct and complete.

There's a bunch of details around things like rate limits, scale, etc
which we need to resolve before going to production, but that's not
as relevant to staging, which sees a lot less traffic.

7 Likes
Bruce5051 June 25, 2025, 4:23am 14

Would it be correct to assume that the DNS-01 Challenge also cannot
be used for the issuance of an IP Address Certificate?

4 Likes
mcpherrinm June 25, 2025, 5:02am 15

Correct. HTTP and TLS-ALPN only

5 Likes
rmbolger June 25, 2025, 5:40am 16

It's been probably ~15 years since the last time I was messing with
(private) IP SAN certs on the regular. But at that time, it seemed
like you needed the IP as both an IP and DNS SAN value in the cert
for maximum browser compatibility. Which is to say, some browsers
needed one and other browsers needed the other.

Not sure if there's a compat matrix around anywhere, but it's
probably worth testing a bunch of desktop and mobile browsers with
different combinations to see if there are any buggy implementations.

5 Likes
elijahlynn June 26, 2025, 12:11am 17

Nice!

I see it rendering when using an IPV6 enabled ISP (check here
https://test-ipv6.com/).

[screenshot: Brave Browser 2025-06-25 17.03.28]

Are there plans for the major browsers' CA stores to adopt these certs?
Can anyone point me to further reading on adoption?

elijahlynn June 26, 2025, 12:12am 18

fwiw: If you arrive here trying to paste the link in a browser and do
not have IPV6, it will look like this:

This site can't be reached
https://[2602:ff3a:1:abad:c0f:fee:abad:cafe]/ is unreachable.
ERR_ADDRESS_UNREACHABLE

[screenshot: screenshot-20250626-00-11-34-UTC]

JamesLE June 26, 2025, 12:15am 19
# elijahlynn:


   Are there plans for the major browsers' CA stores to adopt these
   certs?

Once launched, these will be issued from Let's Encrypt's existing
chain of trust, and so they will be publicly trusted.

4 Likes
petercooperjr June 26, 2025, 12:31am 20

Is there anything public available on which IPs will be able to get
certs? I mean, obviously private/reserved ranges won't be available,
but how about all those "cloud" services that rent IPs by the hour
(or second)? Is it expected to be "normal" that someone could release
an IP back into a pool and yet still have a valid certificate for
almost-a-week, or will Let's Encrypt certificates only be available
for IPs that are slightly less ephemeral?

4 Likes

