Let’s Encrypt rolls out 6-day and IP-based certificates
Let’s Encrypt says its short-lived TLS certificates with a 6-day lifetime are now generally available. Each certificate is valid for 160 hours from the time it is issued.

To request one, operators must select the “shortlived” profile in their ACME client. The option is opt-in and works with clients that support the certificate profile feature. Let’s Encrypt said this type of certificate requires more frequent validation and reduces reliance on traditional revocation systems by shortening the period a compromised key remains valid.
“Short-lived certificates are opt-in and we have no plan to make them the default at this time. Subscribers that have fully automated their renewal process should be able to switch to short-lived certificates easily if they wish, but we understand that not everyone is in that position and generally comfortable with this significantly shorter lifetime,” explains Matthew McPherrin, Site Reliability Engineer at the Internet Security Research Group.
IP address certificates added to service
In the same update, Let’s Encrypt introduced TLS certificates that authenticate a service based on its IP address instead of a domain name. These certificates support both IPv4 and IPv6 and must use the short-lived profile.
Operators can use these certificates to secure HTTPS connections directly to an IP address. This expands the range of use cases where publicly trusted certificates can protect traffic without a domain name.
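
An added example, not code from Let’s Encrypt or from this article: a Python preflight check that builds an ACME newOrder payload for the “shortlived” profile, rejects IP identifiers under any other profile, and checks an issued certificate's validity window against the 160-hour figure. The `profile` and `meta.profiles` field names are assumed from the ACME profiles extension and the `ip` identifier type from RFC 8738; the directory, URL and addresses are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

SHORTLIVED = "shortlived"                 # profile name given in the article
MAX_LIFETIME = timedelta(hours=160)       # validity stated in the article

# Constructed sample of an ACME directory object (not fetched from any CA).
SAMPLE_DIRECTORY = {
    "newOrder": "https://acme.example/new-order",
    "meta": {"profiles": {"classic": "constructed description",
                          "shortlived": "constructed description"}},
}

def to_identifier(name):
    """Map a hostname or IP literal to an ACME identifier object."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        return {"type": "dns", "value": name.lower().rstrip(".")}
    # str() yields the canonical text form (compressed, lowercase for IPv6).
    return {"type": "ip", "value": str(ip)}

def build_new_order(directory, names, profile=SHORTLIVED):
    """Return a newOrder payload, failing early on unsupported combinations."""
    offered = directory.get("meta", {}).get("profiles", {})
    if profile not in offered:
        raise ValueError(f"CA does not advertise profile {profile!r}")
    identifiers = [to_identifier(n) for n in names]
    if profile != SHORTLIVED and any(i["type"] == "ip" for i in identifiers):
        raise ValueError("IP address identifiers require the shortlived profile")
    return {"identifiers": identifiers, "profile": profile}

def lifetime_within_limit(not_before, not_after, limit=MAX_LIFETIME):
    """True if the issued certificate's validity window fits the expected limit."""
    return timedelta(0) < (not_after - not_before) <= limit

if __name__ == "__main__":
    print(build_new_order(SAMPLE_DIRECTORY, ["192.0.2.10", "2001:DB8:0:0:0:0:0:1"]))
    issued = datetime(2026, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    print(lifetime_within_limit(issued, issued + timedelta(hours=160)))
```

Running `lifetime_within_limit` on the `notBefore` and `notAfter` of a freshly issued certificate catches a client that silently fell back to a longer-lived profile.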
Let’s Encrypt is part of a broader shift
Six-day certificates are available from more than one provider. Let’s Encrypt is one option, and Google Trust Services also issues short-lived certificates. Google Trust Services supports custom validity periods, so a requester can specify the number of days in the ACME request. This allows certificates with lifetimes such as 6, 12, or 33 days, depending on operational needs.
“The great thing about this, and I’ve been using these certs for weeks now, is that once you’re using an ACME client, you’re already automated, and once you’re automated, the validity period really isn’t relevant any more. I’m currently sticking with the 6-day certs, and I will alternate between Let’s Encrypt and Google Trust Services, but running these automations more frequently to go from 90 days down to 6 days really doesn’t change anything at all, so give it a try,” writes Security Researcher Scott Helme.