Trusted SSL certificates for IP addresses will be readily available to everyone later this year, and here’s how they’ll work

When you first start out building a home lab or self-hosting services, security is often a secondary thought as you’re not using your new tools outside your home network. But as you go on, you realize how unsafe the internet can be, and want to use SSL encryption for your apps, like any server on the modern web. Whether you’re building a reverse proxy for accessing your stack or being more adventurous with hosting an email server, you’ll need SSL to encrypt your data while in transit between the server and client.

While you can self-sign SSL certificates for home use and testing, or even run a DNS server to use local domain names, it’s less effort to purchase a domain name, switch it to Cloudflare or another large name server provider, make some DNS records to link that domain to your home IP, and get an SSL certificate from a certificate authority (CA) that enables HTTPS connections to your services.

Most CAs follow this established practice, but a CA can also issue certificates for an IP address instead of a domain name. The biggest CA, Let’s Encrypt, is starting to offer this, which is very, very exciting. Users have requested this since Let’s Encrypt began in 2015, but several recent technical changes have made it a viable option.

How SSL certificates keep the modern web safe

You’ll technically interact with them every day without noticing

The dangers of the internet are still there, but it’s not the wild west of the early days, and a large part of that is down to HTTPS and the TLS/SSL handshake process. These certificates establish trust and identity for the service being used, via a third party, the Certificate Authority that issued the SSL certificate. It’s a bit like getting a notary public or other trusted figure to sign your passport application, except it happens every time you visit a secure website. Once the handshake goes down, the data gets sent securely in an encrypted manner, ensuring that nobody between the server and your browser can snoop on your private information.

Google tracks the percentage of HTTPS connections via Chrome users who opt to share statistics, and it looks like most internet users use encrypted connections. ChromeOS is at about 99%, as is Android. MacOS is 97%, Windows is 94%, and Linux users go to HTTPS pages 80% of the time. The lower engagement on Linux might be from home lab or development use, where you might not have SSL set up, or be testing without it to ensure functionality before integrating encrypted connections and pushing to production.

And for home lab users, certs are even more vital

(Image: OPNsense SSL certificates)

When you’re using a company’s resources or platform, the expectation is that they’re in charge of keeping your data safe. In the home lab or self-hosting world, the responsibility is yours, and yours alone, as essentially you are the service provider. Having SSL certificates securing your domain (or IP addresses, as is now available) lets you concentrate on protecting data while it’s at rest on your server, rather than worrying about whether someone can read it while it’s in transit to the requesting browser.

Why IP address certs are important

This is a big deal, especially for homelab users


Every device attached to a network or the internet has an IP address associated with it. A device might have several, including IPv4 and IPv6, or it might share the external IP address of your home network. Usually, the directory known as DNS takes in domain names like xda-developers.com and resolves them to the associated IP addresses so your traffic can reach the right server, all without the user seeing it in action, and that’s part of why SSL certificates are predominantly set up for domains.

But the internet’s nature is also changeable. Your ISP might change your external IP, or a website might migrate to another cloud hosting provider. With IP-based certification, a leftover certificate would remain valid for an IP address its owner no longer uses, which could enable bad actors to set up malware or phishing sites, among other issues. That’s why Let’s Encrypt decided to wait until short-lived certs were available, which rolled out earlier in 2025.

According to Let’s Encrypt, there are several use cases where an IP address cert makes more sense than a domain one:

  • To access your website without a domain name, while using HTTPS
  • Securing DNS-over-HTTPS (DoH) or other infrastructure services
  • For the default page on hosting providers, in case someone posts the IP address instead of the domain
  • Securing remote access to self-hosted services or devices
  • Securing ephemeral connections within cloud hosting infrastructure, such as connections between server backends (for example, HAProxy or other load balancers)

Apart from the hosting provider, all of these are viable uses for IP certificates in the home lab environment. With IPv6 giving publicly accessible IP addresses to individual devices, you’ll be able to set up SSL for your NAS or server easily without going through the extra stages to get a domain name.

But there’s a gotcha

Okay, there are two gotchas, but one is that you’ll have to wait to use them. Let’s Encrypt has IP address-based certificates available in Staging, but they’ll be more widely available for production use later in 2025.

The other is that all IP-based certificates must be short-lived, lasting about six days. Your ACME client must support the draft ACME Profiles specification, and you have to configure it to request the shortlived profile. The last point is that DNS challenges won’t be accepted either; you must use the http-01 or tls-alpn-01 challenge instead. To be fair, these are wise requirements that balance usability against security considerations, and they won’t take long for anyone to implement.
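Two of the points above can be seen directly in code: a certificate issued for a domain does nothing for a client that connects by IP address (the reason IP certificates are useful in the first place), an IP certificate covers only the exact address in its Subject Alternative Name, and a six-day lifetime means renewal has to happen every few days rather than every few months. The following is an added example, not code from the article or from Let’s Encrypt. It uses Go’s standard crypto/x509 package, self-signs a throwaway certificate in place of a CA-issued one (SAN matching works the same way for a publicly trusted certificate), uses constructed addresses from the 203.0.113.0/24 documentation range, and the two-thirds renewal rule in RenewalDue is an assumed policy for illustration, not Let’s Encrypt’s own guidance.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// IPCertLifetime is the roughly six-day lifetime the article gives for
// Let's Encrypt's short-lived IP address certificates.
const IPCertLifetime = 6 * 24 * time.Hour

// NewSelfSignedCert issues a self-signed leaf certificate whose SANs are
// exactly the given IP addresses and DNS names. It stands in for a CA-issued
// certificate in this example; SAN handling is identical for a real one.
func NewSelfSignedCert(ips []net.IP, dnsNames []string, notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "homelab service"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IPAddresses:           ips,
		DNSNames:              dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MatchesHost reports whether the certificate is valid for the host a client
// typed into its browser. crypto/x509 matches an IP literal only against the
// IP address SANs and a hostname only against the DNS SANs, never across the
// two, so a domain certificate never covers access by raw IP.
func MatchesHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// RenewalDue reports whether a client should renew now. The assumed policy
// (an illustration, not Let's Encrypt's guidance) is to renew once two thirds
// of the lifetime has elapsed; for a six-day certificate that is after four days.
func RenewalDue(cert *x509.Certificate, now time.Time) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	renewAt := cert.NotBefore.Add(lifetime * 2 / 3)
	return !now.Before(renewAt)
}

func main() {
	issued := time.Now()
	// Constructed example address from the TEST-NET-3 documentation range.
	ipCert, err := NewSelfSignedCert([]net.IP{net.ParseIP("203.0.113.10")}, nil, issued, IPCertLifetime)
	if err != nil {
		panic(err)
	}
	// A conventional 90-day certificate for a hypothetical domain name.
	dnsCert, err := NewSelfSignedCert(nil, []string{"nas.example.internal"}, issued, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("IP cert for its own IP:      ", MatchesHost(ipCert, "203.0.113.10"))
	fmt.Println("IP cert for a neighbour IP:  ", MatchesHost(ipCert, "203.0.113.11"))
	fmt.Println("domain cert accessed by IP:  ", MatchesHost(dnsCert, "203.0.113.10"))
	fmt.Println("renew IP cert after 1 day?   ", RenewalDue(ipCert, issued.Add(24*time.Hour)))
	fmt.Println("renew IP cert after 5 days?  ", RenewalDue(ipCert, issued.Add(5*24*time.Hour)))
}
```

In practice the certificate comes back from an ACME client that requested the shortlived profile and answered an http-01 or tls-alpn-01 challenge; MatchesHost and RenewalDue are the sort of checks you would run on that returned certificate in a renewal cron job or a monitoring script, and the five-day case shows why a six-day certificate needs an automated renewal schedule rather than a manual one.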

Being able to get free SSL certificates for individual IP addresses is a huge step forward in ensuring the world’s internet traffic is encrypted by default. This will make home lab experiments, self-hosted services, and corporate environments safer and more secure, and I can’t wait to find out how the requesting process differs from domain-based certs, if it changes at all.
