Let’s Encrypt has officially rolled out two important updates to its TLS certificate system. The non-profit certificate authority has now made 6-day short-lived certificates and IP-based TLS certificates generally available. These features were teased and tested earlier, and they are now ready for public use in early 2026.
Let’s Encrypt is best known for offering free TLS certificates that help websites use HTTPS. Millions of websites rely on it every day. With this update, the focus is clearly on improving security and reducing long-term risks.
What Are 6-Day TLS Certificates
Traditionally, Let’s Encrypt TLS certificates are valid for up to 90 days. That sounds reasonable, but it also creates a problem. If a private key is stolen, an attacker can misuse that certificate for weeks before it expires or gets revoked.
The new short-lived certificates solve this by reducing the validity period to 160 hours, which is about six and a half days. After that, the certificate expires automatically and must be renewed. This means even if a key is compromised, the damage window is very small. Instead of weeks, the risk lasts only a few days. In many real-world cases, that can make a big difference.
Another advantage is reduced reliance on certificate revocation systems. Revocation does not always work as expected. Many browsers and clients ignore it due to performance or configuration issues. Short-lived certificates avoid this problem by expiring quickly on their own.
Who Should Use Short-Lived Certificates
These certificates are optional. Users need to enable them by selecting a special profile in their ACME client. For setups that already use automated renewals, this change is mostly seamless.
For people who still manage certificates manually, six days may feel too short. Let’s Encrypt is aware of this and is not forcing the switch. Longer lifetimes are still available for now.
That said, Let’s Encrypt has already shared plans to slowly reduce default certificate lifetimes to around 45 days in the future. The goal is to push the internet toward better automation and stronger security over time.
IP-Based TLS Certificates Explained
The second big change is support for IP-based TLS certificates. Until now, publicly trusted certificates were mostly issued only for domain names. If your service ran directly on an IP address, you often had to use self-signed certificates or paid alternatives.
With this update, Let’s Encrypt can now issue certificates directly to IPv4 and IPv6 addresses. These certificates prove control over an IP address instead of a domain name.
Because IP addresses can change more often, Let’s Encrypt only issues IP-based certificates as short-lived ones. This reduces misuse and keeps things safer.
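For teams adopting these certificates, the 160-hour lifetime and the short-lived-only rule for IP addresses translate into checks a certificate inventory can enforce. The sketch below is an added example, not Let’s Encrypt code: the record layout, the finding names, the renew-at-half-lifetime threshold and the two-attempt rule are assumptions, and the sample inventory is constructed.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

SHORT_LIVED_MAX = timedelta(hours=160)  # short-lived lifetime stated in the article
RENEW_FRACTION = 0.5  # assumption: renew once half the lifetime has elapsed

def is_ip(name):
    """True if a SAN entry is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ip_address(name)
        return True
    except ValueError:
        return False

def audit(cert, now, check_interval):
    """Return findings for one inventory record (hypothetical record layout)."""
    lifetime = cert["not_after"] - cert["not_before"]
    renew_at = cert["not_before"] + lifetime * RENEW_FRACTION
    findings = []
    if now >= cert["not_after"]:
        findings.append("expired")
    elif now >= renew_at:
        findings.append("renewal-due")
    # Require two job runs between renew_at and expiry so one failed run is survivable.
    if check_interval * 2 > cert["not_after"] - renew_at:
        findings.append("renewal-job-too-infrequent")
    # The article says IP certificates are issued only as short-lived ones.
    if any(is_ip(n) for n in cert["sans"]) and lifetime > SHORT_LIVED_MAX:
        findings.append("ip-san-not-short-lived")
    return findings

def record(sans, issued, lifetime):
    """Build one constructed inventory record from issue time and lifetime."""
    return {"sans": sans, "not_before": issued, "not_after": issued + lifetime}

# Constructed sample inventory; names use documentation-reserved ranges.
UTC = timezone.utc
NOW = datetime(2026, 2, 20, tzinfo=UTC)
INVENTORY = [
    record(["api.example.test"], datetime(2026, 1, 1, tzinfo=UTC), timedelta(days=90)),
    record(["192.0.2.10"], datetime(2026, 2, 18, tzinfo=UTC), SHORT_LIVED_MAX),
    record(["2001:db8::5"], datetime(2026, 2, 10, tzinfo=UTC), timedelta(days=90)),
]

if __name__ == "__main__":
    for interval in (timedelta(hours=12), timedelta(days=7)):
        for cert in INVENTORY:
            print(interval, cert["sans"], audit(cert, NOW, interval))
```

A weekly renewal job that is adequate for a 90-day certificate is flagged for the 160-hour one, which is the practical reason short-lived certificates depend on automated renewal.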
Where IP-Based Certificates Are Useful
IP-based certificates are useful in many real-world cases. These include internal services without domain names, cloud instances that are created and destroyed quickly, container-based setups, and test or staging environments.
They are also helpful for firewalls, load balancers, and other infrastructure tools that need encrypted traffic but do not rely on traditional DNS.
Security teams have welcomed this change because it removes the need for workarounds and improves encryption in places that were often ignored.







