Six day and IP address certificate options in 2025

Short-lived certificates & revocation

  • Six‑day certs omit OCSP/CRL URLs; commenters note this is explicitly allowed for “short-lived” certs (≤10 days now, ≤7 days from 2026) under CA/Browser Forum rules.
  • Revocation is seen as largely ineffective in practice: many clients ignore it, and past incidents (e.g., Heartbleed, leaked keys in support dumps) showed revoked certs still being used without user warnings.
  • Shorter lifetimes are framed as a pragmatic way to reduce risk from undetected key compromise, though some see the threat model as narrow and benefits as modest.
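As an added example, not code from the discussion or from Let's Encrypt, the Go program below builds self-signed test certificates and applies the check a deployment pipeline should run on every cert it obtains: a certificate that carries no OCSP or CRL pointers is acceptable only if its validity period fits the short-lived threshold, otherwise relying parties have no way to learn about a compromised key until the cert expires. The day thresholds are taken from the summary above, and the `Inspect`/`MakeTestCert` names, the constructed certificate contents and the 203.0.113.10 test address are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Short-lived thresholds as quoted in the discussion: 10 days today, 7 days
// from 2026. Assumption: whole-day values; the actual policy text measures
// validity in seconds with a small slack.
const (
	ShortLivedMaxNow  = 10 * 24 * time.Hour
	ShortLivedMax2026 = 7 * 24 * time.Hour
)

// CertReport is what a pipeline would log for each cert before deploying it.
type CertReport struct {
	Lifetime     time.Duration
	HasOCSP      bool
	HasCRL       bool
	ShortLived   bool // lifetime within the threshold passed to Inspect
	RevocationOK bool // revocation pointers present, or short-lived enough not to need them
}

// Inspect evaluates a parsed certificate against a short-lived threshold.
func Inspect(cert *x509.Certificate, shortLivedMax time.Duration) CertReport {
	r := CertReport{
		Lifetime: cert.NotAfter.Sub(cert.NotBefore),
		HasOCSP:  len(cert.OCSPServer) > 0,
		HasCRL:   len(cert.CRLDistributionPoints) > 0,
	}
	r.ShortLived = r.Lifetime <= shortLivedMax
	// No OCSP/CRL pointers is only acceptable when the cert is short-lived;
	// a long-lived cert without them leaves compromise undetectable.
	r.RevocationOK = r.HasOCSP || r.HasCRL || r.ShortLived
	return r
}

// MakeTestCert builds a self-signed certificate (constructed sample data, not
// an issued cert) with the given lifetime, optional IP SANs and OCSP URLs.
// IP SANs are accepted so the same check covers IP address certificates.
func MakeTestCert(lifetime time.Duration, ips []net.IP, ocsp []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		IPAddresses:  ips,
		OCSPServer:   ocsp,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	sixDayIP, _ := MakeTestCert(6*24*time.Hour, []net.IP{net.ParseIP("203.0.113.10")}, nil)
	ninetyDayNoRevocation, _ := MakeTestCert(90*24*time.Hour, nil, nil)
	ninetyDayWithOCSP, _ := MakeTestCert(90*24*time.Hour, nil, []string{"http://ocsp.example.test"})
	for _, c := range []*x509.Certificate{sixDayIP, ninetyDayNoRevocation, ninetyDayWithOCSP} {
		fmt.Printf("%+v\n", Inspect(c, ShortLivedMax2026))
	}
}
```

Run it with `go run`; only the 90-day certificate without OCSP or CRL pointers comes back with `RevocationOK:false`, which is the case a pipeline should refuse to deploy.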

Operational impact and automation

  • Many argue 90‑day (and shorter) lifetimes are meant to force proper automation; if certs break every few days in staging, bugs get fixed earlier.
  • Others report real friction: flaky automation, services that require restarts to load new certs, segmented networks, and offline/edge use cases.
  • Hobbyists and small setups sometimes find renewals the least reliable part of their stack, provoking frustration with “opinionated” lifetime choices.

Outage and rate‑limit concerns

  • Some fear a major Let’s Encrypt outage could break a large fraction of the web with 6‑day certs.
  • Counterpoints: week‑long outages are seen as unlikely; robust clients can fall back to other ACME CAs. Skeptics worry that mass fallback could overload those CAs.
  • With 5‑per‑7‑days limits for identical hostname sets, very aggressive renewal schedules (e.g., daily) may hit rate limits unless carefully managed.
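To make the rate-limit arithmetic concrete, here is an added Go example (not code from the discussion or from any ACME client) that does two things a renewal client needs: it checks up front whether a fixed renewal interval can ever exceed the 5-per-7-days limit for one hostname set, and it keeps a persistent issuance log with a sliding-window guard so a flaky retry loop cannot burn the remaining budget. The limit values are taken from the summary above; the `PeakIssuancesPerWindow`, `ScheduleFits` and `IssuanceLog` names and the sample timestamps are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Limit as quoted in the discussion: 5 certificates per rolling 7 days for an
// identical hostname set. Assumption: taken from the summary, not read from
// the CA's live policy document.
const (
	DuplicateCertLimit  = 5
	DuplicateCertWindow = 7 * 24 * time.Hour
)

// PeakIssuancesPerWindow returns the most issuances a fixed renewal interval
// can place inside one rolling window, i.e. ceil(window / interval), using
// integer arithmetic so day boundaries are exact.
func PeakIssuancesPerWindow(interval time.Duration) int {
	if interval <= 0 {
		return int(^uint(0) >> 1) // degenerate schedule: treat as unbounded
	}
	return int((DuplicateCertWindow + interval - 1) / interval)
}

// ScheduleFits reports whether renewing every `interval` stays under the limit
// with zero retries; any retry headroom has to come out of what is left.
func ScheduleFits(interval time.Duration) bool {
	return PeakIssuancesPerWindow(interval) <= DuplicateCertLimit
}

// IssuanceLog holds the times at which certs for one hostname set were
// successfully issued; a client should persist it across runs.
type IssuanceLog []time.Time

// inWindow returns the issuances in (now-window, now], oldest first.
func (l IssuanceLog) inWindow(now time.Time) []time.Time {
	var out []time.Time
	for _, t := range l {
		if t.After(now.Add(-DuplicateCertWindow)) && !t.After(now) {
			out = append(out, t)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Before(out[j]) })
	return out
}

// CanIssue reports whether one more issuance at `now` stays within the limit.
func (l IssuanceLog) CanIssue(now time.Time) bool {
	return len(l.inWindow(now)) < DuplicateCertLimit
}

// EarliestNextIssuance returns `now` when an issuance is allowed, otherwise
// the moment the oldest blocking issuance ages out of the window.
func (l IssuanceLog) EarliestNextIssuance(now time.Time) time.Time {
	recent := l.inWindow(now)
	if len(recent) < DuplicateCertLimit {
		return now
	}
	// A slot frees once the (len-limit+1)-th oldest entry leaves the window.
	return recent[len(recent)-DuplicateCertLimit].Add(DuplicateCertWindow)
}

func main() {
	day := 24 * time.Hour
	for _, iv := range []time.Duration{4 * day, 3 * day, day} {
		fmt.Printf("renew every %v: peak %d per window, fits=%v\n",
			iv, PeakIssuancesPerWindow(iv), ScheduleFits(iv))
	}
	// Constructed history: five issuances in the last six days, e.g. a client
	// that kept re-issuing because the service never picked up the new cert.
	now := time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC)
	log := IssuanceLog{now.Add(-6 * day), now.Add(-5 * day), now.Add(-4 * day), now.Add(-3 * day), now.Add(-2 * day)}
	fmt.Println("can issue now:", log.CanIssue(now), "earliest:", log.EarliestNextIssuance(now))
}
```

Renewing a six-day certificate at two thirds of its lifetime (every four days) peaks at two issuances per window, well under the limit; renewing daily peaks at seven and will be refused before the week is out. The runtime guard is the piece that matters when automation misbehaves: it turns "the CA rejected us" into a known wait time instead of a string of failed orders.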

IP address certificates & BGP/RPKI

  • Attack surface is debated: many note BGP hijack–based issuance attacks already exist for domain certs using HTTP/TLS challenges.
  • Proposed mitigations include multi‑vantage validation and tying issuance to IPs whose origin AS participates in RPKI; feasibility is unclear.
  • Let’s Encrypt’s six‑day maximum for IP certs is justified as limiting abuse, especially in cloud environments where IPs are frequently recycled between tenants.

Use cases and limitations of IP certs

  • Use cases mentioned: DoH/DDR resolvers, easy-to-remember diagnostic IPs, cloud demos where getting a domain is bureaucratically hard, and bootstrapping OAuth/tunnel tooling without a domain.
  • No public CA issues certs for private RFC 1918 IPs; the suggestion is to use DNS names (possibly internal ones) or a private CA instead.

Certificate Transparency & ecosystem tooling

  • Short-lived certs will greatly increase CT log volume; CT monitors already face scalability issues but want full historical records.
  • Some ACME clients and servers (e.g., Caddy, CertMagic, others) are already adding support for ACME profiles and short‑lived cert workflows.