Let's Encrypt Now Issues Six-Day Certificates and IP Address Certificates via Certbot

Let's Encrypt and the EFF have announced support for six-day (160-hour) certificates and IP address certificates through Certbot 5.3 and 5.4. The ultra-short-lived certificates reduce the impact window of compromised keys by design, while IP address certificates enable HTTPS for services identified by address rather than hostname.

TechDrop Editorial

Let's Encrypt and the Electronic Frontier Foundation have announced that Certbot now supports two capabilities that fundamentally change how TLS certificates can be used: six-day certificates with a 160-hour validity period, and certificates issued to IP addresses rather than domain names. Together, these features reflect a broader industry shift toward shorter-lived, more granular credentials.

Six-Day Certificates

Traditional TLS certificates are valid for 90 days (Let's Encrypt's default) or up to 398 days from commercial certificate authorities. Six-day certificates, enabled through the --preferred-profile shortlived flag in Certbot 4.0 and later, reduce the validity window to just 160 hours. The security benefit is straightforward: if a private key is compromised, the window during which an attacker can use it is measured in days rather than months.

Short-lived certificates also reduce dependence on certificate revocation, which has long been one of TLS's weakest links. Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP) both have reliability and privacy issues that have led most browsers to implement "soft-fail" checking — meaning a revoked certificate may still be trusted if the revocation check fails. With six-day certificates, revocation becomes less critical because the certificate will expire on its own before most revocation mechanisms would take effect.

IP Address Certificates

Certbot 5.3 introduced the --ip-address flag, allowing certificates to be issued for IP addresses instead of (or in addition to) domain names. This serves use cases where services are accessed by IP — internal infrastructure, IoT devices, development environments, and services behind load balancers that don't have DNS entries.

IP address certificates from Let's Encrypt are always short-lived (160 hours) because IP addresses can change ownership more frequently than domain names. A certificate bound to an IP address that has since been reassigned to a different organization would be a security liability, so the short validity period limits this risk.

Automation Requirements

Six-day certificates require robust renewal automation — manual renewal every week is impractical. Certbot's built-in renewal mechanism handles this automatically, but organizations should verify that their renewal timers run frequently enough and that renewal failures trigger alerts. The EFF recommends running renewals at least twice daily when using short-lived certificates.
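
An added example (not code from Let's Encrypt, the EFF or Certbot): a monitoring check that judges a certificate by the share of its lifetime still remaining, since a fixed threshold such as "alert at 14 days left" cannot work for a 160-hour certificate. The one-third alert threshold, the function names and the sample dates are assumptions made for illustration; the 12-hour timer interval mirrors the twice-daily recommendation above.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample: `openssl x509 -noout -dates` output for a 160-hour certificate.
SAMPLE_DATES = """notBefore=Mar  3 08:00:00 2026 GMT
notAfter=Mar 10 00:00:00 2026 GMT
"""


def parse_dates(text):
    """Parse openssl's notBefore=/notAfter= lines into aware UTC datetimes."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())

    def to_dt(value):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])


def assess(not_before, not_after, now,
           alert_fraction=1 / 3,                  # assumed alerting policy
           timer_interval=timedelta(hours=12)):   # renewal timer runs twice daily
    """Classify a certificate by the share of its lifetime that is left."""
    lifetime = not_after - not_before
    remaining = not_after - now
    if remaining <= timedelta(0):
        status = "EXPIRED"
    elif remaining / lifetime < alert_fraction:
        # Renewal should already have happened; page someone.
        status = "RENEWAL_OVERDUE"
    else:
        status = "OK"
    return {
        "status": status,
        "lifetime_hours": lifetime / timedelta(hours=1),
        "remaining_hours": remaining / timedelta(hours=1),
        # Scheduled timer runs that can still succeed before expiry.
        "attempts_left": max(0, remaining // timer_interval),
    }


if __name__ == "__main__":
    nb, na = parse_dates(SAMPLE_DATES)
    # Constructed clock reading, 40 hours before expiry.
    now = datetime(2026, 3, 8, 8, 0, tzinfo=timezone.utc)
    print(assess(nb, na, now))
```

With 40 hours left, only three twice-daily timer runs remain before expiry, which is why the alert has to fire on lifetime share rather than on a day count.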

Certbot 5.4, the latest version, adds webroot support for IP address certificates, expanding compatibility with web servers that use file-based domain validation.
