Obtaining Short-Lived (6-Day) and IP Address TLS Certificates from Let's Encrypt
Let's Encrypt now offers short-lived certificates valid for approximately 160 hours (~6 days) and IP address certificates as generally available features, accessible by selecting the 'shortlived' ACME profile. Short-lived certificates reduce the post-compromise vulnerability window from up to 90 days down to ~6 days by requiring frequent revalidation and reducing reliance on unreliable revocation mechanisms such as CRL and OCSP. IP address certificates (IPv4 and IPv6) are only available under the short-lived profile and require a fully automated renewal pipeline renewing roughly every 4–5 days.
Indicators
- Need to reduce the TLS certificate revocation vulnerability window below the standard 90-day lifetime
- TLS services are exposed on IP addresses rather than domain names, requiring IP SAN certificates
- Current 90-day certificate lifetime is too long for organisational security or compliance requirements
- Private key compromise has occurred and faster mitigation than revocation provides is needed
- CRL or OCSP revocation is unreliable or ineffective in the target environment
- Requirement to authenticate TLS connections to transient IPv4 or IPv6 addresses
Likely causes
- Certificate private key exposure or compromise requiring rapid certificate cycling
- Reliance on certificate revocation (CRL/OCSP), which is historically unreliable and widely ignored by clients
- Long certificate lifetimes (90 days) leaving systems exposed for extended periods after a compromise event
- IP addresses being more transient than domain names, requiring more frequent ownership revalidation
- Lack of automated certificate renewal preventing adoption of shorter-lived certificate lifetimes
Diagnostic steps
- Verify your ACME client supports certificate profile selection. Check that Certbot or your chosen ACME client is updated to a version that supports the 'shortlived' profile. Consult https://letsencrypt.org for the minimum required version.
- Confirm your certificate renewal process is fully automated. Short-lived certificates (~160 hours) expire in ~6 days; renewal must run automatically every 4–5 days to avoid expiration-related outages.
- If requesting an IP address certificate, confirm the target identifier is an IPv4 or IPv6 address (not a domain name). Note that IP address certificates MUST use the 'shortlived' profile — there is no standard-lifetime option for IP certificates.
- Configure your ACME client to request the 'shortlived' certificate profile. For Certbot, refer to https://letsencrypt.org for the specific flag or configuration directive (e.g., a profile or preferred-chain option). Set this in your Certbot configuration file or renewal hook.
- Request the certificate using your ACME client, targeting either the domain name or IP address as appropriate. After issuance, verify the certificate validity period is approximately 160 hours by running: openssl x509 -in cert.pem -noout -dates
- Validate that the issued certificate contains the correct Subject Alternative Name (SAN) — either a DNS name or an IP address SAN — using: openssl x509 -in cert.pem -noout -text | grep -A2 'Subject Alternative Name'
- Monitor automated renewal to confirm certificates are renewed well before the 160-hour expiration window. Configure alerting (e.g., via a monitoring platform or Certbot renewal hooks) to trigger if renewal fails or the certificate validity drops below a defined threshold.
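As an added example (not Let's Encrypt's or Certbot's code), the following Python turns the two openssl checks and the 4–5 day renewal cadence above into one repeatable monitoring check. It consumes the text those openssl commands print; the 8-hour lifetime tolerance and the 4-day renewal trigger are assumptions, and the sample openssl output is constructed.

```python
# Added example (not Let's Encrypt or Certbot code): post-issuance checks for a
# 'shortlived' (~160 h) certificate, fed the text printed by the two openssl commands.
import ipaddress
import re
from datetime import datetime, timezone

SHORTLIVED_HOURS = 160      # nominal lifetime of the 'shortlived' profile
TOLERANCE_HOURS = 8         # assumption: accept 152..168 h as "approximately 160 h"
RENEW_AFTER_HOURS = 96      # renew every 4-5 days, so flag once the cert is 4 days old
DATE_FMT = "%b %d %H:%M:%S %Y %Z"  # openssl -dates format, e.g. 'Mar  3 09:00:00 2025 GMT'

def parse_dates(dates_output):
    """Return (notBefore, notAfter) as aware UTC datetimes from `openssl x509 -noout -dates`."""
    fields = dict(line.split("=", 1) for line in dates_output.strip().splitlines())
    to_dt = lambda s: datetime.strptime(" ".join(s.split()), DATE_FMT).replace(tzinfo=timezone.utc)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def parse_sans(text_output):
    """Return (dns_names, ip_addresses) from the SAN block of `openssl x509 -noout -text`."""
    m = re.search(r"Subject Alternative Name:.*\n\s*(.+)", text_output)
    dns, ips = [], []
    for entry in (m.group(1).split(",") if m else []):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":  # openssl prints IPv6 uncompressed; compare as address objects
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def check_certificate(dates_output, text_output, expected, now):
    """Return a list of findings; an empty list means the certificate passes every check."""
    nb, na = parse_dates(dates_output)
    dns, ips = parse_sans(text_output)
    hours = (na - nb).total_seconds() / 3600
    findings = []
    if abs(hours - SHORTLIVED_HOURS) > TOLERANCE_HOURS:
        findings.append(f"lifetime {hours:.0f} h is not the ~{SHORTLIVED_HOURS} h shortlived profile")
    try:  # an IP identifier must appear as an IP SAN, a hostname as a DNS SAN
        if ipaddress.ip_address(expected) not in ips:
            findings.append(f"IP SAN {expected} missing")
    except ValueError:
        if expected.lower() not in dns:
            findings.append(f"DNS SAN {expected} missing")
    if now >= na:
        findings.append("certificate has EXPIRED")
    elif (now - nb).total_seconds() / 3600 >= RENEW_AFTER_HOURS:
        findings.append("renewal due: certificate is older than 4 days")
    return findings

# Constructed sample output, not a real issuance: 160 h validity and two IP SANs.
DATES = "notBefore=Mar  3 09:00:00 2025 GMT\nnotAfter=Mar 10 01:00:00 2025 GMT\n"
TEXT = ("            X509v3 Subject Alternative Name: \n"
        "                IP Address:203.0.113.10, IP Address:2001:DB8:0:0:0:0:0:1\n")
```

In a renewal hook, pipe the real openssl output into check_certificate with now set to the current UTC time and alert on any non-empty result.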
Resolution path
- Update your ACME client (e.g., Certbot) to a version that supports the 'shortlived' certificate profile — check letsencrypt.org for the minimum supported version
- Fully automate your certificate renewal pipeline to handle ~6-day certificate lifetimes, scheduling renewal every 4–5 days
- Configure your ACME client to request the 'shortlived' profile when issuing certificates (mandatory for IP address certificates)
- For IP address certificates, ensure the target identifier is an IPv4 or IPv6 address and that the 'shortlived' profile is explicitly selected
- Issue the certificate and verify the validity period is approximately 160 hours: openssl x509 -in cert.pem -noout -dates
- Verify the SAN field contains the correct IP address or DNS name: openssl x509 -in cert.pem -noout -text | grep -A2 'Subject Alternative Name'
- Set up monitoring and alerting to detect renewal failures before certificate expiration causes a service outage
- Plan for the anticipated default certificate lifetime reduction by Let's Encrypt from 90 days toward 45 days over coming years, and begin migration to automation now
Prevention
- Fully automate certificate issuance and renewal to support short-lived certificate lifetimes without manual intervention
- Adopt short-lived certificates to minimise the post-compromise exposure window following a private key leak
- Do not rely solely on certificate revocation (CRL/OCSP) as the primary mitigation for compromised certificates — revocation is widely unreliable
- Monitor certificate expiration and renewal pipeline health continuously with alerting configured below a safe threshold
- Stay informed about Let's Encrypt default lifetime changes (current 90 days trending toward 45 days) and update automation accordingly
- Use IP address certificates with the short-lived profile to ensure frequent revalidation of transient or frequently reassigned IP addresses
- Test renewal automation in a staging environment against Let's Encrypt's staging ACME endpoint before deploying to production
Tools
- Certbot (ACME client with shortlived profile support — check letsencrypt.org for minimum version)
- OpenSSL — openssl x509 -in cert.pem -noout -dates (verify validity period)
- OpenSSL — openssl x509 -in cert.pem -noout -text (verify SAN entries)
- Any RFC 8555-compatible ACME client supporting certificate profile selection
- Let's Encrypt ACME API (profile parameter: 'shortlived')
- Certificate expiry monitoring tool (e.g., Nagios check_ssl_cert, Zabbix, Prometheus blackbox exporter)