An SSL certificate for an IP address secures any public, routable IPv4 or IPv6 address on the open internet, with the IP listed in the certificate’s SAN field so browsers will trust the connection. Public CAs issue these for servers and services reached by IP rather than by domain name. Pricing on the certificates below starts at $44.33/yr, with options for a single public IP or up to 250 IPs on one certificate.
What an SSL Certificate for an IP Address Does
An SSL certificate for an IP address is a publicly-trusted X.509 TLS certificate issued to a public IPv4 or IPv6 address rather than to a domain name. For browsers to trust the connection, the IP must appear in the Subject Alternative Name (SAN) field as an iPAddress entry: the X.509 field that CAs and browsers check during the TLS handshake. Cloudflare’s resolver at https://1.1.1.1 is a familiar example.
HTTPS over an IP works the same way as HTTPS over a domain. There is no protocol difference, no weaker handshake, no compromise on encryption strength. An IP certificate uses the same TLS 1.2 and TLS 1.3 protocols and the same encryption (AES-256 with 2048-bit or stronger RSA keys, or equivalent ECC) as a domain certificate at the same validation level.
Public vs Private IP Addresses: What’s Allowed
Only public IPs can be secured with a publicly-trusted SSL certificate. Since November 2015, the CA/Browser Forum Baseline Requirements have prohibited public CAs from issuing certificates for private IP ranges or internal-only hostnames. Examples include the 10.0.0.0/8 range, 172.16.0.0–172.31.255.255, 192.168.0.0/16, and naming conventions ending in .local, .internal, or .corp. None of these are globally unique, so a certificate issued for them could be impersonated on any other network using the same address.
For a private or internal IP, a self-signed certificate works for testing, and Sectigo Private PKI is the production-grade route: a private CA whose root you install on your own devices.
Common Use Cases for IP Address SSL Certificates
An IP certificate fits any setup where the service is reached by IP rather than DNS. Common cases include:
- Mail servers and SMTP/IMAP gateways that expose admin or relay endpoints by IP, where a domain doesn’t fit the routing model.
- IoT devices, NAS appliances, routers, and firewalls with public-facing admin interfaces: the device has an IP but no DNS record.
- Cloud back-end services and APIs exposed by IP for partner integrations or internal automation.
- Load balancers and reverse proxies running on dedicated IPs in front of multiple internal services.
- Legacy applications and older clients that don’t support Server Name Indication (SNI) and need an IP certificate to negotiate TLS at all.
How to Get an SSL Certificate for Your IP Address
For a single public IP, choose Comodo InstantSSL Pro or Sectigo InstantSSL Pro (Business Validation). For multiple IPs on one certificate (up to 250 SAN entries), choose the GoGetSSL Public IP SAN (Domain Validation).
For the GoGetSSL Public IP SAN, leave the Common Name blank and list the IPs in the SAN section. For InstantSSL Pro, enter the public IP address as the Common Name.
Verify control of the IP using HTTP file-based DCV: the CA gives you a small text file to host at a fixed path on the server reachable at that IP. It is the only validation method the CA/Browser Forum permits for IP certificates; email and DNS challenges are not allowed.
Install the issued certificate on your server and complete a test handshake.
IP Certificate Validity and the Move to Shorter Lifespans
Every publicly-trusted TLS certificate, IP certs included, falls under CA/Browser Forum Ballot SC-081v3, passed in April 2025 and rolling out on a phased schedule. Maximum validity drops to 200 days on March 15, 2026, then to 100 days on March 15, 2027, and to 47 days on March 15, 2029.
For IP cert buyers running a small number of certificates, the change means more frequent renewals; for large deployments, ACME automation starts to look less optional and more like baseline infrastructure.
Frequently Asked Questions
No. Only public, routable IPs are eligible. DV and BV are both available for IP certificates, but EV is not: the CA/Browser Forum does not permit Extended Validation for IPs at all.
Copy Link
Yes. The GoGetSSL Public IP SAN supports up to 250 SAN entries combining public IPs and fully-qualified domain names on a single certificate. For domain-only setups across many hostnames, see the Multi-Domain SAN certificate range.
Copy Link
No. Same TLS 1.2 and 1.3 protocols, same RSA and ECC key options, same warranty levels.
Copy Link
A public CA cannot issue for private IPs. Sectigo Private PKI is the production answer; self-signed certs are only suitable for non-trusted internal testing.
Copy Link
About 5 minutes for the GoGetSSL Public IP SAN (DV). Sectigo and Comodo InstantSSL Pro take 1–2 business days because Business Validation requires verification of company documents.
Copy Link
Don’t know what you need?
Use our SSL Wizard to select your options, and we’ll help you find the right SSL certificate.
Don’t know what you need?
Our Clients & Key Figures
Rated 4.8 out of 5 by 1226 customers
Great selection of certificates with a clear definition of properties for each certificate makes it easy to choose the right one.
Easier and cheaper than going directly and ordering via the vendor, thank you for the information and the simple shopping experience.
Excellent customer service when I ordered the wrong cert! The support team then helped me get the correct cert and refunded me on the incorrect cert I bought! Very fast and a happy customer.
