This is interesting. I am guessing the use case for IP address certs is so your ephemeral services can do TLS communication, but now you don't need to depend on provisioning a record on the name server as well for something that you might be starting hundreds or thousands of, that will only last for like an hour or a day.
The July announcement for IP address certs listed a handful of potential use cases: https://letsencrypt.org/2025/07/01/issuing-our-first-ip-addr...
> I am guessing the use case for ip address certs is so your ephemeral services can do TLS communication
There's also this little thing called DNS over TLS and DNS over HTTPS that you might have heard of? ;)
Yeah actually seems pretty useful to not rely on the name server for something that isn't human facing.
Maybe you want TLS but getting a proper subdomain for your project requires talking to a bunch of people who move slowly?
One thing this can be useful for is encrypted client hello (ECH), the way TLS/HTTPS can be used without disclosing the server name to any listening devices (standard SNI names are transmitted in plaintext).
To use it, you need a valid certificate for the connection to the server which has a hostname that does get broadcast in readable form. For companies like Cloudflare, Azure, and Google, this isn't really an issue, because they can just use the name of their proxies.
For smaller sites, often not hosting more than one or two domains, there is hardly a non-distinct hostname available.
With IP certificates, the outer TLS connection can just use the IP address in its readable SNI field and encrypt the actual hostname for the real connection. You no longer need to be a third party proxying other people's content for ECH to have a useful effect.