As a CA, you may sign a certificate for anything. Public CAs don't do it for IPs for obvious reasons, but if you're Cloudflare or Google, you can coax them with enough money and goodwill to sign a cert for your very expensive quad-single-digit IP, especially if you manage to motivate that request with the fact that the IP is a DNS resolver and can't be pointed at by a domain in the first place.
They're valid because the certificates include ipAddress Subject Alternative Names. PKIX (the RFC explaining how the X.500 system's X.509 certificates are to be repurposed for use on the Internet) explains several different names for Internet things, the "alternative names", and the most common you'll have seen is the dnsName, but ipAddress is also in there.
As to how and when they're issued, section 3.2.2.5 of the Baseline Requirements explains how an Applicant can prove this is their IP address and so they're entitled to a certificate for that address. Note that the CA is entitled to choose which if any of the methods listed in 3.2.2.5 they will use, and it's not uncommon for the answer to be "None of them".
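As an added illustration of the ipAddress Subject Alternative Name described in the comment above (not part of the thread and not code from any participant): a stdlib-only Python example that decodes a SubjectAltName extension value and matches a target IP only against iPAddress entries, never against dNSName text. The function names are hypothetical and the sample bytes are constructed from documentation addresses.

```python
import ipaddress

# GeneralName context tags from RFC 5280, section 4.2.1.6
TAG_DNS_NAME = 0x82    # [2] dNSName, IA5String
TAG_IP_ADDRESS = 0x87  # [7] iPAddress, 4 octets (IPv4) or 16 octets (IPv6)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_san(ext_value):
    """Decode a SubjectAltName extension value into (dns_names, ip_addresses)."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected a single GeneralNames SEQUENCE")
    dns, ips, pos = [], [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == TAG_DNS_NAME:
            dns.append(value.decode("ascii"))
        elif tag == TAG_IP_ADDRESS:
            if len(value) not in (4, 16):
                raise ValueError("iPAddress must be 4 or 16 octets")
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def matches_ip(ext_value, target):
    """True only if target is an iPAddress entry; dNSName text is ignored."""
    _, ips = parse_san(ext_value)
    return ipaddress.ip_address(target) in ips

def der(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length, sample data only

# Constructed sample extension values (not taken from any real certificate).
WITH_IP = der(0x30, der(TAG_DNS_NAME, b"resolver.example")
              + der(TAG_IP_ADDRESS, bytes([192, 0, 2, 53]))
              + der(TAG_IP_ADDRESS, ipaddress.ip_address("2001:db8::53").packed))
DNS_ONLY = der(0x30, der(TAG_DNS_NAME, b"192.0.2.53"))  # IP written as a DNS name
```

`DNS_ONLY` shows the failure mode worth checking for when auditing certificates: an address typed into a dNSName entry does not make the certificate valid for that IP.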
> Note that the CA is entitled to choose which if any of the methods listed in 3.2.2.5 they will use, and it's not uncommon for the answer to be "None of them".
That's not what the baseline says:
> The CA SHALL confirm that prior to issuance, the CA has validated each IP Address listed in the Certificate using at least one of the methods specified in this section.
You are confusing 3.2.2.5.4 with "no verification". It's done, just that the baseline trusts that you are not an idiot and have some basis to confirm the IP address belongs to someone. And even that particular section has a sunset clause:
> CAs SHALL NOT perform validations using this method after July 31, 2019. Completed validations using this method SHALL NOT be re‐used for certificate issuance after July 31, 2019. Any certificate issued prior to August 1, 2019 containing an IP Address that was validated using any method that was permitted under the prior version of this Section 3.2.2.5 MAY continue to be used without revalidation until such certificate naturally expires.
Ah, I thought about my choice of phrase "None of them" and I regretted it but was busy.
I meant that it's not uncommon to just not issue such certificates, rather than that you don't verify but you issue anyway; you don't verify because you always refuse to issue.