
315 points Bogdanp | 6 comments
vkdelta ◴[] No.44380805[source]
Does it help getting encrypted HTTPS (without a self-signed cert error) on my local router? 192.168.0.1 being an example login page.
1. dark-star ◴[] No.44382265[source]
No, but you can do something closely related:

- get a domain name (foo.com) and get certificates for *.foo.com

- run a DNS resolver that maps a.b.c.d.foo.com (or a-b-c-d.foo.com) to the corresponding private IP a.b.c.d

- install the foo.com certificate on that private IP's device

Then you can connect to devices in your local network via IP by using https://192-18-1-1.foo.com

Since you need to install the certificate in step 3 above, this works better with long-lived certificates, of course, but automation helps there.

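The name-to-address mapping from the resolver step in the comment above, as an added example that is not part of the thread. The function name `resolve`, the `ZONE` constant and the policy of answering only for RFC 1918 addresses are assumptions of this sketch; a real resolver would call it from its query handler.

```python
import ipaddress
import re

ZONE = "foo.com"  # example domain from the comment; replace with your own zone

# One octet without leading zeros, so "01" cannot be read as a second spelling of 1.
_OCT = r"(0|[1-9]\d{0,2})"
# a-b-c-d.<zone> or a.b.c.d.<zone>; the separator must be the same throughout (\2).
_NAME_RE = re.compile(
    rf"^{_OCT}([-.]){_OCT}\2{_OCT}\2{_OCT}\.{re.escape(ZONE)}\.?$",
    re.IGNORECASE,
)

# Assumed policy: only private ranges get an answer. Loopback, link-local and
# public addresses are refused, so a name under the wildcard certificate can
# only ever point at a LAN host.
_PRIVATE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def resolve(qname: str):
    """Return the IPv4Address encoded in qname, or None (answer NXDOMAIN)."""
    m = _NAME_RE.match(qname.strip())
    if m is None:
        return None  # wrong zone, extra labels, or not an encoded address
    octets = (m.group(1), m.group(3), m.group(4), m.group(5))
    try:
        addr = ipaddress.IPv4Address(".".join(octets))
    except ipaddress.AddressValueError:
        return None  # an octet above 255
    if not any(addr in net for net in _PRIVATE):
        return None
    return addr


if __name__ == "__main__":
    # Constructed sample queries.
    for name in ("192-168-0-1.foo.com", "10.0.0.5.foo.com.",
                 "192-18-1-1.foo.com", "127-0-0-1.foo.com"):
        print(f"{name:24} -> {resolve(name)}")
```

The hostname as written in the comment, 192-18-1-1.foo.com, decodes to 192.18.1.1, which is outside the private ranges, so this sketch returns no answer for it.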
2. michaelt ◴[] No.44382457[source]
I considered doing that for a project once.

Then I realised that when my internet was down, 192-18-1-1.foo.com wouldn't resolve. And when my internet is down is exactly when I want to access my router's admin page.

I decided simply using unencrypted HTTP is a much better choice.

3. yjftsjthsd-h ◴[] No.44382624[source]
> Then I realised that when my internet was down, 192-18-1-1.foo.com wouldn't resolve.

Just add a local DNS entry on your local DNS server (likely your router).

4. michaelt ◴[] No.44382837{3}[source]
I could start running my own DNS server, and start manually curating all the important entries in it, sure.

Or I could just use HTTP, or a self-signed certificate. If an attacker intercepts traffic on twenty feet of ethernet cable in my home's walls, I've probably got bigger problems than protecting my router admin password.

5. briHass ◴[] No.44383727[source]
Cloudflare DNS (probably others as well) allows you to enter private IPs for subdomains, so you don't have to run your own DNS. There's no AXFR enabled, so no issues with privacy unless you have someone really determined to dictionary-attack your subdomains.
6. jeroenhd ◴[] No.44385344{3}[source]
You don't even need to, mDNS has been enabled by default by most devices for ages now. You'll have to look up what name your manufacturer chose (if you use Windows, you can usually hit the network explorer tab and it'll be right in there, don't know about other OSes). It'll even work if IPv4 is broken (if you ran out of DHCP leases or whatever) because it almost always natively runs on IPv6 too.