June 18, 2015
SSLMate 1.3.0 was released today, featuring automatic generation of a variety of certificate formats, including PKCS#12 (aka PFX) and Java Keystore.
Traditionally, SSLMate created key and certificate files only in PEM format (specifically, the PEM encoding of the ASN.1 DER serialization of the private key or the X.509 certificate). This is the default file format of the OpenSSL command line tools and is accepted by the most common server applications on Unix platforms. This left other users, particularly of Java applications such as Tomcat, needing to perform manual conversions of certificate files using obscure commands - exactly the problem that SSLMate tries to solve.
So, SSLMate can now create the following types of files:
combined – a concatenation of the private key, certificate, and intermediate certificate chain, in PEM encoding. This is intended for programs like haproxy that require you specify the private key and certificate in the same file.
p12 – a PKCS#12 (also known as PFX) file containing the private key, certificate, and intermediate certificate chain. The password for the file is
jks – a Java Keystore file containing the private key, certificate, and intermediate certificate chain. The password for the file is
sslmate. (Note: the
keytoolprogram from the Java Runtime Environment must be installed to use this format.)
root – the root certificate, in PEM encoding.
chain+root – the intermediate certificate chain, including the root certificate, in PEM encoding. This is required by nginx for OCSP stapling.
To enable a particular format, put the following in your SSLMate config file,
replacing name with one of the bolded names from the above list (e.g.
Once a format is enabled, a file of that format will be created by any call to
sslmate renew, or
sslmate reissue. So you can configure your
application to directly use the files created by SSLMate, and when a renewed certificate is downloaded, your application
can automatically use the new certificate.
Now that SSLMate supports these formats, expect to see additional applications supported by
sslmate mkconfig in the near future.
SSLMate now preserves the filesystem permissions of key and certificate files when updating them. By default, files containing the private key have restrictive permissions (0600) and other files have world-readable permissions (0644). This is usually sufficient, since most server applications read the private key as root before dropping to a less privileged user. However, some applications read the private key after dropping to an unprivileged user, making the default 0600 permissions too restrictive. You can now set whatever filesystem permissions you like on your key files: user ownership, group ownership, traditional permissions, and (on Linux only) even filesystem ACLs, and SSLMate won't revert them back to their restrictive defaults.
Of course, you should make sure the permissions of private keys
are no more permissive than necessary. Linux filesystem ACLs
are useful for this. For example, if your application runs as user
you can set a read-only ACL for that user by running
setfacl -m user:appuser:r /etc/sslmate/example.com.key.
Getting SSLMate 1.3.0
If you've installed SSLMate through APT or Yum,
upgrading to 1.3.0 is as simple as running
apt-get update && apt-get upgrade or
yum update. If you're using Homebrew, an updated formula should be available
in the near future. Otherwise, head over to our install page or our
to download and install the new version.