SSLMate 1.3.0: Certificate Formats for Everyone
SSLMate 1.3.0 was released today, featuring automatic generation of a variety of certificate formats, including PKCS#12 (aka PFX) and Java Keystore.
Traditionally, SSLMate created key and certificate files only in PEM format (specifically, the PEM encoding of the ASN.1 DER serialization of the private key or the X.509 certificate). This is the default file format of the OpenSSL command line tools and is accepted by the most common server applications on Unix platforms. This left other users, particularly of Java applications such as Tomcat, needing to perform manual conversions of certificate files using obscure commands - exactly the problem that SSLMate tries to solve.
So, SSLMate can now create the following types of files:
- **combined** – a concatenation of the private key, certificate, and intermediate certificate chain, in PEM encoding. This is intended for programs like haproxy that require you to specify the private key and certificate in the same file.
- **p12** – a PKCS#12 (also known as PFX) file containing the private key, certificate, and intermediate certificate chain. The password for the file is `sslmate`.
- **jks** – a Java Keystore file containing the private key, certificate, and intermediate certificate chain. The password for the file is `sslmate`. (Note: the `keytool` program from the Java Runtime Environment must be installed to use this format.)
- **root** – the root certificate, in PEM encoding.
- **chain+root** – the intermediate certificate chain, including the root certificate, in PEM encoding. This is required by nginx for OCSP stapling.
To enable a particular format, put the following in your SSLMate config file, replacing `name` with one of the bolded names from the above list (e.g. `combined`):

```
cert_format.name yes
```
Once a format is enabled, a file of that format will be created by any call to `sslmate download`, `sslmate buy`, `sslmate renew`, or `sslmate reissue`. So you can configure your application to directly use the files created by SSLMate, and when a renewed certificate is downloaded, your application can automatically use the new certificate.

Now that SSLMate supports these formats, expect to see additional applications supported by `sslmate mkconfig` in the near future.
File Permissions
SSLMate now preserves the filesystem permissions of key and certificate files when updating them. By default, files containing the private key have restrictive permissions (0600) and other files have world-readable permissions (0644). This is usually sufficient, since most server applications read the private key as root before dropping to a less privileged user. However, some applications read the private key after dropping to an unprivileged user, making the default 0600 permissions too restrictive. You can now set whatever filesystem permissions you like on your key files: user ownership, group ownership, traditional permissions, and (on Linux only) even filesystem ACLs, and SSLMate won't revert them back to their restrictive defaults.
Of course, you should make sure the permissions of private keys are no more permissive than necessary. Linux filesystem ACLs are useful for this. For example, if your application runs as user `appuser`, you can set a read-only ACL for that user by running `setfacl -m user:appuser:r /etc/sslmate/example.com.key`.
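One check worth running after enabling the new formats: every file that carries the private key (the `.key` file, the combined PEM, and the p12 and jks keystores, which are otherwise protected only by the fixed password `sslmate`) should be unreadable by "other". The script below is an added example, not SSLMate's own code; it assumes Linux (GNU `stat`) and the file names are made up for the demonstration.

```shell
#!/bin/sh
# Audit SSLMate-managed files for private-key exposure (added example).
# Assumes GNU stat (Linux). File names used in the demo are constructed.

# perm_digits FILE -> prints FILE's mode in octal, e.g. 600 or 644.
perm_digits() {
    stat -c '%a' "$1"
}

# other_can_read FILE -> exit 0 if the "other" class has the read bit set.
# Note: with a Linux ACL such as "setfacl -m user:appuser:r", the group
# digit shows the ACL mask (e.g. 640); that is expected and still passes.
other_can_read() {
    d=$(perm_digits "$1") || return 2
    o=${d#"${d%?}"}              # last octal digit = "other" permissions
    [ $(( o & 4 )) -ne 0 ]
}

# audit_key_files FILE... -> prints one verdict per file and returns the
# number of files that are missing or readable by "other" (0 = all good).
audit_key_files() {
    bad=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            printf 'MISSING  %s\n' "$f"; bad=$((bad + 1)); continue
        fi
        if other_can_read "$f"; then
            printf 'EXPOSED  %s (mode %s)\n' "$f" "$(perm_digits "$f")"
            bad=$((bad + 1))
        else
            printf 'ok       %s (mode %s)\n' "$f" "$(perm_digits "$f")"
        fi
    done
    return "$bad"
}

# Demo on constructed, empty files (no real key material): an SSLMate-style
# set in which the .p12 has been left world-readable.
demo_dir=$(mktemp -d)
for ext in key combined p12 jks; do : > "$demo_dir/example.com.$ext"; done
chmod 600 "$demo_dir/example.com.key" "$demo_dir/example.com.combined" \
          "$demo_dir/example.com.jks"
chmod 644 "$demo_dir/example.com.p12"
rc=0
audit_key_files "$demo_dir"/example.com.key "$demo_dir"/example.com.combined \
                "$demo_dir"/example.com.p12 "$demo_dir"/example.com.jks || rc=$?
echo "exposed files: $rc"
rm -rf "$demo_dir"
```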
Getting SSLMate 1.3.0
If you've installed SSLMate through APT or Yum, upgrading to 1.3.0 is as simple as running `apt-get update && apt-get upgrade` or `yum update`. If you're using Homebrew, an updated formula should be available in the near future. Otherwise, head over to our install page or our GitHub repository to download and install the new version.