Skip to content

Introduction

This documentation applies to the Basic SSLMate service. If you are using SSLMate for SaaS, please see the APIv3 reference instead.

The SSLMate API is centered around REST principles. Requests are made to predictable, resource-oriented URLs using standard HTTP verbs and HTTP authentication. Request arguments are encoded as key/value pairs in standard HTTP form encoding (application/x-www-form-urlencoded), and are passed in either the query string (for GET requests) or in the request body (for POST requests). All responses, including errors, are JSON. Requests and responses use the UTF-8 character encoding.

SSLMate will only make backwards-compatible changes to this API endpoint (e.g. adding new requests, adding new attributes to responses, adding new optional arguments to requests). Backwards-incompatible changes will be avoided if at all possible, but should such a change become necessary, SSLMate will create a new API endpoint with a higher version number, and preserve the old API endpoint for at least 12 months following the introduction of the new endpoint.

You may want to consult the cookbook of common operations for guidance on how to purchase, renew, and reissue a certificate.

Feel free to get in touch if you have any questions or need help using the API. SSLMate is happy to help!

API Endpoint

https://sslmate.com/api/v2

Authentication

You authenticate to the SSLMate API by providing either your username and password, or your API key, which can be found on your account page. Your API key has almost complete access to your account, so you should keep it secret.

Authentication uses HTTP Basic Auth. When authenticating with your API key, provide the key as the basic auth username and leave the password empty.

Authenticating with your API key is equivalent to authenticating with your username and password.

Example Request

curl https://sslmate.com/api/v2/certs/example.com \ -u 123_sampleapikey:

Sandbox

To facilitate testing, SSLMate operates a sandbox website at https://sandbox.sslmate.com, with its own API endpoint (shown to the right). Purchases made on the sandbox website are free and certificates are signed by an untrusted testing certificate authority.

The sandbox website uses its own user account database, so you must sign up for a separate account on the sandbox site. Your sandbox API credentials are available on your account page on the sandbox site.

Sandbox API Endpoint

https://sandbox.sslmate.com/api/v2

Errors

SSLMate uses standard HTTP response codes to indicate the success or failure of an API request. Codes in the 2xx range indicate success, codes in the 4xx range indicate an error with the request, and codes in the 5xx range indicate an error with SSLMate's servers.

The following JSON object is returned by the server for any unsuccessful request:

Attributes
reason string A short machine-readable code that describes the error. The code for a particular error is guaranteed not to change.
message string A human-readable message. The value of this attribute is only suitable for human consumption; the exact wording of messages may change without notice. For a machine-readable code, use the reason attribute.
param string The name of the request parameter that was invalid. Only present if the error is parameter-specific.
retry_after integer Number of seconds after which to retry the request. If this attribute is present, the client should only retry the request after this many seconds have elapsed.

Example Error

{ "reason": "bad_bitsize", "message": "RSA keys must be 2048, 3072, or 4096 bits", "param": "csr" }

Expanding objects

Some objects contain attributes marked "expandable." These attributes are not included in responses by default, but can be included by passing the name of the attribute in the expand parameter to the query string of the request.

The expand parameter is available for all API requests, and applies to the response to that request only. You can expand attributes of nested objects using the dot character. For example, expanding current.crt on a certificate object will expand the current attribute into a full certificate instance, and then expand the crt attribute of that certificate instance into a full certificate string.

You can expand multiple attributes by specifying the expand parameter multiple times. Note that the expand parameter is always passed in the query string, even for POST requests.

Example Request

curl https://sslmate.com/api/v2/certs/example.com?expand=current.crt \ -u 123_sampleapikey:

Certificates and Certificate Instances

The SSLMate API is centered around two types of objects: certificates and certificate instances.

Certificate objects specify the desired properties (e.g. CSR, approval method) for a particular host's certificate. Certificate instances represent a specific instantiation of a certificate and are created when a certificate is bought or reissued. There is a one-to-many relationship between certificates and certificate instances. For example, the certificate for www.example.com might contain three instances: one instance that was created when the cert was bought on March 10, 2014, a second instance that was created when the cert was reissued on April 8, 2014, and a third instance that was created when the cert was bought again (for renewal) on March 10, 2015.

Certificate instances are created when you buy or reissue a certificate object. The new certificate instance will use the details (CSR, approval method, etc.) of the certificate object at the time of the purchase/reissue. To purchase a brand-new certificate, you would first create a certificate object with the desired CSR and approval details, and then buy the certificate. The signed X509 certificate will be stored in the newly-created certificate instance (once approved).

Certificate instances are immutable. To reissue a certificate with a new key, you would not modify a particular instance, but rather update the CSR of the certificate object, and then reissue that certificate object, creating a new certificate instance corresponding to the new CSR/key. Changing the attributes of a certificate object does not affect any existing instances.

Certificates

The certificate object

Attributes
exists boolean Whether a certificate with this common name exists in your account. Read-only
cn string The common name. Read-only
wildcard boolean Read-only
dn object JSON object describing the distinguished name (DN) of this certificate, to be used when generating a CSR. Each element of the hash corresponds to different attribute of the DN. Read-only
auto_renew boolean If true, the certificate will be automatically renewed prior to expiration. Note: automatic renewal requires you to use HTTP or DNS approval, and to integrate your HTTP server or DNS provider with SSLMate, as described in the approval documentation.
muted boolean If true, expiration reminders are not sent.
approval_method string or null How domain control is verified: "email", "http", or "dns". null if and only if exists is false.
approver_email string The email address to which domain validation emails should be sent. This attribute is present if and only if approval_method is "email".
http_approval object This attribute is deprecated. To approve a certificate using HTTP, please set up an HTTP approval integration with your web server.
dns_approval object An approval object with DNS options describing how to approve this certificate over DNS. This attribute is present if and only if approval_method is "dns".
type string or null The type of the certificate: "dv" or "ev". Changing this attribute only affects future renewals and purchases. The current active instance does not change type. null if and only if exists is false.
sans array or null

An array of SAN (subject alternative name) objects representing the additional subject alternative names of this certificate. If null, SSLMate uses default SANs.

Only the additional SANs are present in this array; since SSLMate always adds a SAN for the common name it is not included here.

When creating or updating a certificate, the sans parameter should be specified as a string containing the JSON serialization of the array, or the string "null".

tags array

An array of strings representing user-defined tags for this certificate object.

When creating or updating a certificate, the tags parameter should be specified as a string containing the JSON serialization of the array.

csr string PEM-encoded CSR in PKCS#10 format. Guaranteed to have a trailing newline character. Only present if expanded. Expandable
pubkey_hash string or null The SHA-256 hash of the CSR's DER-encoded public key, encoded in lowercase hex. null if and only if exists is false. Read-only
current_download string or null A public URL from which you can download the current certificate instance, plus chain, as a sequence of PEM-encoded X.509 certificates. The URL stays the same even as the current certificate instance changes and does not require authentication. If the certificate doesn't have a current certificate instance, the URL returns an empty response with HTTP code 202. null if and only if exists is false. Read-only
current object The current active certificate instance for this certificate, if one exists. Only present if expanded. Expandable
pending object The current pending certificate instance for this certificate, if one exists. Only present if expanded. Expandable

Example certificate

{ "exists": true, "cn": "www.example.com", "wildcard": false, "dn": { "C": "US", "ST": "CA", "L": "Berkeley", "O": "SSLMate", "CN": "www.example.com" }, "auto_renew": true, "muted": false, "approval_method": "email", "approver_email": "webmaster@example.com", "type": "dv", "sans": null, "tags": ["alice", "bob"], "pubkey_hash": "70e7aa036fb4dc2c8d8f...98ce6cae7048f2f54d48", "current_download": "https://certs.sslmate.com/..." }

Create/update a certificate

Given a common name, create or update the certificate object for that common name.

If a certificate with this common name already exists in your account, then all arguments are optional in the request. Only the certificate attributes specified in the request are updated; all others keep their current values.

If no certificate with this common name exists in your account, one will be created, in which case all the arguments marked "required for new certs" must be specified.

Arguments
csr PEM-encoded CSR in PKCS#10 format. Required for new certs. See the Generating CSRs section for more information about CSRs.
approval_method "email", "http", or "dns". Required for new certs.
approver_email Email address for email approval. Required for new certs if approval_method is "email".
type Type of certificate. Defaults to "dv" for new certs.
sans

Either the string "null" or a string containing a JSON array of SAN (subject alternative name) objects representing the additional subject alternative names of this certificate. Defaults to "null" for new certs, which means the default SANs will be used.

After changing the SANs of an existing certificate object, you must reissue the certificate to issue a certificate with the updated SANs.

Do not include a SAN for the common name in this array. SSLMate always adds a SAN for the common name so it doesn't need to be included here.

auto_renew If true, the certificate will be automatically renewed prior to expiration.
muted If true, expiration reminders are not sent.
tags A string containing a JSON array of strings representing user-defined tags for this certificate object.
tags.TAGNAME Add (by specifying a value of 1) or remove (by specifying a value of 0) the user-defined tag named TAGNAME.
Returns

Returns a certificate object if the request was valid, and returns an error otherwise.

Definition

POST https://sslmate.com/api/v2/certs/COMMON_NAME

Example Request

curl https://sslmate.com/api/v2/certs/example.com \ -u 123_sampleapikey: \ --data-urlencode csr=$'-----BEGIN CERTIFICATE REQUEST-----...' \ -d approval_method=email \ -d approver_email=webmaster@example.com \ -d tags.tagtoadd=1 \ -d tags.tagtoremove=0

Example Response

See certificate object.

Buy a certificate

Purchase and issue a certificate instance for the certificate object with the given common name. A new certificate instance will be created using the type, approval_method, approver_email, and csr of the certificate object. Therefore, you must have already created or updated the certificate object with the desired parameters. Your account will be charged for the purchase, and the expiration date of the new certificate instance will be one year from today's date.

Arguments
invoice_note A custom note to be included with the invoice for this purchase.
email_invoice_to Email address to which a copy of the invoice should be sent.
Returns

Returns the newly-created certificate instance object if the purchase succeeds, and returns an error otherwise.

The certificate instance will be in the pending state until it is approved. You should poll for the certificate instance until it becomes active, as described under Retrieve a certificate instance.

Definition

POST https://sslmate.com/api/v2/certs/COMMON_NAME/buy

Example Request

curl https://sslmate.com/api/v2/certs/example.com/buy \ -u 123_sampleapikey: \ -X POST

Example Response

See certificate instance object.

Reissue a certificate

Reissue a certificate instance for the certificate object with the given common name. A new certificate instance will be created using the type, approval_method, approver_email, csr, and sans of the certificate object. The new certificate instance will have the same expiration date as the certificate's current active instance. An active, non-expired certificate instance must exist for this certificate.

There are two scenarios when you would want to reissue a certificate:

  • You need to rekey because a key has been lost or compromised. To rekey, you should first update the certificate object with a new CSR for the new key, and then make a reissue request. There is no charge for the rekey.
  • You need to add or remove SANs. You should first update the certificate object with a new sans array, and then make a reissue request. You will be charged for any net increase in SANs.
Returns

Returns the newly-created certificate instance object if the reissue succeeds, and returns an error otherwise.

The certificate instance will be in a pending state until it is approved. You should poll for the certificate instance until it becomes active, as described under Retrieve a certificate instance.

Definition

POST https://sslmate.com/api/v2/certs/COMMON_NAME/reissue

Example Request

curl https://sslmate.com/api/v2/certs/example.com/reissue \ -u 123_sampleapikey: \ -X POST

Example Response

See certificate instance object.

Redo certificate approval

Redo certificate approval for the given certificate's pending instance, using the approval settings from the certificate object. If using email approval, the email will be (re-)sent. If using HTTP approval, the file will be (re-)fetched. If using DNS approval, the DNS record will be (re-)checked.

This request can be used if you have changed a certificate's approval details while an instance was pending and you would like to use the new details to approve the pending instance, or if the first attempt at approval failed and you need to try again.

The certificate must have a pending instance for this request to succeed.

Returns

Returns the certificate's pending certificate instance object if the action succeeds, and returns an error otherwise.

Definition

POST https://sslmate.com/api/v2/certs/COMMON_NAME/redo_approval

Example Request

curl https://sslmate.com/api/v2/certs/example.com/redo_approval \ -u 123_sampleapikey: \ -X POST

Example Response

See certificate instance object.

Revoke a certificate

Revoke one or more certificate instances for the certificate object with the given common name. By default, all certificate instances except for the active one are revoked. If the all argument is true, even the active instance is revoked. See the general documentation on revoking for more information.

Arguments
all If "true", all certificate instances are revoked, even the active instance. See the documentation on revoking for a warning about revoking all instances.
Returns

Returns the following object if the revoke succeeded, and returns an error otherwise.

Attributes
status string "pending" if the revocation is pending, or "revoked" if the revocation has completed.
num_revoked integer The number of instances that have been revoked.
num_active integer The number of instances that are still active.
num_imported integer The number of instances that could not be revoked because they were imported.

Definition

POST https://sslmate.com/api/v2/certs/COMMON_NAME/revoke

Example Request

curl https://sslmate.com/api/v2/certs/example.com/revoke \ -u 123_sampleapikey: \ -X POST

Example Response

{ "status": "pending", "num_revoked": 3, "num_active": 1, "num_imported": 0, }

Test a certificate

Test the installation of the given certificate by conducting a TLS handshake with one or more hosts (by default, the common name of the certificate is used as the hostname) and checking that the active certificate instance is served correctly.

Arguments
hostname The hostname or IP address to test. Argument be specified more than once to test multiple hosts. Defaults to all valid hostnames of the certificate (common name plus subjectAltNames).
port The port number to test. Defaults to 443 (HTTPS).
Returns

Returns the following object if you have an active certificate in your account with this common name, and returns an error otherwise.

Attributes
result array An array of test result objects, one per host tested. If a hostname resolves to multiple IPv4 or IPv6 addresses, they will all be tested and returned in separate test results.
The test result object
Attributes
hostname string The hostname to which this result applies.
ip_address string The IPv4 or IPv6 address to which this result applies.
status string One of: "conclusive" (the test produced a conclusive result), "connect_error" (could not connect to this host), "handshake_error" (TLS handshake failed), or "internal_error".
correct bool True if and only if the correct certificate was served. This attribute is present if and only if status is "conclusive".
chained bool True if and only if the correct certificate chain was served. This attribute is present if and only if status is "conclusive".
dummy bool True if and only if the the certificate was a temporary certificate. This attribute is present if and only if status is "conclusive".
error string A human-readable error message. This attribute is present if and only if status is not "conclusive".

Definition

GET https://sslmate.com/api/v2/certs/COMMON_NAME/test

Example Request

curl https://sslmate.com/api/v2/certs/example.com/test \ -u 123_sampleapikey:

Example Response

{ "result": [ { "hostname": "example.com", "ip_address": "198.51.100.125", "status": "conclusive", "correct": true, "chained": true, "dummy": false }, { "hostname": "example.com", "ip_address": "2001:db8:c40:8a::1", "status": "conclusive", "correct": true, "chained": true, "dummy": false } ] }

Retrieve a certificate

Given a common name, return the certificate object for that common name. If no certificate with this common name exists in your account, the exists attribute in the returned object will be false.

Returns

Returns a certificate object if a valid common name was provided, and returns an error otherwise.

Definition

GET https://sslmate.com/api/v2/certs/COMMON_NAME

Example Request

curl https://sslmate.com/api/v2/certs/example.com \ -u 123_sampleapikey:

Example Response

See certificate object.

Certificate instances

The certificate instance object

Attributes
id integer Unique ID. Read-only
state string pending, active, expired, revoked, or canceled. Read-only
expiring boolean This certificate is active but expiring imminently. Read-only
source string Either "sslmate" (purchased from SSLMate) or "import" (imported to SSLMate). Read-only
type string or null The type of this certificate (e.g. "dv"). May be null only if this certificate is imported. Read-only
sans array or null An array of SAN (subject alternative name) objects representing the subject alternative names of this certificate instance. Null if the certificate instance uses the default SANs.
pubkey_hash string The SHA-256 hash of this certificate's DER-encoded public key, encoded in lowercase hex. Read-only
sha1_fingerprint string or null The SHA-1 hash (in lowercase hex) of the DER-encoded certificate. Read-only
sha256_fingerprint string or null The SHA-256 hash (in lowercase hex) of the DER-encoded certificate. Read-only
expiration timestamp or null The expiration time of this certificate, as a UNIX timestamp (number of seconds since January 1, 1970). Read-only
csr string PEM-encoded CSR in PKCS#10 format. Guaranteed to have a trailing newline character. Only present if expanded. Expandable Read-only
crt string PEM-encoded X509 certificate. Guaranteed to have a trailing newline character. Only present if expanded. Expandable Read-only
chain array An array of zero or more PEM-encoded X509 certificates that form the intermediate certificate chain for this certificate. The first certificate in the chain issued this certificate, and the last certificate in the chain was issued by a root certificate. The root certificate itself is not included. Each certificate is terminated with a newline character. Only present if expanded. Expandable Read-only
root string The PEM-encoded X509 root certificate (the issuer of the last certificate in the chain, or of this certificate if the chain is empty). Guaranteed to have a trailing newline character. Only present if expanded. Expandable Read-only
invoice_id string or null Invoice ID for the purchase of this certificate. Null if no invoice was issued for the certificate, which can happen if the cert was free or imported. Read-only
approval_method string or null How domain control was verified. Null for imported certs. Read-only
approver_email string The email address used to approve the certificate. Applicable if and only if approval_method is "email". Read-only
approval_email_from string The email address from which the approval email was sent. Applicable if and only if approval_method is "email". Read-only

Example certificate instance

{ "id": 331, "state": "active", "expiring": false, "source": "sslmate", "type": "dv", "pubkey_hash": "70e7aa036fb4dc2c8d8f...98ce6cae7048f2f54d48", "sha1_fingerprint": "75d46dc4e46045617b65897b6870042565d95512", "sha256_fingerprint": "923ed7d285fbf9086ced...d02b16fd4bade8266d70", "expiration": 1427442542, "invoice_id": 1001, "approval_method": "email", "approver_email": "webmaster@example.com", "approval_email_from": "sslorders@geotrust.com" }

Retrieve a certificate instance

Retrieve a certificate instance object for the certificate object with the given common name. Instances can be retrieved either by their unique instance ID, or by the value of their pubkey_hash attribute. If a certificate has more than one instance with the requested pubkey_hash, then the most recent active instance is returned.

Arguments
poll If this argument is specified, and the certificate instance is pending, the server will wait until the certificate instance is no longer pending before returning a result. The server will wait at most the number of seconds specified by the poll argument, but may return sooner even if the certificate instance is still pending. The client should be prepared to retry the request.
Returns

Returns a certificate instance object if the requested certificate instance exists, and returns an error otherwise. If the poll argument was specified, and the certificate instance is still pending, a 412 Precondition Failed error is returned. The error object's retry_after attribute will be set, and the client must not retry the request until after this many seconds have elapsed.

Definition

GET https://sslmate.com/api/v2/certs/COMMON_NAME/instances/INSTANCE_ID
GET https://sslmate.com/api/v2/certs/COMMON_NAME/instances/pubkey_hash:HASH

Example Request

curl https://sslmate.com/api/v2/certs/example.com/instances/512 \ -u 123_sampleapikey:

Example Response

See certificate instance object.

DNS Approval Objects

The DNS approval object describes how a certificate can be approved with DNS. DNS approval works by publishing a DNS record of a specific type with a specific name and value. If you have integrated your SSLMate account with your DNS provider, then you can ignore the approval objects returned by the API. Simply specify "dns" approval when creating the certificate object, and SSLMate will provision the DNS record for you.

DNS approval objects are found in the dns_approval attributes of certificate objects and SAN objects.

Attributes
options array An array of DNS approval option objects, any of which can be used to approve the certificate. Read-only

Example DNS approval object

{ "options": [ { "name": "_8f349882d442dbae4fa4e487f6c312f2.example.com.", "type": "NS", "value": "5.http-approval.sslmate.com." } ] }

The DNS approval option object

Describes the DNS record which you must publish to approve the certificate. The record must be of the given type, have the given name, and resolve to the given value.

Attributes
name string The fully-qualified name of the DNS record that must be published. Read-only
type string The type of the DNS record (e.g. NS or CNAME) that must be published. Read-only
value string The value of the DNS record that must be published. For TXT records, the value will contain the necessary quote characters; do not add your own. Read-only

Example DNS approval option

{ "name": "_8f349882d442dbae4fa4e487f6c312f2.example.com.", "type": "NS", "value": "5.http-approval.sslmate.com." }

Subject Alternative Names (SANs)

A SAN object describes the additional subject alternative name of a certificate. Only the additional SANs are represented by a SAN object; SSLMate always implicitly adds a SAN for the common name.

SAN objects are found in the sans array attribute of certificate and certificate instance objects. If the sans attribute is null, SSLMate adds a set of default SANs to the certificate.

To create a certificate with non-default SANs, pass a string containing a JSON array of SAN objects in the sans argument when creating the certificate.

To change an existing certificate's SANs, pass a string containing a JSON array of SAN objects in the sans argument to the certificate update endpoint. Then, reissue the certificate to issue a certificate with the updated SANs.

The SAN object

Attributes
type string The type of name. Currently only "dns" is supported. Read-only
value string The name itself. In the case of "dns" SANs, this is the hostname. Read-only
approval_method string How control over the name is verified: "email", "http", or "dns".
approver_email string The email address to which domain validation emails should be sent. This attribute is present if and only if approval_method is "email".
http_approval object This attribute is deprecated. To approve a certificate using HTTP, please set up an HTTP approval integration with your web server. Read-only
dns_approval object An approval object with DNS options describing how to approve this certificate over DNS. This attribute is present if and only if approval_method is "dns". Read-only

Example SAN

{ "type": "dns", "value": "subdomain.example.com", "approval_method": "email", "approver_email": "webmaster@example.com" }

Default SANs

If a certificate's sans attribute is null, SSLMate adds an automatic SAN using the below logic:

  • If the common name starts with www., SSLMate adds a SAN that is formed by removing the www. prefix.
  • If the common name starts with *., SSLMate adds a SAN that is formed by removing the *. prefix.
  • Otherwise, SSLMate adds a SAN that is formed by prefixing www. to the common name.

The automatically-added SAN uses the same approval method as the common name.

If you don't want your certificate to have the automatically-added SAN, set the sans attribute to the empty array.

Webhook

You can configure SSLMate to POST a certificate object, with current.crt and current.chain expanded, when a certificate is issued.

Visit your webhooks page to add a webhook endpoint.

Generating CSRs

The SSLMate API accepts and returns CSRs in PEM-encoded PKCS#10 format. CSRs must correspond to an RSA key of 2048, 3072, or 4096 bits, or to an ECDSA key on the NIST P-256 (secp256r1 / prime256v1) or NIST P-384 (secp384r1) curves. The CSR's distinguished name must contain the certificate's common name in the CN attribute, and a valid two-letter ISO country code (e.g. US) in the C attribute.

To programmatically generate a private key and a corresponding CSR for use with a certificate object, the following openssl command can be used:

openssl req -new -newkey rsa:2048 -nodes -subj /C=US/CN=COMMON_NAME -keyout KEYFILE

Replace COMMON_NAME with the certificate object's common name. The CSR will be written to standard out, which you should upload to SSLMate when creating or updating the certificate object. The private key will be saved to a file named KEYFILE.

You can also generate a private key and CSR using the sslmate req command (from the SSLMate client) as follows:

sslmate req --key-file=KEYFILE --csr-file=CSRFILE COMMON_NAME

The private key and CSR will be written to KEYFILE and CSRFILE, respectively. Either or both filenames may be - to write to standard out.

sslmate req is a standalone command that works without contacting SSLMate servers.

Cookbook of Common Operations

Buying a certificate
  1. If using HTTP approval, set up an HTTP approval integration for every hostname you need in the certificate.
  2. Generate a key and CSR.
  3. Create a certificate object with the CSR generated in step 2, and the desired approval method.
  4. If using DNS approval, and you haven't set up a DNS integration, publish the DNS record as described by the dns_approval attribute of the certificate object (as well as every SAN object, if using a multi-hostname certificate) returned in step 3. See the section on approval objects for details.
  5. Buy the certificate. Make note of the id attribute of the returned certificate instance object.
  6. If using email approval, you must now respond to the email sent to the address specified in the approver_email attribute of the certificate object (as well as every SAN object, if using a multi-hostname certificate).
  7. Retrieve the certificate instance with the ID of the certificate instance object returned in step 5, repeating as necessary until the certificate instance's state becomes active. (This typically takes 30-60 seconds. You can use the poll argument to long-poll.) When retrieving the certificate instance, ask for the crt and chain attributes to be expanded. Once the instance is active, you will find the X509 certificate in the crt attribute, and the chain certificate(s) in the chain attribute.
Renewing a certificate

If a certificate's auto_renew attribute is false, then complete steps 4 through 7 of "Buying a certificate" above. There is no need to generate a new CSR or update the existing certificate object.

If a certificate's auto_renew attribute is true and you have integrated your HTTP server or DNS provider with SSLMate as described in the approval documentation, then SSLMate will automatically request a new certificate for you before the current certificate expires. Once issued, the new certificate instance will be available under the current attribute of the certificate object. You can also receive the new certificate via a webhook.

Rekeying a certificate
  1. Generate a new key and CSR.
  2. Update the certificate object with the CSR generated in step 1.
  3. If using DNS approval, and you haven't set up a DNS integration, publish the DNS record as described by the dns_approval attribute of the certificate object (as well as every SAN object, if using a multi-hostname certificate) returned in step 2. See the section on approval objects for details.
  4. Reissue the certificate. Make note of the id attribute of the returned certificate instance object.
  5. Complete steps 6 through 7 of "Buying a certificate" above.