Certificate Approval Process

To purchase, reissue, or renew a certificate, you must demonstrate that you have control over each hostname in the certificate, using one of the three approval methods described on this page.

For wildcard hostnames, you must demonstrate control over the hostname that is formed by removing the wildcard prefix. For example, to get a certificate for *.subdomain.example.com, you must demonstrate control over subdomain.example.com.

For standard certificates for hostnames starting with www., you must demonstrate control over the hostname that is formed by removing the www. prefix. For example, to get a standard certificate for www.example.com, you must demonstrate control over example.com.

Email approval (manual)

Email approval requires you to click a link in an email sent to one of the acceptable administrative email addresses for the hostname.

Email approval is best when you need a one-off certificate quickly. Since email approval is not automated, it should generally be avoided. The SSLMate for SaaS service does not support email approval.

For more information, consult the email approval page.

DNS approval (automated)

DNS approval requires you to publish a DNS record in your domain's DNS zone. You can integrate SSLMate with your DNS provider so SSLMate can automatically publish the DNS record, allowing fully automated provisioning and renewal of certificates.

DNS approval is best when you own the domains for which you need certificates.

To use DNS approval, first configure your account to integrate with your DNS provider. Then, specify the --approval=dns flag when ordering a certificate with the sslmate command, or set the approval field to dns when ordering a certificate with the REST API.

For more information, consult the DNS approval page.

HTTP approval (automated)

HTTP approval requires you to publish a file on the web server for the hostname, under one of two special directories reserved for certificate approval. You can configure your web server to proxy these two directories to SSLMate so SSLMate can automatically publish the file, allowing fully automated provisioning and renewal of certificates.

HTTP approval is best if you're a SaaS provider or marketing agency who hosts websites on your customers' (sub-)domains. Once your customer points their (sub-)domain to your web server, you can use HTTP approval to obtain a certificate for the (sub-)domain, without your customer needing to respond to an email or publish an additional DNS record.

To use HTTP approval, first configure your web server to proxy the two certificate approval directories to SSLMate. Then, specify the --approval=http flag when ordering a certificate with the sslmate command, or set the approval field to http when ordering a certificate with the REST API.

For more information, consult the HTTP approval page.

Changing the approval method

The approval method of an existing or pending certificate can be changed by passing the --approval option to sslmate edit. The new approval method will be used for future reissues and renewals. If the certificate is still pending approval, then the process will be restarted with the new approval method. Consult the sslmate(1) man page for details.

Multi-hostname certificates

When purchasing or renewing a multi-hostname certificate, each hostname in the certificate must be approved. If the same approver email address is used for multiple hostnames, only a single email is sent to that address.

When reissuing a multi-hostname certificate, only new hostnames must be approved, as long as the private key hasn't changed. If the private key has changed, then all existing hostnames on the certificate must be re-approved.
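
The hostname rules at the top of this page and the reissue rule above can be combined into one check that lists which names need a control check for a given order. This is an added example, not SSLMate's code: the function names and the action labels are hypothetical, and it assumes the www. rule applies to every non-wildcard hostname in the order and that the wildcard and www. rules are not chained.

```python
"""Added example: which hostnames need a control check for a certificate order."""

def _norm(hostname):
    # Compare hostnames case-insensitively and without a trailing dot.
    return hostname.strip().rstrip(".").lower()

def control_name(hostname):
    """Return the hostname over which control must be demonstrated."""
    name = _norm(hostname)
    if name.startswith("*."):
        # Wildcard: control is shown for the name without the wildcard prefix.
        return name[2:]
    if name.startswith("www."):
        # www. hostname: control is shown for the name without the www. prefix.
        return name[4:]
    return name

def approvals_needed(action, hostnames, existing=(), key_changed=False):
    """Map each control name to the certificate hostnames that depend on it.

    action:      "purchase", "renew" or "reissue" (labels chosen for this example)
    existing:    hostnames already on the certificate (only used for reissues)
    key_changed: True if the reissue uses a different private key
    """
    if action not in ("purchase", "renew", "reissue"):
        raise ValueError(f"unknown action: {action!r}")
    already = {_norm(h) for h in existing}
    needed = {}
    for host in hostnames:
        name = _norm(host)
        # A reissue with the same key only needs approval for new hostnames.
        if action == "reissue" and not key_changed and name in already:
            continue
        needed.setdefault(control_name(name), []).append(name)
    return needed

if __name__ == "__main__":
    # Constructed sample data, not taken from a real account.
    current = ["example.com", "api.example.net"]
    wanted = current + ["www.example.com", "*.shop.example.com"]
    for changed in (False, True):
        result = approvals_needed("reissue", wanted, current, key_changed=changed)
        print(f"key_changed={changed}")
        for control, covered in result.items():
            print(f"  prove control of {control} for {', '.join(covered)}")
```

Grouping by control name makes it visible when one proof of control over a base name is what stands behind several certificate hostnames, including a wildcard.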
