Certificate Approval Process

To purchase, reissue, or renew a certificate, you must demonstrate that you have control over each hostname in the certificate, using one of the three approval methods described on this page.

For wildcard hostnames, you must demonstrate control over the hostname that is formed by removing the wildcard prefix. For example, to get a certificate for *.subdomain.example.com, you must demonstrate control over subdomain.example.com.

For standard certificates for hostnames starting with www., you must demonstrate control over the hostname that is formed by removing the www. prefix. For example, to get a standard certificate for www.example.com, you must demonstrate control over example.com. This rule does not apply to multi-hostname certificates.

Email approval (manual)

Email approval is a simple but manual way to approve a certificate. When purchasing a certificate, you select from a list of acceptable administrative email addresses, and follow a link in an email sent to that address.

Email approval is best when you need a one-off certificate quickly. Since email approval is not automated, it should generally be avoided.

For more information, consult the email approval page.

DNS approval (automated)

DNS approval requires you to publish a special DNS record in your domain's DNS zone. You can integrate SSLMate with your DNS provider so SSLMate can automatically add the DNS record, allowing fully automated provisioning and renewal of certificates.

DNS approval is best when you own the domains for which you need certificates.

To use DNS approval, first configure your account to integrate with your DNS provider. Then specify the --approval=dns option when running sslmate buy.

For more information, consult the DNS approval page.

HTTP approval (automated)

HTTP approval requires you to publish a special file on your domain's web server under a special directory reserved for certificate approval. You can configure your web server to proxy this directory to SSLMate so SSLMate can automatically publish the file, allowing fully automated provisioning and renewal of certificates.

HTTP approval is best when you host websites on behalf of customers who delegate their (sub-)domains to servers you operate.

To use HTTP approval, first configure your web server to proxy approval checks to SSLMate. Then specify the --approval=http option when running sslmate buy.

For more information, consult the HTTP approval page.

Changing the approval method

The approval method of an existing or pending certificate can be changed by passing the --approval option to sslmate edit. The new approval method will be used for future reissues and renewals. If the certificate is still pending approval, then the process will be restarted with the new approval method. Consult the sslmate(1) man page for details.

Multi-hostname certificates

When purchasing or renewing a multi-hostname certificate, each hostname in the certificate must be approved. If the same approver email address is used for multiple hostnames, only a single email is sent to that address.

When reissuing a multi-hostname certificate, only new hostnames must be approved, as long as the private key hasn't changed. If the private key has changed, then all existing hostnames on the certificate must be re-approved.

Get Started with SSLMate Today

Buy a new certificate, or import your existing certs for free.

Click to sign up