DNS Approval

DNS approval requires you to publish a DNS record under each hostname for which you want to obtain a certificate. For example, acquiring a certificate for host.example.com may require publishing a record at _d41d8cd98f00b204e9800998ecf8427e.host.example.com. The certificate authority queries for the record and only issues a certificate if the correct record is found.

If you integrate SSLMate with your DNS provider, SSLMate will automatically add the DNS record, allowing fully automated provisioning and renewal of certificates.

Supported DNS providers

SSLMate integrates with the following DNS providers:

  • Cloudflare
  • DNSimple
  • DNS Made Easy
  • DigitalOcean
  • Gandi
  • Google Cloud DNS
  • Linode
  • Name.com
  • NS1
  • Route 53

To integrate with one of these providers, visit your integrations page.

How to use DNS approval

First, visit your integrations page to integrate SSLMate with the DNS providers which host the domains for which you need to obtain certificates.

Then, specify the --approval=dns flag when ordering a certificate with the sslmate command, or set the approval field to dns when ordering a certificate with the REST API.

SSLMate will automatically publish the required DNS record under your domain. When the certificate renews, SSLMate will add another record to automatically approve the renewal. When a record is no longer required, SSLMate will remove it.

To change an existing certificate to use DNS approval, run: sslmate edit NAME --approval=dns.

Manual DNS approval

If SSLMate doesn't support your DNS provider, you can add the DNS record manually. Pass the --approval=dns option to sslmate buy. The sslmate command will display a DNS record, in standard zone file format, which you must add to your DNS. Once you have added it, press enter to complete your purchase.

Once the DNS record is published, leave it in place as long as the certificate is still in use, since it will be re-verified when your certificate renews. Note that rekeying a certificate requires you to replace the DNS record with a new one. Renewing a certificate will reuse the existing DNS record.

To verify that the DNS records for a certificate are correctly published, run: sslmate retry-approval NAME. If the records are not correctly published, SSLMate will output them again. If they are correctly published, SSLMate will proceed to issue the certificate.
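Before running sslmate retry-approval, it can help to confirm that every authoritative nameserver for the zone already serves the record. The script below is an added example, not part of SSLMate. Its function names are hypothetical, the zone apex is passed by hand, and the sample record line (including its type and value) is constructed.

```shell
# Added example, not SSLMate code. Live use requires dig.
# Split a zone-file line "name [ttl] [class] type rdata" into "name type rdata".
parse_record() {
    printf '%s\n' "$1" | awk '{
        i = 2
        while ($i ~ /^[0-9]+$/ || toupper($i) == "IN") i++   # skip optional TTL and class
        rtype = toupper($i); rdata = $(i + 1)
        for (j = i + 2; j <= NF; j++) rdata = rdata " " $j
        print $1, rtype, rdata
    }'
}

# Make expected and observed rdata comparable. TXT data is case-sensitive, so only unquote it.
normalize_rdata() {   # $1 = record type, rdata on stdin
    if [ "$1" = "TXT" ]; then
        sed -e 's/^"//' -e 's/"$//'
    else
        tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
    fi
}

list_nameservers() { dig +short NS "$1"; }              # $1 = zone apex
lookup() { dig +short +norecurse "@$1" "$2" "$3"; }     # $1 = server, $2 = name, $3 = type

# Returns 0 if every authoritative server has the record, 1 if any lacks it, 2 if none found.
check_published() {   # $1 = zone apex, $2 = record line as printed by sslmate
    local name type want ns got missing=0 count=0
    read -r name type want <<EOF
$(parse_record "$2")
EOF
    want=$(printf '%s\n' "$want" | normalize_rdata "$type")
    for ns in $(list_nameservers "$1"); do
        count=$((count + 1))
        got=$(lookup "$ns" "${name%.}." "$type" | normalize_rdata "$type")
        if printf '%s\n' "$got" | grep -qxF -- "$want"; then
            echo "ok       $ns"
        else
            echo "MISSING  $ns (got: ${got:-nothing})"
            missing=1
        fi
    done
    [ "$count" -gt 0 ] || { echo "no nameservers found for $1" >&2; return 2; }
    return "$missing"
}

# Usage with a constructed sample line (type and value are placeholders):
#   sh check.sh example.com '_d41d8cd98f00b204e9800998ecf8427e.host.example.com. 3600 IN CNAME constructed-value.validation.example.net.'
if [ "$#" -eq 2 ]; then check_published "$1" "$2"; fi
```

A nameserver reported as MISSING is still serving the old zone, so approval can fail intermittently until it catches up.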