DNS approval requires you to publish a DNS record under each hostname
for which you want to obtain a certificate. For example, acquiring a
host.example.com may require publishing
a record at
The certificate authority queries for the record and only
issues a certificate if the correct record is found.
If you integrate SSLMate with your DNS provider, SSLMate will automatically add the DNS record, allowing fully automated provisioning and renewal of certificates.
Supported DNS providers
SSLMate integrates with the following DNS providers:
- DNS Made Easy
- Google Cloud DNS
- Route 53
To integrate with one of these providers, visit your integrations page.
How to use DNS approval
First, visit your integrations page to integrate SSLMate with the DNS providers which host the domains for which you need to obtain certificates.
Then, specify the
--approval=dns flag when ordering a certificate
sslmate command, or set the
approval field to
dns when ordering a certificate
with the REST API.
SSLMate will automatically publish the required DNS record under your domain. When the certificate renews, SSLMate will add another record to automatically approve the renewal. When a record is no longer required, SSLMate will remove it.
To change an existing certificate to use DNS approval, run:
sslmate edit NAME --approval=dns.
Manual DNS approval
If SSLMate doesn't support your DNS provider, you can add the DNS record manually.
--approval=dns option to
sslmate will display a DNS record, in
standard zone file format,
which you must add to your DNS.
Once added, press enter to complete your purchase.
Once the DNS record is published, leave it in place as long as the certificate is still in use, since it will be re-verified when your certificate renews. Note that rekeying a certificate requires you to replace the DNS record with a new one. Renewing a certificate will reuse the existing DNS record.
To verify that the DNS records for a certificate are correctly published, run:
sslmate retry-approval NAME. If the records are not correctly
published, SSLMate will output them again. If they are correctly published, SSLMate
will proceed to issue the certificate.