HTTP Approval

HTTP approval requires you to publish a file on the website for each hostname for which you want to obtain a certificate. For example, acquiring a certificate for may require publishing a file at The certificate authority fetches the file and only issues a certificate if the correct file contents are found.

The file must be published under the /.well-known/pki-validation or /.well-known/acme-challenge directories, which are reserved by the Internet Assigned Numbers Authority for certificate approval. If you configure your web server to proxy these two directories to SSLMate, SSLMate will automatically publish the required files, allowing fully automated provisioning and renewal of certificates.

The file must be available over HTTP on port 80. For standard certificates for hostnames starting with www., the file must be available at the hostname formed by removing the www. prefix. HTTP redirects are not followed, except to HTTPS (port 443) on the exact same hostname. If a redirect is followed to port 443, an SSL certificate must be present but it does not need to be valid.

HTTP approval is best if you're a SaaS provider or marketing agency who hosts websites on your customers' (sub-)domains. Once your customer points their (sub-)domain to your web server, you can use HTTP approval to obtain a certificate for the (sub-)domain, without your customer needing to respond to an email or publish an additional DNS record.

To use HTTP approval, first configure your web server to proxy the two directories to SSLMate. Then, specify the --approval=http flag when ordering a certificate with the sslmate command, or set the approval field to http when ordering a certificate with the REST API.

To change an existing certificate to use HTTP approval, run: sslmate edit NAME --approval=http.

Get Started with SSLMate Today

Buy a new certificate, or import your existing certs for free.

Click to sign up