Cert Spotter can now monitor certificate installation on any combination of port numbers, including SMTP ports that use STARTTLS. (Support for more STARTTLS protocols is planned.)
Custom port monitoring is available on the Startup plan and higher. To set up, visit your Cert Spotter settings and click the "Settings" link next to the domain whose ports you want to customize. By default, it will affect sub-domains too. If you want to set a custom port for just a sub-domain, you can add the sub-domain to your watch list (uncheck the "also monitor sub-domains" box) and then click the "Settings" link for the sub-domain; the port settings will override the domain-wide settings.
If you have domains that use anycast IP addresses or DNS-based load balancing, certificate installation problems might only be visible in some parts of the world. These problems can be tricky to debug, but Cert Spotter can now help by monitoring your domains from 10 different locations spread across every continent except Antarctica.
Multiple vantage point monitoring is available and automatically enabled on the Business plan.
You can now configure Cert Spotter to send an HTTP POST request to your server when it detects an unknown certificate. Read the documentation or visit your account settings to add a webhook.
You can now receive Slack notifications of the following events:
The unknown certificate notifications are interactive, and contain a button to acknowledge the certificate to let your teammates know that the certificate is legitimate.
To set up Slack notifications, visit your account settings.
You can now configure the expiration threshold (number of days before expiration when Cert Spotter begins warning you about an expiring certificate) on a per-domain basis.
To configure a domain's expiration threshold, visit your Cert Spotter settings and click the appropriate Settings link in your Monitored Domains list.
If you want to configure the expiration threshold for a sub-domain of one of your monitored domains (e.g. example.com should be 30 days, but blog.example.com should be 15 days), then you'll need to first add the sub-domain to your monitored domains list, and then change the settings for the newly-added sub-domain. The settings for the sub-domain will override the settings for the parent domain.
You can integrate Cert Spotter with your DNS provider, and several times a day we will sync the domains in your DNS account to your Cert Spotter watch list. Visit your integrations page to get started. We currently support Cloudflare, DNSimple, DNS Made Easy, DigitalOcean, Gandi, Google Cloud DNS, Linode, Name.com, NS1, and Route 53, and can add support for any provider with a suitable API (contact us to request support for your provider).
You can now use a simple REST API to add, remove, and list domains on your Cert Spotter watch list. Check out the API docs.
SSLMate now integrates with Name.com to automatically publish DNS approval records, making it easier to issue and renew certificates. If you host your domain's DNS with Name.com, you can set up an integration by visiting your integrations page.
The Certificate Transparency Search API's issuer object now includes the following fields to help you better identify certificate issuers:
friendly_name - the name of the organization which issued the certificate. This field is more accurate and helpful than the existing name field.
website (only present if expanded) - the URL of the issuer's website
caa_domains (only present if expanded) - the domain names which can be placed in a CAA record to authorize the issuer
operator (only present if expanded) - information about the organization which controls the issuer's private key
name_der (only present if expanded) - the issuer's DER-encoded distinguished name
pubkey_der (only present if expanded) - the issuer's DER-encoded public key
The issuance object now includes the following fields:
problem_reporting (only present if expanded) - instructions on how to request the certificate be revoked
cert_sha256 - the SHA-256 certificate fingerprint (previously found in the cert sub-object)
cert_der (only present if expanded) - the DER-encoded certificate (previously found in the cert sub-object)
SSLMate now integrates with Gandi to automatically publish DNS approval records, making it easier to issue and renew certificates. If you host your domain's DNS with Gandi, you can set up an integration by visiting your integrations page.
The Certificate Transparency Search API's issuance object now includes a boolean field named revoked that indicates if the certificate is revoked. This field is generally true or false, but in rare cases (discussed in the API docs), it may be null if the revocation status of the certificate is unknown. If you include expand=revocation in the query string, the issuance object will also include a field named revocation containing additional details, such as the time of and reason for the revocation. See the API docs for details.
Your account can now have more than one API key, and you can restrict API keys to specific operations, so that your API clients have no more permissions than necessary.
To manage your API keys, visit your API Keys page.
Note that API keys are now prefixed with a k (e.g. k1234_5NPqGgwWU6AJu6 instead of 1234_5NPqGgwWU6AJu6). For backwards compatibility, the old format (without the k) is still accepted for existing API keys.
You can now configure authorized certificate authorities on a per-domain basis. For example, you can express that your domain example.com uses Sectigo certificates, but example.net uses Let's Encrypt.
To configure a domain's authorized CA list, visit your Cert Spotter settings and click the appropriate Settings link in your Monitored Domains list.
If you want to configure the authorized CAs for a sub-domain of one of your monitored domains (e.g. example.com uses Sectigo, but blog.example.com uses Let's Encrypt), then you'll need to first add the sub-domain to your monitored domains list, and then change the settings for the newly-added sub-domain. The settings for the sub-domain will override the settings for the parent domain.
As of SSLMate CLI 1.9.0, client-side DNS approval handlers are deprecated and will be removed in SSLMate CLI 2 in favor of SSLMate's server-side DNS integration system. If you use DNS to automatically approve certificates, please integrate your SSLMate account with your DNS provider if you haven't done so already.
Previously, SSLMate's APIs returned times with an "unknown" timezone (represented by -00:00 per RFC 3339 syntax). This was unintentional, since the times are known to be UTC. Therefore, the APIs now return times with a UTC timezone (represented by Z).
Old: 2021-07-20T21:12:18-00:00
New: 2021-07-20T21:12:18Z
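The following Python script is an added example, not SSLMate's own code, that ties together several of the changes above: the per-domain settings (expiration threshold and authorized CAs, with a sub-domain entry overriding its parent), the new issuer and issuance fields (friendly_name, caa_domains, cert_sha256, cert_der, the tri-state revoked field and the expanded revocation object), and the timestamp format change. It resolves a hostname's settings by longest-suffix match, checks the issuer's caa_domains against the authorized CA list, treats a null revoked value as "unknown" rather than "not revoked", verifies cert_sha256 against cert_der, and parses both the old -00:00 and the new Z timestamps. The sample records are constructed, not real API responses. The field names dns_names and not_after, the revocation sub-fields time and reason, base64 encoding of cert_der in JSON, and the settings keys threshold_days and authorized_cas are assumptions of this example, not documented API fields.

```python
"""Triage a constructed CT Search API issuance record against per-domain settings.

Added example; not SSLMate's code. Field names marked "assumed" are not from the API docs.
"""
import base64
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed settings, keyed by monitored domain. The sub-domain entry
# overrides its parent, as the changelog describes. The keys threshold_days
# and authorized_cas are this example's own names (assumed).
SETTINGS = {
    "example.com": {"threshold_days": 30, "authorized_cas": {"sectigo.com"}},
    "blog.example.com": {"threshold_days": 15, "authorized_cas": {"letsencrypt.org"}},
}


def resolve_settings(settings, hostname):
    """Longest-suffix match: the most specific monitored domain wins.

    Returns (matched_domain, settings) or (None, None) if nothing matches.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in settings:
            return candidate, settings[candidate]
    return None, None


def parse_api_time(value):
    """Accept the old '-00:00' (unknown offset) and the new 'Z' suffix; return aware UTC."""
    if value.endswith("-00:00"):
        value = value[:-6] + "Z"
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"  # fromisoformat needs an explicit offset on older Pythons
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def triage_issuance(issuance, settings, now):
    """Return a list of (kind, detail, extra) findings for one issuance object."""
    findings = []
    matched = []
    caa = set(issuance["issuer"].get("caa_domains", []))  # expanded issuer field
    for name in issuance["dns_names"]:  # dns_names: assumed field name
        _, cfg = resolve_settings(settings, name)
        if cfg is None:
            continue  # not a monitored domain
        matched.append(cfg)
        # An issuer is authorized if any of its CAA domains is on the allow list.
        if not caa & cfg["authorized_cas"]:
            findings.append(("unauthorized_ca", name, issuance["issuer"]["friendly_name"]))
    if matched:
        # Warn at the earliest (largest) threshold among the matched domains.
        threshold = max(cfg["threshold_days"] for cfg in matched)
        days_left = (parse_api_time(issuance["not_after"]) - now).days  # not_after: assumed
        if days_left <= threshold:
            findings.append(("expiring", days_left, threshold))
    # revoked is tri-state: True, False, or None (status unknown). Never treat None as False.
    revoked = issuance.get("revoked")
    if revoked is None:
        findings.append(("revocation_unknown", None, None))
    elif revoked:
        rev = issuance.get("revocation") or {}  # present only with expand=revocation
        when = parse_api_time(rev["time"]) if "time" in rev else None  # time/reason: assumed names
        findings.append(("revoked", rev.get("reason"), when))
    # cert_sha256 must be the SHA-256 of the DER certificate (cert_der assumed base64 in JSON).
    der = base64.b64decode(issuance["cert_der"])
    if hashlib.sha256(der).hexdigest() != issuance["cert_sha256"].lower():
        findings.append(("fingerprint_mismatch", issuance["cert_sha256"], None))
    return findings


# Constructed sample data: FAKE_DER is arbitrary bytes, not a real certificate.
FAKE_DER = b"\x30\x05\x02\x01\x01\x05\x00"
SAMPLE = {
    "dns_names": ["blog.example.com"],
    "issuer": {"friendly_name": "Sectigo", "caa_domains": ["sectigo.com", "comodoca.com"]},
    "not_after": "2021-08-10T00:00:00Z",
    "revoked": None,
    "cert_sha256": hashlib.sha256(FAKE_DER).hexdigest(),
    "cert_der": base64.b64encode(FAKE_DER).decode(),
}
REVOKED_SAMPLE = dict(
    SAMPLE,
    dns_names=["www.example.com"],
    revoked=True,
    revocation={"time": "2021-07-19T10:00:00-00:00", "reason": "keyCompromise"},
)
NOW = parse_api_time("2021-07-20T21:12:18-00:00")  # old format still parses

if __name__ == "__main__":
    for record in (SAMPLE, REVOKED_SAMPLE):
        print(record["dns_names"], triage_issuance(record, SETTINGS, NOW))
```

Run as written, the first record is flagged for an unauthorized CA (blog.example.com inherits nothing from example.com once it has its own entry, so Sectigo is no longer allowed there) and for unknown revocation status; it is not flagged as expiring because its 15-day override applies rather than the parent's 30 days. The second record, covered by the parent domain, is authorized but expiring and revoked.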
When using HTTP approval with single-hostname certificates from SSLMate Basic, it is now necessary to explicitly validate both the original hostname and the automatically-added second hostname. If you use HTTP approval with SSLMate Basic, you may need to make some changes to your issuance procedures. Please see the document describing the changes and get in touch if you need assistance.
When acquiring certificates through SSLMate, it is no longer possible to use HTTP approval to validate wildcard domains. Any newly-issued or renewed certificates must instead use DNS or email approval to validate wildcard domains.
If your account currently has an active wildcard certificate that was validated using HTTP approval: you have a temporary exception to this change until 2021-09-01 00:00 UTC to give you time to adapt your issuance procedures. If you need any help or advice, please get in touch.
Why this change is being made: since HTTP validation proves control over a single hostname, it does not provide adequate security for wildcard certificates, which certify an entire domain namespace. We expect that the CA/Browser Forum (the industry group that regulates the issuance of certificates) will ban the use of HTTP validation for wildcards in the near future. We are announcing the change now to give our customers time to adapt.
Cert Spotter now automatically checks your endpoints for compliance with browser Certificate Transparency policies and will alert you if an endpoint is not compliant. You generally don't need to worry about Certificate Transparency policy compliance since it's your certificate authority's job, but a recent change to Apple's Certificate Transparency policy caught some certificate authorities off-guard.
Cert Spotter now automatically monitors your domains for MTA-STS problems, and can optionally automate the publication of correct MTA-STS policies. Read our blog post to learn more.
Certificates managed by SSLMate Agent will now be renewed using the following schedule:
Certificates not managed by SSLMate Agent will continue to auto-renew 30 days before expiration, as they do now.
This change is being made to provide consistency across all types of certificates: renewed certificates will always be deployed 30 days prior to expiration of the current certificate, regardless of the certificate's product type or whether it's managed by SSLMate Agent. Additionally, a 30 day deployment schedule aligns with Cert Spotter's default behavior to warn about certificates that are expiring in 28 days or less.