SSLMate

Help

This documentation applies to the Basic SSLMate service. If you are using SSLMate for SaaS, please see the SSLMate Agent Help instead.

Buy a Certificate

Run:

sslmate buy DOMAIN...

  • DOMAIN is the hostname or wildcard domain that you need the certificate to secure, such as example.com, www.example.com, subdomain.example.com, or *.example.com.

  • For a wildcard domain, specify a DOMAIN like *.example.com.

  • If you need to secure multiple hostnames or wildcard domains, specify them as multiple arguments to sslmate buy.

  • The certificate's auto-renewal setting will be set to your account's default auto-renewal setting. To override, specify the --auto-renew or --no-auto-renew options.

  • For other options, run sslmate help buy or consult the sslmate(1) man page.

You will be required to prove that you are authorized to obtain a certificate for each DOMAIN, by responding to an email, publishing a DNS record, or configuring your web server. For more information, including how to automate this process, see the certificate approval documentation.

After the sslmate command completes, four files will be placed in your key and cert directories (/etc/sslmate by default when running as root):

  • example.com.key - the private key
  • example.com.crt - the certificate
  • example.com.chain.crt - the certificate chain (aka intermediate cert)
  • example.com.chained.crt - a concatenation of the certificate and the chain, for convenience

Configure Your Server

You should configure your server software with the above files. Consult your software's documentation, or use the config guide below.

Choose your software:

Apache

SSLEngine on

SSLCertificateKeyFile /etc/sslmate/example.com.key

SSLCertificateFile /etc/sslmate/example.com.chained.crt

Apache (with recommended security settings)

SSLEngine on

SSLCertificateKeyFile /etc/sslmate/example.com.key

SSLCertificateFile /etc/sslmate/example.com.chained.crt

# Recommended security settings from https://wiki.mozilla.org/Security/Server_Side_TLS

SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

SSLHonorCipherOrder on

SSLCompression off

# Enable this if you want HSTS (recommended)

# Header add Strict-Transport-Security "max-age=15768000"

nginx

ssl on;

ssl_certificate_key /etc/sslmate/example.com.key;

ssl_certificate /etc/sslmate/example.com.chained.crt;

nginx (with recommended security settings)

ssl on;

ssl_certificate_key /etc/sslmate/example.com.key;

ssl_certificate /etc/sslmate/example.com.chained.crt;

# Recommended security settings from https://wiki.mozilla.org/Security/Server_Side_TLS

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

ssl_prefer_server_ciphers on;

ssl_dhparam /usr/share/sslmate/dhparams/dh2048-group14.pem;

ssl_session_timeout 5m;

ssl_session_cache shared:SSL:5m;

# Enable this if you want HSTS (recommended)

# add_header Strict-Transport-Security max-age=15768000;

Lighttpd

ssl.engine = "enable"

ssl.pemfile = "__COMBINED_PATH__"

Lighttpd (with recommended security settings)

ssl.engine = "enable"

ssl.pemfile = "__COMBINED_PATH__"

# Recommended ciphers from https://wiki.mozilla.org/Security/Server_Side_TLS

ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

ssl.honor-cipher-order = "enable"

# lighttpd >= 1.4.29 only:

#ssl.dh-file = /usr/share/sslmate/dhparams/dh2048-group14.pem"

# lighttpd < 1.4.21 only:

#ssl.use-sslv2 = "disable"

# lighttpd >= 1.4.29 only:

#ssl.use-sslv3 = "disable"

stunnel

key = /etc/sslmate/example.com.key

cert = /etc/sslmate/example.com.chained.crt

stunnel (with recommended security settings)

key = /etc/sslmate/example.com.key

cert = /etc/sslmate/example.com.chained.crt

; Recommended security settings adapted from https://wiki.mozilla.org/Security/Server_Side_TLS

options = NO_SSLv2

options = NO_SSLv3

options = CIPHER_SERVER_PREFERENCE

options = NO_COMPRESSION

ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

titus

key /etc/sslmate/example.com.key

cert /etc/sslmate/example.com.chained.crt

titus (with recommended security settings)

key /etc/sslmate/example.com.key

cert /etc/sslmate/example.com.chained.crt

# Recommended security settings adapted from https://wiki.mozilla.org/Security/Server_Side_TLS

ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

Dovecot 2

ssl_key = </etc/sslmate/example.com.key

ssl_cert = </etc/sslmate/example.com.chained.crt

Dovecot 2 (with recommended security settings)

ssl_key = </etc/sslmate/example.com.key

ssl_cert = </etc/sslmate/example.com.chained.crt

# Recommended security settings adapted from https://wiki.mozilla.org/Security/Server_Side_TLS

ssl_protocols = !SSLv2 !SSLv3

ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

# Note: ssl_dh_parameters_length is only available in Dovecot 2.2.7 and higher:

ssl_dh_parameters_length = 2048

Postfix

smtp_tls_security_level = may

smtpd_tls_security_level = may

smtpd_tls_key_file = /etc/sslmate/example.com.key

smtpd_tls_cert_file = /etc/sslmate/example.com.chained.crt

Postfix (with recommended security settings)

smtp_tls_security_level = may

smtpd_tls_security_level = may

smtpd_tls_key_file = /etc/sslmate/example.com.key

smtpd_tls_cert_file = /etc/sslmate/example.com.chained.crt

# Recommended security settings adapted from https://wiki.mozilla.org/Security/Server_Side_TLS

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

smtpd_tls_mandatory_ciphers = high

smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

smtp_tls_mandatory_ciphers = high

tls_high_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

smtpd_tls_dh1024_param_file = /usr/share/sslmate/dhparams/dh2048-group14.pem

Prosody

ssl = {

key = "/etc/sslmate/example.com.key";

certificate = "/etc/sslmate/example.com.chained.crt";

}

Prosody (with recommended security settings)

ssl = {

key = "/etc/sslmate/example.com.key";

certificate = "/etc/sslmate/example.com.chained.crt";

-- Recommended security settings adapted from https://wiki.mozilla.org/Security/Server_Side_TLS

options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };

ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

-- Note: dhparam is only available in Prosody 0.9.1 and higher:

dhparam = "/usr/share/sslmate/dhparams/dh2048-group14.pem";

}

Remember to restart your server software after changing its configuration. Note that Apache must be fully restarted after changing certificate configuration; a reload is not sufficient.

Test Your Server

After configuring your server, you can use the sslmate test command to make sure that your certificate has been properly installed:

sslmate test DOMAIN

For more information about sslmate test, run sslmate help test or consult the sslmate(1) man page.

Next step: Set up a cron job to run sslmate download for renewals.

See also: Certificate approval process

Get Started with SSLMate Today

Click to sign up