Getting Started with SSLMate
This is a tutorial on acquiring your first certificate from SSLMate. It will teach you how to install SSLMate, purchase a certificate, configure your certificate, and set up automated renewal.
These instructions assume that you are using the default SSLMate configuration, and that you are running SSLMate as root on the server where the certificate needs to reside. It's also possible to run SSLMate as a non-root user on a desktop or laptop, but running SSLMate on your server is best because it eliminates the need to copy files around and lets you use automated renewals.
For general documentation, consult the other pages in the help section.
1. Install SSLMate
2. Buy a Certificate
To buy a new certificate, run the following command and follow the prompts:
sslmate buy DOMAIN
DOMAIN is the hostname or wildcard domain that you need the certificate to secure, such as example.com, www.example.com, subdomain.example.com, or *.example.com.
If you need to secure multiple hostnames or wildcard domains, you can specify them as multiple arguments to sslmate buy.
You will be required to prove that you are authorized to obtain a certificate for each DOMAIN, by responding to an email, publishing a DNS record, or configuring your web server. For more information, including how to automate this process, see the certificate approval documentation.
For advanced purchasing options, see the buy documentation.
3. Configure Your Server Software (Apache, nginx, etc.)
By default, SSLMate stores keys and certificates in the /etc/sslmate directory. You should configure your server software to refer to keys and certificates in /etc/sslmate instead of moving these files to a different directory. Keeping keys and certificates in their standard SSLMate location will make automated renewals work more smoothly.
SSLMate creates four files for every certificate:
- example.com.key - the private key
- example.com.crt - the certificate
- example.com.chain.crt - the certificate chain (aka intermediate cert)
- example.com.chained.crt - concatenation of the certificate and the chain
You need to configure your server software with the private key file (.key) and some combination of the .crt files. Some software requires you to specify the certificate (.crt) and the chain (.chain.crt) in separate files, while other software requires you to specify both in a single file (.chained.crt). Consult your software's documentation, or use the config guide below.
Remember to restart your server software after changing its configuration. Note that Apache must be fully restarted after changing certificate configuration; a reload is not sufficient.
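As an added example (not part of the original tutorial and not SSLMate's own code), the following shell function checks the four files described above for one certificate: that each exists, that .chained.crt is the certificate followed by the chain, and that the private key is closed to group and others. The function names, the byte-for-byte comparison and the key permission policy are assumptions of this example; the sample files are constructed placeholders, not real keys or certificates.

```shell
# Added example (not SSLMate code). Prints each problem found to stderr and
# returns the number of problems (0 means all checks passed).
# Usage: check_cert_files DIR NAME   e.g. check_cert_files /etc/sslmate example.com
check_cert_files() {
    ccf_dir=$1 ccf_name=$2 ccf_bad=0
    ccf_base="$ccf_dir/$ccf_name"

    # 1. All four files must exist and be non-empty.
    for ccf_ext in key crt chain.crt chained.crt; do
        if [ ! -s "$ccf_base.$ccf_ext" ]; then
            echo "missing or empty: $ccf_base.$ccf_ext" >&2
            ccf_bad=$((ccf_bad + 1))
        fi
    done

    # 2. Policy assumed by this example: no group/other access to the key.
    #    Characters 5-10 of the ls -l mode string are the group/other bits.
    if [ -e "$ccf_base.key" ]; then
        ccf_mode=$(ls -ldL "$ccf_base.key" | cut -c5-10)
        if [ "$ccf_mode" != "------" ]; then
            echo "private key has group/other permissions: $ccf_base.key" >&2
            ccf_bad=$((ccf_bad + 1))
        fi
    fi

    # 3. .chained.crt should be the certificate followed by the chain.
    #    Assumption: the concatenation is byte-for-byte.
    if [ -s "$ccf_base.crt" ] && [ -s "$ccf_base.chain.crt" ] && [ -s "$ccf_base.chained.crt" ]; then
        if ! cat "$ccf_base.crt" "$ccf_base.chain.crt" | cmp -s - "$ccf_base.chained.crt"; then
            echo "chained.crt is not crt + chain.crt: $ccf_base.chained.crt" >&2
            ccf_bad=$((ccf_bad + 1))
        fi
    fi
    return "$ccf_bad"
}

# Build a constructed set of placeholder files (not real keys or certificates).
make_sample() {
    printf 'CONSTRUCTED PLACEHOLDER KEY\n'   > "$1/example.com.key"
    printf 'CONSTRUCTED PLACEHOLDER CERT\n'  > "$1/example.com.crt"
    printf 'CONSTRUCTED PLACEHOLDER CHAIN\n' > "$1/example.com.chain.crt"
    cat "$1/example.com.crt" "$1/example.com.chain.crt" > "$1/example.com.chained.crt"
    chmod 600 "$1/example.com.key"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_cert_files "$demo_dir" example.com && echo "sample files OK"
rm -rf "$demo_dir"
```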
4. Test Your Server
After configuring your server, you can use the sslmate test command to make sure that your certificate has been properly installed:
sslmate test DOMAIN
5. Set Up Automated Renewals
After buying a certificate, you may want to set up your server to periodically download new versions of the certificate. Then, when the certificate auto-renews, your server will automatically get the renewed certificate.
The best way to do this is to set up a daily cron job that runs sslmate download. If sslmate download exits with status 0, new certificates were downloaded and you should restart your server software so that it loads the updated certificate files.
- Create a config file in /etc/sslmate.conf containing your API credentials.
- Create a cron script, /etc/cron.daily/sslmate, that downloads the latest certificates and restarts your web server. In the following example, Apache is restarted. You should adapt this example to use the appropriate command for restarting your web server.

    #!/bin/sh
    if sslmate download --all > /dev/null
    then
        # Replace the following line with the command to restart your web server:
        service apache2 restart > /dev/null
    fi

Make your cron script executable by running:
chmod +x /etc/cron.daily/sslmate
Note:
- If you installed sslmate by hand in a non-standard location, make sure to specify the full path to sslmate.
- Remember, sslmate puts certs in /etc/sslmate by default, so make sure your server software reads certs from this location!
- Double-check your certificate console to make sure your certificate is set to auto-renew (this is the default).
6. Learn More
Check out our extensive help section, run sslmate help, or consult the sslmate(1) man page to learn about the other features of SSLMate.