Getting Started with SSLMate
This is a tutorial for how to acquire your first certificate from SSLMate. It will teach you how to install SSLMate, purchase a certifiate, configure your certificate, and set up automated renewal.
These instructions assume that you are using the default SSLMate configuration, and that you are running SSLMate as root on the server where the certificate needs to reside. It's also possible to run SSLMate as a non-root user on a desktop or laptop, but running SSLMate on your server is best because it eliminates the need to copy files around and lets you use automated renewals.
For general documentation, consult the other pages in the help section.
1. Install SSLMate
2. Buy a Certificate
To buy a new certificate, run the following command and follow the prompts:
sslmate buy DOMAIN
DOMAIN is the hostname or wildcard domain that you need the
certificate to secure, such as
If you need to secure multiple hostnames or wildcard domains, you can specify
them as multiple arguments to
You will be required to prove that you are authorized to obtain a certificate for each DOMAIN, by responding to an email, publishing a DNS record, or configuring your web server. For more information, including how to automate this process, see the certificate approval documentation.
For advanced purchasing options, see the buy documentation.
3. Configure Your Server Software (Apache, nginx, etc.)
By default, SSLMate stores keys and certificates in the
directory. You should configure your server software to refer to keys
and certificates in
/etc/sslmate instead of moving these files to a
Keeping keys and certificates in their standard SSLMate location will
make automated renewals work more smoothly.
SSLMate creates four files for every certificate:
example.com.key- the private key
example.com.crt- the certificate
example.com.chain.crt- the certificate chain (aka intermediate cert)
example.com.chained.crt- concatenation of the certificate and the chain
You need to configure your server software with
the private key file (
.key) and some combination of the
.crt files. Some software requires you to specify the
.crt) and the chain
.chain.crt) in separate files, while other software
requires you to specify both in a single file (
Consult your software's documentation, or use the config guide below.
Remember to restart your server software after changing its configuration. Note that Apache must be fully restarted after changing certificate configuration; a reload is not sufficient.
4. Test Your Server
After configuring your server, you can use the
sslmate test command to
make sure that your certificate has been properly installed:
sslmate test DOMAIN
5. Set Up Automated Renewals
After buying a certificate, you may want to set up your server to periodically download new versions of the certificate. Then, when the certificate auto-renews, your server will automatically get the renewed certificate.
The best way to do this is to set up a daily cron job that runs
sslmate download. If sslmate download exits with status 0,
new certificates were downloaded and you should restart your server software
so that it loads the updated certificate files.
Create a config file in
/etc/sslmate.confcontaining your API credentials.
Create a cron script,
/etc/cron.daily/sslmate, that downloads the latest certificates and restarts your web server. In the following example, Apache is restarted. You should adapt this example to use the appropriate command for restarting your web server.
#!/bin/sh if sslmate download --all > /dev/null then # Replace the following line with the command to restart your web server: service apache2 restart > /dev/null fi
Make your cron script executable by running:
chmod +x /etc/cron.daily/sslmate
- If you installed sslmate by hand in a non-standard location, make sure to specify the full path to sslmate.
Remember, sslmate puts certs in
/etc/sslmateby default, so make sure your server software reads certs from this location!
- Double-check your certificate console to make sure your certificate is set to auto-renew (this is the default).