Skip to content

Configure SSLMate (for advanced users)

The sslmate command is configured by the global config file, /etc/sslmate.conf, as well as your personal config file, .sslmate in your home directory. Options in your personal config file override options in the global config file.

SSLMate config files contain one configuration option per line of the form NAME VALUE. Blank lines and lines starting with # are ignored.

The options are:

  • api_key – your API key, which can be found on your account page. This option is automatically set when you run sslmate link.

  • key_directory and cert_directory – the directories where SSLMate places keys and certificates. When running as root, the default is /etc/sslmate. When running as non-root, the default is the current working directory.

  • cert_format.NAME – enable (by setting to "yes") or disable (by setting to "no") the given certificate format, where NAME is one of the following formats:

    • chained – a concatenation of the certificate and intermediate certificate chain, in PEM encoding. (Enabled by default.)
    • combined – a concatenation of the private key, certificate, and intermediate certificate chain, in PEM encoding.
    • p12 – a PKCS#12 (also known as PFX) file containing the private key, certificate, and intermediate certificate chain. The password for the file is sslmate.
    • jks – a Java keystore file containing the private key, certificate, and intermediate certificate chain. The password for the file is sslmate.
    • root – the root certificate, in PEM encoding.
    • chain+root – the intermediate certificate chain, including the root certificate, in PEM encoding.
  • wildcard_filename – when creating files for wildcard certificates, use the specified prefix in the filename instead of a * character.

  • key_type – the type of key to generate by default when buying or reissuing a certificate ("rsa" or "ecdsa"). You should leave this set to the default (RSA) unless you know what you are doing. Consult the sslmate(1) man page for more information.

  • api_endpoint – the URL to the SSLMate API endpoint. You only need to set this option if you are using the sandbox.

Example Config File

# This is a comment. api_key 131_4Hhw7TekU2LwhglRdHHm # Also create PKCS#12 and "combined" files: cert_format.p12 yes cert_format.combined yes # Use "wildcard" instead of "*" in wildcard cert filenames: wildcard_filename wildcard

Profiles

You can specify a non-default configuration profile by passing the --profile=PROFILE flag to sslmate. If this flag is specified, the string -PROFILE is appended to the paths of the configuration file and default key and certificate directories.

For example, if --profile=company is used, the global configuration file is /etc/sslmate-company.conf and the default certificate directory is /etc/sslmate-company, instead of /etc/sslmate.conf and /etc/sslmate.

Configuration profiles are intended for those who need to use several different SSLMate accounts on a single server, since each configuration file can contain distinct SSLMate API credentials.

Alternative Config Location

By default, your personal config file is read from $HOME/.sslmate. To change the location of your personal config file, set the $SSLMATE_CONFIG environment variable.

A Note About Cron

When sslmate is invoked by cron, your personal config file will not be read if cron does not set the $HOME environment variable. To avoid problems, only use the global config file, or explicitly set $SSLMATE_CONFIG when running sslmate from cron.