Getting Started with SSLMate
This is a tutorial for how to acquire your first certificate from SSLMate. It will teach you how to install SSLMate, purchase or import a certifiate, configure your certificate, and set up automated renewal.
These instructions assume that you are using the default SSLMate configuration, and that you are running SSLMate as root on the server where the certificate needs to reside. Although it's possible to run SSLMate as a non-root user on a desktop or laptop, running SSLMate on your server is best because it eliminates the need to copy files around and lets you use automated renewals.
For general documentation, consult the other pages in the help section.
1. Install SSLMate
2. Buy or Import a Certificate
Buy a Certificate
To buy a new certificate, run the following command and follow the prompts:
sslmate buy HOSTNAME
HOSTNAME is the name for the certificate (also known as the "common
name" or "CN"), such as
www.example.com. For a wildcard cert, use
*.example.com. Note that a certificate purchased for
is also valid for
As part of the process, you will be required to respond to an email or add a DNS record at your domain to confirm that you control the domain. For more information, see the certificate approval section.
For advanced purchasing options, see the buy documentation.
Import a Certificate
To import a certificate you already own to your SSLMate account, run:
sslmate import KEYFILE CERTFILE
KEYFILE is path to the certificate's private key file. Note: your private key is not uploaded to SSLMate; the SSLMate client only uses it to generate a certificate signing request.
CERTFILE is path to the certificate file.
3. Configure Your Server Software (Apache, nginx, etc.)
By default, SSLMate stores keys and certificates in the
directory. You should configure your server software to refer to keys
and certificates in
/etc/sslmate instead of moving these files to a
different directory. (If you've imported certificates, you should
update your current server configuration to refer to these new paths.)
Keeping keys and certificates in their standard SSLMate location will
make automated renewals work more smoothly.
SSLMate creates four files for every certificate:
example.com.key- the private key
example.com.crt- the certificate
example.com.chain.crt- the certificate chain (aka intermediate cert)
example.com.chained.crt- concatenation of the certificate and the chain
You need to configure your server software with
the private key file (
.key) and some combination of the
.crt files. Some software requires you to specify the
.crt) and the chain
.chain.crt) in separate files, while other software
requires you to specify both in a single file (
Consult your software's documentation, or use the config guide below.
Remember to restart your server software after changing its configuration. Note that Apache must be fully restarted after changing certificate configuration; a reload is not sufficient.
4. Test Your Server
After configuring your server, you can use the
sslmate test command to
make sure that your certificate has been properly installed:
sslmate test HOSTNAME
5. Set Up Automated Renewals
After buying or importing a certificate, you may want to set up your server to periodically download new versions of the certificate. Then, when the certificate auto-renews, your server will automatically get the renewed certificate.
The best way to do this is to set up a daily cron job that runs
sslmate download. If sslmate download exits with status 0,
new certificates were downloaded and you should restart your server software
so that it loads the updated certificate files.
For example, the following cron script,
downloads the latest certificates, and restarts Apache
(on Debian/Ubuntu) if a new certificate was downloaded:
#!/bin/sh if sslmate download --all > /dev/null then service apache2 restart > /dev/null fi
- Make sure your script is executable (
chmod +x /etc/cron.daily/sslmate).
- If you installed sslmate by hand in a non-standard location, make sure to specify the full path to sslmate.
Your server must be linked with your SSLMate account for
sslmate downloadto work. To link your server, run
sslmate linkas root, or create a config file with your API key, as found on your account page.
Remember, sslmate puts certs in
/etc/sslmateby default, so make sure your server software reads certs from this location!
- Double-check your certificate dashboard to make sure your certificate is set to auto-renew (this is the default).