Skip to content

Getting Started with SSLMate

This is a tutorial for how to acquire your first certificate from SSLMate. It will teach you how to install SSLMate, purchase a certifiate, configure your certificate, and set up automated renewal.

These instructions assume that you are using the default SSLMate configuration, and that you are running SSLMate as root on the server where the certificate needs to reside. It's also possible to run SSLMate as a non-root user on a desktop or laptop, but running SSLMate on your server is best because it eliminates the need to copy files around and lets you use automated renewals.

For general documentation, consult the other pages in the help section.

1. Install SSLMate

Choose your operating system:

Debian 12 (Bookworm)

Prerequisite: the ca-certificates package must be installed.

wget -O /etc/apt/sources.list.d/sslmate1.list https://sslmate.com/apt/bookworm/sslmate1.list

wget -O /etc/apt/trusted.gpg.d/sslmate.gpg https://sslmate.com/apt/bookworm/sslmate.gpg

apt-get update

apt-get install sslmate

Debian 11 (Bullseye)

Prerequisite: the ca-certificates package must be installed.

wget -O /etc/apt/sources.list.d/sslmate1.list https://sslmate.com/apt/bullseye/sslmate1.list

wget -O /etc/apt/trusted.gpg.d/sslmate.gpg https://sslmate.com/apt/bullseye/sslmate.gpg

apt-get update

apt-get install sslmate

Debian 10 (Buster)

Prerequisite: the ca-certificates package must be installed.

wget -O /etc/apt/sources.list.d/sslmate1.list https://sslmate.com/apt/buster/sslmate1.list

wget -O /etc/apt/trusted.gpg.d/sslmate.gpg https://sslmate.com/apt/buster/sslmate.gpg

apt-get update

apt-get install sslmate

Debian 9 (Stretch)

Prerequisite: the ca-certificates package must be installed.

wget -O /etc/apt/sources.list.d/sslmate1.list https://sslmate.com/apt/stretch/sslmate1.list

wget -O /etc/apt/trusted.gpg.d/sslmate.gpg https://sslmate.com/apt/stretch/sslmate.gpg

apt-get update

apt-get install sslmate

Ubuntu 23.10

Prerequisite: the ca-certificates package must be installed.

wget -O /etc/apt/sources.list.d/sslmate1.list https://sslmate.com/apt/ubuntu2310/sslmate1.list

wget -O /etc/apt/trusted.gpg.d/sslmate.gpg https://sslmate.com/apt/ubuntu2310/sslmate.gpg

apt-get update

apt-get install sslmate

Ubuntu 23.04

Prerequisite: the ca-certificates package must be installed.

wget -O /etc/apt/sources.list.d/sslmate1.list https://sslmate.com/apt/ubuntu2304/sslmate1.list

wget -O /etc/apt/trusted.gpg.d/sslmate.gpg https://sslmate.com/apt/ubuntu2304/sslmate.gpg

apt-get update

apt-get install sslmate

Ubuntu 22.10

Prerequisite: the ca-certificates package must be installed.

wget -O /etc/apt/sources.list.d/sslmate1.list https://sslmate.com/apt/ubuntu2210/sslmate1.list

wget -O /etc/apt/trusted.gpg.d/sslmate.gpg https://sslmate.com/apt/ubuntu2210/sslmate.gpg

apt-get update

apt-get install sslmate

Ubuntu 22.04

Prerequisite: the ca-certificates package must be installed.

wget -O /etc/apt/sources.list.d/sslmate1.list https://sslmate.com/apt/ubuntu2204/sslmate1.list

wget -O /etc/apt/trusted.gpg.d/sslmate.gpg https://sslmate.com/apt/ubuntu2204/sslmate.gpg

apt-get update

apt-get install sslmate

Ubuntu 20.04

Prerequisite: the ca-certificates package must be installed.

wget -O /etc/apt/sources.list.d/sslmate1.list https://sslmate.com/apt/ubuntu2004/sslmate1.list

wget -O /etc/apt/trusted.gpg.d/sslmate.gpg https://sslmate.com/apt/ubuntu2004/sslmate.gpg

apt-get update

apt-get install sslmate

Ubuntu 18.04

Prerequisite: the ca-certificates package must be installed.

wget -O /etc/apt/sources.list.d/sslmate1.list https://sslmate.com/apt/ubuntu1804/sslmate1.list

wget -O /etc/apt/trusted.gpg.d/sslmate.gpg https://sslmate.com/apt/ubuntu1804/sslmate.gpg

apt-get update

apt-get install sslmate

Ubuntu 16.04

Prerequisite: the ca-certificates package must be installed.

wget -O /etc/apt/sources.list.d/sslmate1.list https://sslmate.com/apt/ubuntu1604/sslmate1.list

wget -O /etc/apt/trusted.gpg.d/sslmate.gpg https://sslmate.com/apt/ubuntu1604/sslmate.gpg

apt-get update

apt-get install sslmate

Ubuntu 14.04

Prerequisite: the ca-certificates package must be installed.

wget -O /etc/apt/sources.list.d/sslmate1.list https://sslmate.com/apt/ubuntu1404/sslmate1.list

wget -O /etc/apt/trusted.gpg.d/sslmate.gpg https://sslmate.com/apt/ubuntu1404/sslmate.gpg

apt-get update

apt-get install sslmate

RHEL/CentOS/SL (6, 7, and 8)

Prerequisite: the wget and ca-certificates packages must be installed.

wget -O /etc/yum.repos.d/SSLMate1.repo https://sslmate.com/yum/centos/SSLMate1.repo

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-SSLMate https://sslmate.com/yum/centos/RPM-GPG-KEY-SSLMate

yum install sslmate

Amazon Linux 1

Prerequisite: the wget and ca-certificates packages must be installed.

wget -O /etc/yum.repos.d/SSLMate1.repo https://sslmate.com/yum/amzn1/SSLMate1.repo

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-SSLMate https://sslmate.com/yum/amzn1/RPM-GPG-KEY-SSLMate

yum install sslmate

Amazon Linux 2

Prerequisite: the wget and ca-certificates packages must be installed.

wget -O /etc/yum.repos.d/SSLMate1.rep https://sslmate.com/yum/amzn2/SSLMate1.repo

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-SSLMate https://sslmate.com/yum/amzn2/RPM-GPG-KEY-SSLMate

yum install sslmate

Amazon Linux 2023

wget -O /etc/yum.repos.d/SSLMate1.rep https://sslmate.com/yum/amzn2023/SSLMate1.repo

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-SSLMate https://sslmate.com/yum/amzn2023/RPM-GPG-KEY-SSLMate

yum install sslmate

Fedora (27+)

Prerequisite: the wget and ca-certificates packages must be installed.

wget -O /etc/yum.repos.d/SSLMate1.rep https://sslmate.com/yum/fedora/SSLMate1.repo

wget -O /etc/pki/rpm-gpg/RPM-GPG-KEY-SSLMate https://sslmate.com/yum/fedora/RPM-GPG-KEY-SSLMate

yum install sslmate

Other

1. Download sslmate-latest.tar.gz and extract:

tar xzvf sslmate-latest.tar.gz

cd sslmate-VERSION

2. Install dependencies:

cpan URI Term::ReadKey JSON::PP

3. Install SSLMate to /usr/local/bin:

make install

Or, install to a custom prefix:

make install PREFIX=/path/to/directory

2. Buy a Certificate

To buy a new certificate, run the following command and follow the prompts:

sslmate buy DOMAIN

DOMAIN is the hostname or wildcard domain that you need the certificate to secure, such as example.com, www.example.com, subdomain.example.com, or *.example.com.

If you need to secure multiple hostnames or wildcard domains, you can specify them as multiple arguments to sslmate buy.

You will be required to prove that you are authorized to obtain a certificate for each DOMAIN, by responding to an email, publishing a DNS record, or configuring your web server. For more information, including how to automate this process, see the certificate approval documentation.

For advanced purchasing options, see the buy documentation.

3. Configure Your Server Software (Apache, nginx, etc.)

By default, SSLMate stores keys and certificates in the /etc/sslmate directory. You should configure your server software to refer to keys and certificates in /etc/sslmate instead of moving these files to a different directory. Keeping keys and certificates in their standard SSLMate location will make automated renewals work more smoothly.

SSLMate creates four files for every certificate:

  • example.com.key - the private key
  • example.com.crt - the certificate
  • example.com.chain.crt - the certificate chain (aka intermediate cert)
  • example.com.chained.crt - concatenation of the certificate and the chain

You need to configure your server software with the private key file (.key) and some combination of the .crt files. Some software requires you to specify the certificate (.crt) and the chain (.chain.crt) in separate files, while other software requires you to specify both in a single file (.chained.crt). Consult your software's documentation, or use the config guide below.

Choose your software:

Apache

SSLEngine on SSLCertificateKeyFile /etc/sslmate/example.com.key SSLCertificateFile /etc/sslmate/example.com.chained.crt

Apache (with recommended security settings)

SSLEngine on SSLCertificateKeyFile /etc/sslmate/example.com.key SSLCertificateFile /etc/sslmate/example.com.chained.crt # Recommended security settings from https://wiki.mozilla.org/Security/Server_Side_TLS SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLHonorCipherOrder on SSLCompression off # Enable this if you want HSTS (recommended) # Header add Strict-Transport-Security "max-age=15768000"

nginx

ssl on; ssl_certificate_key /etc/sslmate/example.com.key; ssl_certificate /etc/sslmate/example.com.chained.crt;

nginx (with recommended security settings)

ssl on; ssl_certificate_key /etc/sslmate/example.com.key; ssl_certificate /etc/sslmate/example.com.chained.crt; # Recommended security settings from https://wiki.mozilla.org/Security/Server_Side_TLS ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; ssl_dhparam /usr/share/sslmate/dhparams/dh2048-group14.pem; ssl_session_timeout 5m; ssl_session_cache shared:SSL:5m; # Enable this if you want HSTS (recommended) # add_header Strict-Transport-Security max-age=15768000;

Lighttpd

ssl.engine = "enable" ssl.pemfile = "/etc/sslmate/example.com.combined.pem"

Lighttpd (with recommended security settings)

ssl.engine = "enable" ssl.pemfile = "/etc/sslmate/example.com.combined.pem" # Recommended ciphers from https://wiki.mozilla.org/Security/Server_Side_TLS ssl.cipher-list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS" ssl.honor-cipher-order = "enable" # lighttpd >= 1.4.29 only: #ssl.dh-file = /usr/share/sslmate/dhparams/dh2048-group14.pem" # lighttpd < 1.4.21 only: #ssl.use-sslv2 = "disable" # lighttpd >= 1.4.29 only: #ssl.use-sslv3 = "disable"

stunnel

key = /etc/sslmate/example.com.key cert = /etc/sslmate/example.com.chained.crt

stunnel (with recommended security settings)

key = /etc/sslmate/example.com.key cert = /etc/sslmate/example.com.chained.crt ; Recommended security settings adapted from https://wiki.mozilla.org/Security/Server_Side_TLS options = NO_SSLv2 options = NO_SSLv3 options = CIPHER_SERVER_PREFERENCE options = NO_COMPRESSION ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

titus

key /etc/sslmate/example.com.key cert /etc/sslmate/example.com.chained.crt

titus (with recommended security settings)

key /etc/sslmate/example.com.key cert /etc/sslmate/example.com.chained.crt # Recommended security settings adapted from https://wiki.mozilla.org/Security/Server_Side_TLS ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

Dovecot 2

ssl_key = </etc/sslmate/example.com.key ssl_cert = </etc/sslmate/example.com.chained.crt

Dovecot 2 (with recommended security settings)

ssl_key = </etc/sslmate/example.com.key ssl_cert = </etc/sslmate/example.com.chained.crt # Recommended security settings adapted from https://wiki.mozilla.org/Security/Server_Side_TLS ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS # Note: ssl_dh_parameters_length is only available in Dovecot 2.2.7 and higher: ssl_dh_parameters_length = 2048

Postfix

smtp_tls_security_level = may smtpd_tls_security_level = may smtpd_tls_key_file = /etc/sslmate/example.com.key smtpd_tls_cert_file = /etc/sslmate/example.com.chained.crt

Postfix (with recommended security settings)

smtp_tls_security_level = may smtpd_tls_security_level = may smtpd_tls_key_file = /etc/sslmate/example.com.key smtpd_tls_cert_file = /etc/sslmate/example.com.chained.crt # Recommended security settings adapted from https://wiki.mozilla.org/Security/Server_Side_TLS smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_mandatory_ciphers = high smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 smtp_tls_mandatory_ciphers = high tls_high_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS smtpd_tls_dh1024_param_file = /usr/share/sslmate/dhparams/dh2048-group14.pem

Prosody

ssl = { key = "/etc/sslmate/example.com.key"; certificate = "/etc/sslmate/example.com.chained.crt"; }

Prosody (with recommended security settings)

ssl = { key = "/etc/sslmate/example.com.key"; certificate = "/etc/sslmate/example.com.chained.crt"; -- Recommended security settings adapted from https://wiki.mozilla.org/Security/Server_Side_TLS options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" }; ciphers = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; -- Note: dhparam is only available in Prosody 0.9.1 and higher: dhparam = "/usr/share/sslmate/dhparams/dh2048-group14.pem"; }

Remember to restart your server software after changing its configuration. Note that Apache must be fully restarted after changing certificate configuration; a reload is not sufficient.

4. Test Your Server

After configuring your server, you can use the sslmate test command to make sure that your certificate has been properly installed:

sslmate test DOMAIN

5. Set Up Automated Renewals

After buying a certificate, you may want to set up your server to periodically download new versions of the certificate. Then, when the certificate auto-renews, your server will automatically get the renewed certificate.

The best way to do this is to set up a daily cron job that runs sslmate download. If sslmate download exits with status 0, new certificates were downloaded and you should restart your server software so that it loads the updated certificate files.

  1. Create a config file in /etc/sslmate.conf containing your API credentials.

  2. Create a cron script, /etc/cron.daily/sslmate, that downloads the latest certificates and restarts your web server. In the following example, Apache is restarted. You should adapt this example to use the appropriate command for restarting your web server.

    #!/bin/sh if sslmate download --all > /dev/null then # Replace the following line with the command to restart your web server: service apache2 restart > /dev/null fi
  3. Make your cron script executable by running: chmod +x /etc/cron.daily/sslmate

Note:

  • If you installed sslmate by hand in a non-standard location, make sure to specify the full path to sslmate.
  • Remember, sslmate puts certs in /etc/sslmate by default, so make sure your server software reads certs from this location!
  • Double-check your certificate console to make sure your certificate is set to auto-renew (this is the default).

6. Learn More

Check out our extensive help section, run sslmate help, or consult the sslmate(1) man page to learn about the other features of SSLMate.