Introduction
This documentation applies to the Basic SSLMate service. If you are using SSLMate for SaaS, please see the APIv3 reference instead.
The SSLMate API is centered around REST principles. Requests are made to predictable, resource-oriented URLs using standard HTTP verbs and HTTP authentication. Request arguments are encoded as key/value pairs in standard HTTP form encoding (application/x-www-form-urlencoded), and are passed in either the query string (for GET requests) or in the request body (for POST requests). All responses, including errors, are JSON. Requests and responses use the UTF-8 character encoding.
SSLMate will only make backwards-compatible changes to this API endpoint (e.g. adding new requests, adding new attributes to responses, adding new optional arguments to requests). Backwards-incompatible changes will be avoided if at all possible, but should such a change become necessary, SSLMate will create a new API endpoint with a higher version number, and preserve the old API endpoint for at least 12 months following the introduction of the new endpoint.
You may want to consult the cookbook of common operations for guidance on how to purchase, renew, and reissue a certificate.
Feel free to get in touch if you have any questions or need help using the API. SSLMate is happy to help!
API Endpoint
Authentication
You authenticate to the SSLMate API by providing either your username and password, or your API key, which can be found on your account page. Your API key has almost complete access to your account, so you should keep it secret.
Authentication uses HTTP Basic Auth. When authenticating with your API key, provide the key as the basic auth username and leave the password empty.
Authenticating with your API key is equivalent to authenticating with your username and password.
Example Request
Sandbox
To facilitate testing, SSLMate operates a sandbox website at https://sandbox.sslmate.com, with its own API endpoint (shown to the right). Purchases made on the sandbox website are free and certificates are signed by an untrusted testing certificate authority.
The sandbox website uses its own user account database, so you must sign up for a separate account on the sandbox site. Your sandbox API credentials are available on your account page on the sandbox site.
Sandbox API Endpoint
Errors
SSLMate uses standard HTTP response codes to indicate the success or failure of an API request. Codes in the 2xx range indicate success, codes in the 4xx range indicate an error with the request, and codes in the 5xx range indicate an error with SSLMate's servers.
The following JSON object is returned by the server for any unsuccessful request:
Attributes
| reason string | A short machine-readable code that describes the error. The code for a particular error is guaranteed not to change. |
|---|---|
| message string | A human-readable message. The value of this attribute is only suitable for human consumption; the exact wording of messages may change without notice. For a machine-readable code, use the reason attribute. |
| param string | The name of the request parameter that was invalid. Only present if the error is parameter-specific. |
| retry_after integer | Number of seconds after which to retry the request. If this attribute is present, the client should only retry the request after this many seconds have elapsed. |
Example Error
Expanding objects
Some objects contain attributes marked "expandable." These attributes are not
included in responses by default, but can be included by passing the
name of the attribute in the expand parameter to the query
string of the request.
The expand parameter is available for all API requests, and applies to
the response to that request only. You can expand attributes of nested objects
using the dot character. For example, expanding current.crt on a certificate
object will expand the current attribute into a full certificate instance, and
then expand the crt attribute of that certificate instance into a full certificate
string.
You can expand multiple attributes by specifying the expand parameter multiple
times. Note that the expand parameter is always passed in the query string,
even for POST requests.
Example Request
Certificates and Certificate Instances
The SSLMate API is centered around two types of objects: certificates and certificate instances.
Certificate objects specify the desired properties (e.g. CSR, approval method) for a particular host's certificate. Certificate instances represent a specific instantiation of a certificate and are created when a certificate is bought or reissued. There is a one-to-many relationship between certificates and certificate instances. For example, the certificate for www.example.com might contain three instances: one instance that was created when the cert was bought on March 10, 2014, a second instance that was created when the cert was reissued on April 8, 2014, and a third instance that was created when the cert was bought again (for renewal) on March 10, 2015.
Certificate instances are created when you buy or reissue a certificate object. The new certificate instance will use the details (CSR, approval method, etc.) of the certificate object at the time of the purchase/reissue. To purchase a brand-new certificate, you would first create a certificate object with the desired CSR and approval details, and then buy the certificate. The signed X509 certificate will be stored in the newly-created certificate instance (once approved).
Certificate instances are immutable. To reissue a certificate with a new key, you would not modify a particular instance, but rather update the CSR of the certificate object, and then reissue that certificate object, creating a new certificate instance corresponding to the new CSR/key. Changing the attributes of a certificate object does not affect any existing instances.
Certificates
The certificate object
Attributes
| exists boolean | Whether a certificate with this common name exists in your account. Read-only |
|---|---|
| cn string | The common name. Read-only |
| wildcard boolean | Read-only |
| dn object | JSON object describing the distinguished name (DN) of this certificate, to be used when generating a CSR. Each element of the hash corresponds to different attribute of the DN. Read-only |
| auto_renew boolean | If true, the certificate will be automatically renewed prior to expiration. Note: automatic renewal requires you to use HTTP or DNS approval, and to integrate your HTTP server or DNS provider with SSLMate, as described in the approval documentation. |
| muted boolean | If true, expiration reminders are not sent. |
| approval_method string or null | How domain control is verified: "email", "http", or "dns". null if and only if exists is false. |
| approver_email string | The email address to which domain validation emails should be sent. This attribute is present if and only if approval_method is "email". |
| http_approval object | This attribute is deprecated. To approve a certificate using HTTP, please set up an HTTP approval integration with your web server. |
| dns_approval object | An approval object with DNS options describing how to approve this certificate over DNS. This attribute is present if and only if approval_method is "dns". |
| type string or null | The type of the certificate: "dv" or "ev". Changing this attribute only affects future renewals and purchases. The current active instance does not change type. null if and only if exists is false. |
| sans array or null |
An array of SAN (subject alternative name) objects representing the additional subject alternative names of this certificate. If null, SSLMate uses default SANs. Only the additional SANs are present in this array; since SSLMate always adds a SAN for the common name it is not included here.
When creating or updating a certificate, the |
| tags array |
An array of strings representing user-defined tags for this certificate object.
When creating or updating a certificate, the |
| csr string | PEM-encoded CSR in PKCS#10 format. Guaranteed to have a trailing newline character. Only present if expanded. |
| pubkey_hash string or null | The SHA-256 hash of the CSR's DER-encoded public key, encoded in lowercase hex. null if and only if exists is false. Read-only |
| current_download string or null | A public URL from which you can download the current certificate instance, plus chain, as a sequence of PEM-encoded X.509 certificates. The URL stays the same even as the current certificate instance changes and does not require authentication. If the certificate doesn't have a current certificate instance, the URL returns an empty response with HTTP code 202. null if and only if exists is false. Read-only |
| current object | The current active certificate instance for this certificate, if one exists. Only present if expanded. |
| pending object | The current pending certificate instance for this certificate, if one exists. Only present if expanded. |
Example certificate
Create/update a certificate
Given a common name, create or update the certificate object for that common name.
If a certificate with this common name already exists in your account, then all arguments are optional in the request. Only the certificate attributes specified in the request are updated; all others keep their current values.
If no certificate with this common name exists in your account, one will be created, in which case all the arguments marked "required for new certs" must be specified.
Arguments
| csr | PEM-encoded CSR in PKCS#10 format. Required for new certs. See the Generating CSRs section for more information about CSRs. |
|---|---|
| approval_method | "email", "http", or "dns". Required for new certs. |
| approver_email | Email address for email approval. Required for new certs if approval_method is "email". |
| type | Type of certificate. Defaults to "dv" for new certs. |
| sans |
Either the string "null" or a string containing a JSON array of SAN (subject alternative name) objects representing the additional subject alternative names of this certificate. Defaults to "null" for new certs, which means the default SANs will be used. After changing the SANs of an existing certificate object, you must reissue the certificate to issue a certificate with the updated SANs. Do not include a SAN for the common name in this array. SSLMate always adds a SAN for the common name so it doesn't need to be included here. |
| auto_renew | If true, the certificate will be automatically renewed prior to expiration. |
| muted | If true, expiration reminders are not sent. |
| tags | A string containing a JSON array of strings representing user-defined tags for this certificate object. |
| tags.TAGNAME | Add (by specifying a value of 1) or remove (by specifying a value of 0) the user-defined tag named TAGNAME. |
Returns
Returns a certificate object if the request was valid, and returns an error otherwise.
Definition
Example Request
Example Response
See certificate object.
Buy a certificate
Purchase and issue a certificate instance for the certificate object with the given common name. A new certificate instance will be created using the type, approval_method, approver_email, and csr of the certificate object. Therefore, you must have already created or updated the certificate object with the desired parameters. Your account will be charged for the purchase, and the expiration date of the new certificate instance will be one year from today's date.
Arguments
| invoice_note | A custom note to be included with the invoice for this purchase. |
|---|---|
| email_invoice_to | Email address to which a copy of the invoice should be sent. |
Returns
Returns the newly-created certificate instance object if the purchase succeeds, and returns an error otherwise.
The certificate instance will be in the pending state until it is approved. You should poll for the certificate instance until it becomes active, as described under Retrieve a certificate instance.
Definition
Example Request
Example Response
Reissue a certificate
Reissue a certificate instance for the certificate object with the given common name. A new certificate instance will be created using the type, approval_method, approver_email, csr, and sans of the certificate object. The new certificate instance will have the same expiration date as the certificate's current active instance. An active, non-expired certificate instance must exist for this certificate.
There are two scenarios when you would want to reissue a certificate:
- You need to rekey because a key has been lost or compromised. To rekey, you should first update the certificate object with a new CSR for the new key, and then make a reissue request. There is no charge for the rekey.
- You need to add or remove SANs. You should first update the certificate object with a new sans array, and then make a reissue request. You will be charged for any net increase in SANs.
Returns
Returns the newly-created certificate instance object if the reissue succeeds, and returns an error otherwise.
The certificate instance will be in a pending state until it is approved. You should poll for the certificate instance until it becomes active, as described under Retrieve a certificate instance.
Definition
Example Request
Example Response
Redo certificate approval
Redo certificate approval for the given certificate's pending instance, using the approval settings from the certificate object. If using email approval, the email will be (re-)sent. If using HTTP approval, the file will be (re-)fetched. If using DNS approval, the DNS record will be (re-)checked.
This request can be used if you have changed a certificate's approval details while an instance was pending and you would like to use the new details to approve the pending instance, or if the first attempt at approval failed and you need to try again.
The certificate must have a pending instance for this request to succeed.
Returns
Returns the certificate's pending certificate instance object if the action succeeds, and returns an error otherwise.
Definition
Example Request
Example Response
Revoke a certificate
Revoke one or more certificate instances for the certificate object with the given common name.
By default, all certificate instances except for the active one are revoked. If the
all argument is true, even the active instance is revoked.
See the general documentation on revoking for more
information.
Arguments
| all | If "true", all certificate instances are revoked, even the active instance. See the documentation on revoking for a warning about revoking all instances. |
|---|
Returns
Returns the following object if the revoke succeeded, and returns an error otherwise.
Attributes
| status string | "pending" if the revocation is pending, or "revoked" if the revocation has completed. |
|---|---|
| num_revoked integer | The number of instances that have been revoked. |
| num_active integer | The number of instances that are still active. |
| num_imported integer | The number of instances that could not be revoked because they were imported. |
Definition
Example Request
Example Response
Test a certificate
Test the installation of the given certificate by conducting a TLS handshake with one or more hosts (by default, the common name of the certificate is used as the hostname) and checking that the active certificate instance is served correctly.
Arguments
| hostname | The hostname or IP address to test. Argument be specified more than once to test multiple hosts. Defaults to all valid hostnames of the certificate (common name plus subjectAltNames). |
|---|---|
| port | The port number to test. Defaults to 443 (HTTPS). |
Returns
Returns the following object if you have an active certificate in your account with this common name, and returns an error otherwise.
Attributes
| result array | An array of test result objects, one per host tested. If a hostname resolves to multiple IPv4 or IPv6 addresses, they will all be tested and returned in separate test results. |
|---|
The test result object
Attributes
| hostname string | The hostname to which this result applies. |
|---|---|
| ip_address string | The IPv4 or IPv6 address to which this result applies. |
| status string | One of: "conclusive" (the test produced a conclusive result), "connect_error" (could not connect to this host), "handshake_error" (TLS handshake failed), or "internal_error". |
| correct bool | True if and only if the correct certificate was served. This attribute is present if and only if status is "conclusive". |
| chained bool | True if and only if the correct certificate chain was served. This attribute is present if and only if status is "conclusive". |
| dummy bool | True if and only if the the certificate was a temporary certificate. This attribute is present if and only if status is "conclusive". |
| error string | A human-readable error message. This attribute is present if and only if status is not "conclusive". |
Definition
Example Request
Example Response
Retrieve a certificate
Given a common name, return the certificate object for that common name.
If no certificate with this common name exists in your account, the exists
attribute in the returned object will be false.
Returns
Returns a certificate object if a valid common name was provided, and returns an error otherwise.
Definition
Example Request
Example Response
See certificate object.
Certificate instances
The certificate instance object
Attributes
| id integer | Unique ID. Read-only |
|---|---|
| state string |
pending, active, expired, revoked, or canceled. Read-only
|
| expiring boolean | This certificate is active but expiring imminently. Read-only |
| source string | Either "sslmate" (purchased from SSLMate) or "import" (imported to SSLMate). Read-only |
| type string or null | The type of this certificate (e.g. "dv"). May be null only if this certificate is imported. Read-only |
| sans array or null | An array of SAN (subject alternative name) objects representing the subject alternative names of this certificate instance. Null if the certificate instance uses the default SANs. |
| pubkey_hash string | The SHA-256 hash of this certificate's DER-encoded public key, encoded in lowercase hex. Read-only |
| sha1_fingerprint string or null | The SHA-1 hash (in lowercase hex) of the DER-encoded certificate. Read-only |
| sha256_fingerprint string or null | The SHA-256 hash (in lowercase hex) of the DER-encoded certificate. Read-only |
| expiration timestamp or null | The expiration time of this certificate, as a UNIX timestamp (number of seconds since January 1, 1970). Read-only |
| csr string | PEM-encoded CSR in PKCS#10 format. Guaranteed to have a trailing newline character. Only present if expanded. Read-only |
| crt string | PEM-encoded X509 certificate. Guaranteed to have a trailing newline character. Only present if expanded. Read-only |
| chain array | An array of zero or more PEM-encoded X509 certificates that form the intermediate certificate chain for this certificate. The first certificate in the chain issued this certificate, and the last certificate in the chain was issued by a root certificate. The root certificate itself is not included. Each certificate is terminated with a newline character. Only present if expanded. Read-only |
| root string | The PEM-encoded X509 root certificate (the issuer of the last certificate in the chain, or of this certificate if the chain is empty). Guaranteed to have a trailing newline character. Only present if expanded. Read-only |
| invoice_id string or null | Invoice ID for the purchase of this certificate. Null if no invoice was issued for the certificate, which can happen if the cert was free or imported. Read-only |
| approval_method string or null | How domain control was verified. Null for imported certs. Read-only |
| approver_email string | The email address used to approve the certificate. Applicable if and only if approval_method is "email". Read-only |
| approval_email_from string | The email address from which the approval email was sent. Applicable if and only if approval_method is "email". Read-only |
Example certificate instance
Retrieve a certificate instance
Retrieve a certificate instance object for the certificate object with the given common name.
Instances can be retrieved either by their unique instance ID, or by the value of their
pubkey_hash attribute. If a certificate has more than one instance
with the requested pubkey_hash, then the most recent active instance
is returned.
Arguments
| poll | If this argument is specified, and the certificate instance is pending, the server will wait until the certificate instance is no longer pending before returning a result. The server will wait at most the number of seconds specified by the poll argument, but may return sooner even if the certificate instance is still pending. The client should be prepared to retry the request. |
|---|
Returns
Returns a certificate instance object if the
requested certificate instance exists, and returns an error otherwise.
If the poll argument was specified, and the certificate instance is still pending, a 412 Precondition
Failed error is returned. The error object's retry_after attribute will be set, and the client must not
retry the request until after this many seconds have elapsed.
Definition
Example Request
Example Response
DNS Approval Objects
The DNS approval object describes how a certificate can be approved with DNS. DNS approval works by publishing a DNS record of a specific type with a specific name and value. If you have integrated your SSLMate account with your DNS provider, then you can ignore the approval objects returned by the API. Simply specify "dns" approval when creating the certificate object, and SSLMate will provision the DNS record for you.
DNS approval objects are found in the dns_approval
attributes of certificate objects
and SAN objects.
Attributes
| options array | An array of DNS approval option objects, any of which can be used to approve the certificate. Read-only |
|---|
Example DNS approval object
The DNS approval option object
Describes the DNS record which you must publish to approve the certificate. The record must be of the given type, have the given name, and resolve to the given value.
Attributes
| name string | The fully-qualified name of the DNS record that must be published. Read-only |
|---|---|
| type string | The type of the DNS record (e.g. NS or CNAME) that must be published. Read-only |
| value string | The value of the DNS record that must be published. For TXT records, the value will contain the necessary quote characters; do not add your own. Read-only |
Example DNS approval option
Subject Alternative Names (SANs)
A SAN object describes the additional subject alternative name of a certificate. Only the additional SANs are represented by a SAN object; SSLMate always implicitly adds a SAN for the common name.
SAN objects are found in the sans array
attribute of certificate
and certificate instance
objects. If the sans attribute is null, SSLMate adds
a set of default SANs to the
certificate.
To create a certificate with non-default SANs, pass a string containing a JSON array of SAN objects
in the sans argument when creating the certificate.
To change an existing certificate's SANs, pass a string containing a JSON array of SAN objects
in the sans argument to the certificate update
endpoint. Then, reissue the certificate to issue a certificate
with the updated SANs.
The SAN object
Attributes
| type string | The type of name. Currently only "dns" is supported. Read-only |
|---|---|
| value string | The name itself. In the case of "dns" SANs, this is the hostname. Read-only |
| approval_method string | How control over the name is verified: "email", "http", or "dns". |
| approver_email string | The email address to which domain validation emails should be sent. This attribute is present if and only if approval_method is "email". |
| http_approval object | This attribute is deprecated. To approve a certificate using HTTP, please set up an HTTP approval integration with your web server. Read-only |
| dns_approval object | An approval object with DNS options describing how to approve this certificate over DNS. This attribute is present if and only if approval_method is "dns". Read-only |
Example SAN
Default SANs
If a certificate's sans attribute is null, SSLMate adds an automatic
SAN using the below logic:
-
If the common name starts with
www., SSLMate adds a SAN that is formed by removing thewww.prefix. -
If the common name starts with
*., SSLMate adds a SAN that is formed by removing the*.prefix. -
Otherwise, SSLMate adds a SAN that is formed by prefixing
www.to the common name.
The automatically-added SAN uses the same approval method as the common name.
If you don't want your certificate to have the automatically-added SAN,
set the sans attribute to the empty array.
Webhook
You can configure SSLMate to POST a certificate object,
with current.crt and current.chain expanded,
when a certificate is issued.
Visit your webhooks page to add a webhook endpoint.
Generating CSRs
The SSLMate API accepts and returns CSRs in PEM-encoded PKCS#10 format. CSRs must
correspond to an RSA key of 2048, 3072, or 4096 bits, or to an ECDSA key on the
NIST P-256 (secp256r1 / prime256v1) or NIST P-384 (secp384r1) curves. The CSR's
distinguished name must contain the certificate's common name in the CN attribute, and a
valid two-letter ISO country code (e.g. US) in the C attribute.
To programmatically generate a private key and a corresponding CSR for use with a
certificate object, the following
openssl command can be used:
openssl req -new -newkey rsa:2048 -nodes -subj /C=US/CN=COMMON_NAME -keyout KEYFILE
Replace COMMON_NAME with the certificate object's common name. The CSR will be written to standard out, which you should upload to SSLMate when creating or updating the certificate object. The private key will be saved to a file named KEYFILE.
You can also generate a private key and CSR using the sslmate req command (from the SSLMate client) as follows:
sslmate req --key-file=KEYFILE --csr-file=CSRFILE COMMON_NAME
The private key and CSR will be written to KEYFILE and CSRFILE, respectively. Either or both filenames may be - to write to standard out.
sslmate req is a standalone command that works without contacting SSLMate servers.
Cookbook of Common Operations
Buying a certificate
- If using HTTP approval, set up an HTTP approval integration for every hostname you need in the certificate.
- Generate a key and CSR.
- Create a certificate object with the CSR generated in step 2, and the desired approval method.
- If using DNS approval, and you haven't set up a DNS integration, publish the DNS record as described by the
dns_approvalattribute of the certificate object (as well as every SAN object, if using a multi-hostname certificate) returned in step 3. See the section on approval objects for details. -
Buy the certificate. Make note of the
idattribute of the returned certificate instance object. - If using email approval, you must now respond to the email sent to the address specified in the
approver_emailattribute of the certificate object (as well as every SAN object, if using a multi-hostname certificate). -
Retrieve the certificate instance with the ID of the certificate instance object returned in step 5, repeating as necessary until the certificate instance's
statebecomesactive. (This typically takes 30-60 seconds. You can use thepollargument to long-poll.) When retrieving the certificate instance, ask for thecrtandchainattributes to be expanded. Once the instance is active, you will find the X509 certificate in thecrtattribute, and the chain certificate(s) in thechainattribute.
Renewing a certificate
If a certificate's auto_renew attribute is false, then complete steps 4 through 7 of "Buying a certificate" above. There is no need to generate a new CSR or update the existing certificate object.
If a certificate's auto_renew attribute is true and you have
integrated your HTTP server or DNS provider with SSLMate as described in
the approval documentation, then SSLMate will automatically request a new certificate for you before the current certificate expires.
Once issued, the new certificate instance will be available under the current
attribute of the certificate object.
You can also receive the new certificate via a webhook.
Rekeying a certificate
- Generate a new key and CSR.
- Update the certificate object with the CSR generated in step 1.
- If using DNS approval, and you haven't set up a DNS integration, publish the DNS record as described by the
dns_approvalattribute of the certificate object (as well as every SAN object, if using a multi-hostname certificate) returned in step 2. See the section on approval objects for details. -
Reissue the certificate. Make note of the
idattribute of the returned certificate instance object. - Complete steps 6 through 7 of "Buying a certificate" above.