This documentation applies to the SSLMate for SaaS service. If you are using SSLMate Basic, please see the SSLMate 1 CLI reference instead.

SSLMate 2 CLI Reference

Name

sslmate — Acquire and manage SSL/TLS certificates

Synopsis

sslmate [OPTIONS…] COMMAND [ARGS…]

DESCRIPTION

sslmate is the command line client for SSLMate (https://sslmate.com), a service for acquiring and managing SSL/TLS certificates in an easy and automated manner.

To use the sslmate command, you must create a free account at https://sslmate.com.

SUB-COMMANDS

sslmate is logically divided into sub-commands which perform distinct tasks. Each sub-command, and its arguments, are documented below. Note that arguments and options to sub-commands must be specified on the command line after the name of the sub-command.

OREDR MANAGEMENT

The following sub-commands are used to manage (add, modify, display) orders in your SSLMate account:

sslmate add [OPTIONS…] HOSTNAME

Add an order to your account with the given HOSTNAMEs as identifiers. Each HOSTNAME will be added as a DNS Subject Alternative Name (SAN) in the certificate. The first HOSTNAME will be used as the certificate’s common name.

The following options are understood:

--approval http|dns|EMAIL_ADDRESS
Use the given approval method for approving the order’s identifiers. Each identifier in an order has to be approved by an authorized domain administrator before certificates can be issued. With "http" approval, you must configure the web server for each identifier to proxy /.well-known/pki-validation and /.well-known/acme-challenge to SSLMate. SSLMate will check that the proxying is in place, and if so, approve the identifier. With "dns" approval, you must add a specific DNS record to your domain for each identifier. SSLMate must be configured to integrate with a supported DNS provider, such as Route 53 or DNSimple. Alternatively, you can specify an authorized administrative email address. The certificate authority will send an email to the address with a link you must follow to approve the identifier. Email approval is discouraged because it cannot be automated. By default, the approval method applies to all identifiers. To specify a different method for a particular identifier, specify an option of the form --approval HOSTNAME=http|dns|EMAIL_ADDRESS. This option is mandatory.
--cluster CLUSTER_NAME
Make this order managed by the given cluster. When an order is managed, it means that the private key and certificate will be automatically generated and distributed among members of the cluster. A cluster may be a group of servers running sslmate-agent(8), or a group of load balancers at a provider such as AWS or Google Cloud. If this option is not supplied, the order is unmanaged. You will need to manually generate a key using the sslmate key add command.
--name NAME
Configure the order’s name. The name is used internally to refer to the order on the command line, in configuration files, and in the REST API. It will not be part of the actual certificate. By default, the first identifier is used as the name.
sslmate edit OPTIONSORDER_NAME

Change one or more setting of the given order. The settings are specified by the OPTIONS arguments, as described below. Every option is optional; if omitted, the setting is left unchanged.

--approval http|dns|EMAIL_ADDRESS
Change the approval method for this order. The new method will be used for approving future reissues and renewals. If any certificates are currently pending approval, the approval process will be re-initiated. For more information about approval methods, see the documentation for sslmate add. By default, the approval method applies to all identifiers. To specify a different method for a particular identifier, specify an option of the form --approval HOSTNAME=http|dns|EMAIL_ADDRESS.
--add-identifier HOSTNAME, --rm-identifier HOSTNAME
Add or remove the given hostname identifier to or from this order. If the order is managed, a new certificate will be automatically requested with the changed identifiers. If the order is unmanaged, use sslmate reissue to request a new certificate. If there is a net increase in the number of identifiers, your account will be charged for the new names in accordance with the product’s pricing structure. You can specify these options more than once to add/remove multiple identifiers at the same time. For convenience, the shortened options --add-id and --rm-id are also accepted. For backwards compatibility with sslmate 1, the options --add-name and --rm-name are accepted, but may be removed in a future version of sslmate.
--cluster CLUSTER_NAME
Configure the order to be managed by the given cluster. See the documentation for sslmate add for details.
--no-cluster
Remove the order from its cluster, making it unmanaged. See the documentation for sslmate add for details.
sslmate list
List the orders in your SSLMate account.
sslmate show ORDER_NAME
Show information about the given order.

CLUSTER MANAGEMENT

The following sub-commands are used to manage the clusters in your SSLMate account:

sslmate clusters add NAME

Add a cluster named NAME to your account.

The output of this command will be a configuration snippet which you should paste into the sslmate-agent.conf(5) file on every server which you want to be a member of the cluster.

Warning: The output of this command contains a secret which you must protect. If you lose it, you will have to create a new cluster; SSLMate support cannot recover it.

sslmate clusters rm CLUSTER_NAME
Remove the given cluster from your account.
sslmate clusters list
List the clusters in your account.
sslmate clusters show CLUSTER_NAME
Show information about the given cluster.

MISCELLANEOUS COMMANDS

sslmate version
Display the currently-installed version of sslmate.
sslmate help [COMMAND]
Display help for the given COMMAND, or an overview of all commands if no command is specified.

GLOBAL OPTIONS

The following options are understood by sslmate and can be used with any sub-command. Since they apply globally to sslmate, they must be specified on the command line before the sub-command name.

-p PROFILE, --profile PROFILE
Use the given configuration profile, instead of the default. If this option is specified, the string "-PROFILE" will be appended to the paths of the configuration file, the state directory, and default key and certificate directories. For example, if --profile company is used, the configuration file will be /.sslmate-company, the state directory will be /.sslmate.d-company, and the default key/certificate directory will be /etc/sslmate-company, instead of /.sslmate, /.sslmate.d, and /etc/sslmate. This option is intended for those who need to manage several different SSLMate accounts from a single host, since each configuration file can contain distinct SSLMate API credentials.

CONFIGURATION

Upon startup, sslmate reads configuration from ~/.sslmate. This file should contain one configuration option per line of the form NAME VALUE. Blank lines and lines starting with # are ignored. The location of your personal configuration file can be changed by setting the $SSLMATE_CONFIG environment variable or using the --profile option.

The following options are understood:

api_key KEY
Your API key, which can be found on your online SSLMate account page (https://sslmate.com/account). This option is mandatory.
api_endpoint URI
The URI to the SSLMate API endpoint. This option only needs to be changed if you are using the SSLMate sandbox.

For backwards compatibility with SSLMate 1, sslmate also reads options from /etc/sslmate.conf. Options in ~/.sslmate override options set in /etc/sslmate.conf. Use of /etc/sslmate.conf is discouraged.

ENVIRONMENT VARIABLES

SSLMATE_CONFIG
The path to your configuration file. Defaults to $HOME/.sslmate (with profile suffix appended if --profile option is used).
SSLMATE_DIR
The path to your state directory. Defaults to $HOME/.sslmate.d (with profile suffix appended if -profile option is used).

SEE ALSO

sslmate-agent(8)

Get Started with SSLMate Today

Buy a new certificate, or import your existing certs for free.

Click to sign up