SSLMate 2 CLI Reference


sslmate — Acquire and manage SSL/TLS certificates




sslmate is the command line client for SSLMate, a service for acquiring and managing SSL/TLS certificates in an easy and automated manner.


sslmate is logically divided into sub-commands which perform distinct tasks. Each sub-command, and its arguments, are documented below. Note that arguments and options to sub-commands must be specified on the command line after the name of the sub-command.


The following sub-commands are used to manage (add, modify, display) orders in your SSLMate account:

sslmate add [OPTIONS…] DNSNAME

Add an order to your account for a certificate with the given DNS names. Each DNSNAME will be added as a DNS Subject Alternative Name (SAN) in the certificate. The first DNSNAME will be used as the certificate’s common name.

The following options are understood:

--cluster CLUSTER_NAME
Make this order managed by the given cluster. When an order is managed, it means that the private key and certificate will be automatically generated and distributed among members of the cluster. A cluster may be a group of servers running sslmate-agent(8), or a group of load balancers at a provider such as AWS or Google Cloud. If this option is not supplied, the order is unmanaged. You will need to manually generate a key using the sslmate key add command.
--name NAME
Configure the order’s name. The name is used internally to refer to the order on the command line, in configuration files, and in the REST API. It will not be part of the actual certificate. By default, the first DNS name is used as the order name.

Change one or more settings of the given order. The settings are specified by the OPTIONS arguments, as described below. Every option is optional; if omitted, the setting is left unchanged.

--add-dnsname DNSNAME, --rm-dnsname DNSNAME
Add or remove the given DNS name to or from this order. If the order is managed, a new certificate will be automatically requested with the changed identifiers. If the order is unmanaged, use sslmate reissue to request a new certificate. If there is a net increase in the number of identifiers, your account will be charged for the new names in accordance with the product’s pricing structure. You can specify these options more than once to add/remove multiple identifiers at the same time. For backwards compatibility with sslmate 1, the options --add-name and --rm-name are accepted, but may be removed in a future version of sslmate.
--cluster CLUSTER_NAME
Configure the order to be managed by the given cluster. See the documentation for sslmate add for details.
Remove the order from its cluster, making it unmanaged. See the documentation for sslmate add for details.
sslmate list
List the orders in your SSLMate account.
sslmate show ORDER_NAME
Show information about the given order.


The following sub-commands are used to manage the clusters in your SSLMate account:

sslmate clusters add NAME

Add a cluster named NAME to your account.

The output of this command will be a configuration snippet which you should paste into the sslmate-agent.conf(5) file on every server which you want to be a member of the cluster.

Warning: The output of this command contains a secret which you must protect. If you lose it, you will have to create a new cluster; SSLMate support cannot recover it.

sslmate clusters rm CLUSTER_NAME
Remove the given cluster from your account.
sslmate clusters list
List the clusters in your account.
sslmate clusters show CLUSTER_NAME
Show information about the given cluster.


sslmate version
Display the currently-installed version of sslmate.
sslmate help [COMMAND]
Display help for the given COMMAND, or an overview of all commands if no command is specified.


The following options are understood by sslmate and can be used with any sub-command. Since they apply globally to sslmate, they must be specified on the command line before the sub-command name.

-p PROFILE, --profile PROFILE
Use the given configuration profile, instead of the default. If this option is specified, the string "-PROFILE" will be appended to the paths of the configuration file, the state directory, and default key and certificate directories. For example, if --profile company is used, the configuration file will be ~/.sslmate-company, the state directory will be ~/.sslmate.d-company, and the default key/certificate directory will be /etc/sslmate-company, instead of ~/.sslmate, ~/.sslmate.d, and /etc/sslmate. This option is intended for those who need to manage several different SSLMate accounts from a single host, since each configuration file can contain distinct SSLMate API credentials.


Upon startup, sslmate reads configuration from ~/.sslmate. This file should contain one configuration option per line of the form NAME VALUE. Blank lines and lines starting with # are ignored. The location of your personal configuration file can be changed by setting the $SSLMATE_CONFIG environment variable or using the --profile option.

The following options are understood:

api_key KEY
Your API key, which can be found on your online SSLMate account page. This option is mandatory.
api_endpoint URI
The URI to the SSLMate API endpoint. This option only needs to be changed if you are using the SSLMate sandbox.

For backwards compatibility with SSLMate 1, sslmate also reads options from /etc/sslmate.conf. Options in ~/.sslmate override options set in /etc/sslmate.conf. Use of /etc/sslmate.conf is discouraged.


The path to your configuration file. Defaults to $HOME/.sslmate (with profile suffix appended if the --profile option is used).
The path to your state directory. Defaults to $HOME/.sslmate.d (with profile suffix appended if the --profile option is used).
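
The configuration file rules above (NAME VALUE lines, the --profile suffix, ~/.sslmate overriding /etc/sslmate.conf) can be checked with a short script. This is an added example, not part of sslmate or the original reference. The function names are hypothetical, and two behaviours are assumptions: $SSLMATE_CONFIG taking precedence over the profile default, and owner-only permissions as the policy for a file that holds the API key.

```shell
#!/bin/sh
# Added example (not SSLMate code): locate and audit the sslmate config file.

# Personal config path for an optional profile name ($1).
# Assumption: $SSLMATE_CONFIG, when set, wins over the profile-derived default.
sslmate_config_path() {
    if [ -n "${SSLMATE_CONFIG:-}" ]; then
        printf '%s\n' "$SSLMATE_CONFIG"
    else
        printf '%s\n' "$HOME/.sslmate${1:+-$1}"
    fi
}

# Effective value of option $1 across the files that follow, lowest precedence
# first. Format per the page: "NAME VALUE"; blank and "#" lines are ignored.
sslmate_config_get() {
    opt=$1; shift; val=
    for f in "$@"; do
        [ -r "$f" ] || continue
        v=$(awk -v opt="$opt" '
            /^#/ || NF == 0 { next }
            NF >= 2 && $1 == opt { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); found = $0 }
            END { print found }' "$f")
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# Exit status: 0 ok, 1 group/other can access the file, 2 missing, 3 no api_key.
# Assumption: owner-only access is this example's policy for a file holding
# API credentials; the reference itself does not state a required mode.
sslmate_config_audit() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    if [ "$(ls -ldL "$1" | cut -c5-10)" != "------" ]; then
        echo "group/other permissions set on $1" >&2; return 1
    fi
    [ -n "$(sslmate_config_get api_key "$1")" ] || { echo "no api_key in $1" >&2; return 3; }
}

# Constructed demo: a throwaway "company" profile with a placeholder key.
demo=$(mktemp -d)
cfg=$(unset SSLMATE_CONFIG; HOME=$demo; sslmate_config_path company)
printf '# constructed sample\napi_key PLACEHOLDER_KEY\n' > "$cfg"
chmod 644 "$cfg"; sslmate_config_audit "$cfg" || echo "audit rc=$?"
chmod 600 "$cfg"; sslmate_config_audit "$cfg" && echo "audit ok: $cfg"
rm -rf "$demo"
```

To see which api_key would take effect on a host that still has the legacy file, call `sslmate_config_get api_key /etc/sslmate.conf "$(sslmate_config_path)"`.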