Rekey a Certificate

Rekeying a certificate generates a new key and certificate with the same name and expiration date as a previously-purchased certificate. Rekeys are free, and can be used if a key has been lost or compromised.

Just run:

sslmate rekey HOSTNAME

HOSTNAME is the name of an active certificate on your account that you want to reissue.

After running sslmate rekey, you'll have new key and certificate files in the your key and cert directories. Be sure to restart your web server so it loads these new files.

Once you've reissued your certificate, you should revoke your old certificate, as described below.

Reissue a Certificate

Reissuing a certificate generates a new certificate with the same private key, name, and expiration date as a previously-purchased certificate. Reissues are free, and can be used after adding or removing an alternative name to or from a multi-hostname certificate.

Just run:

sslmate reissue --same-key HOSTNAME

HOSTNAME is the name of an active certificate on your account that you want to reissue.

Note: For backwards compatibility with SSLMate 1.3 and earlier, running sslmate reissue without the --same-key option causes it to behave like sslmate rekey. Running sslmate reissue without --same-key is deprecated, and starting with SSLMate 2.0, the --same-key option will be implied.

After running sslmate reissue, you'll have new certificate files in the your cert directory. Be sure to restart your web server so it loads these new files.

There is no need to revoke a certificate after reissuing it, since the private key is the same.

Revoke a Certificate

Revoking a certificate causes clients to reject the certificate, which can be used if a certificate's private key is compromised. However, be aware that not all clients check for revocation, and most web browsers check for revocation in a way that can be circumvented by an attacker. Therefore, revocation is not an airtight way to prevent a compromised key from being used.

Before revoking your certificate, you should rekey it as described above. Be sure to install your new certificate before revoking the old one, or visitors will be unable to access your site.

Run:

sslmate revoke HOSTNAME

HOSTNAME is the name of an active certificate on your account that you want to revoke.

By default, sslmate revoke revokes only certificates that have been rekeyed or reissued. The most recent certificate is not revoked. To revoke even the most recent certificate, pass the --all option to sslmate revoke. (Example: sslmate revoke --all HOSTNAME). Warning: if you use --all, SSLMate will no longer be able to issue new certificates for this hostname unless you buy a brand new certificate. Generally, to revoke a certificate, you should first rekey it with the rekey command and then use revoke without --all. Only use --all if you no longer need any certificates for a hostname.

Revocations are free.

Get Started with SSLMate Today

Buy a new certificate, or import your existing certs for free.

Click to sign up