
Rekey a Certificate

Rekeying a certificate generates a new key and certificate with the same name and expiration date as a previously purchased certificate. Rekeys are free, and can be used if a key has been lost or compromised.

Just run:

sslmate rekey HOSTNAME

HOSTNAME is the name of an active certificate on your account that you want to reissue.

After running sslmate rekey, you'll have new key and certificate files in your key and cert directories. Be sure to restart your web server so it loads these new files.

Once you've installed your new certificate, you should revoke your old certificate, as described below.

Revoke a Certificate

Revoking a certificate causes clients to reject the certificate, which is useful if a certificate's private key is compromised. However, be aware that not all clients check for revocation, and most web browsers check for revocation in a way that can be circumvented by an attacker. Therefore, revocation is not an airtight way to prevent a compromised key from being used.

Before revoking your certificate, you should rekey it as described above. Be sure to install your new certificate before revoking the old one, or visitors will be unable to access your site.

Run:

sslmate revoke HOSTNAME

HOSTNAME is the name of an active certificate on your account that you want to revoke.
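
Before running the revoke command above, one way to confirm that the web server has actually loaded the rekeyed certificate is to compare the fingerprint of the new certificate file with the certificate the server presents. This is an added example, not part of SSLMate; the script name and the certificate path argument are assumptions, and the file is assumed to list the leaf certificate first if it contains a chain.

```python
import hashlib
import re
import socket
import ssl
import sys

# Matches one PEM certificate block; a chained file holds several of them.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 fingerprint of the first certificate in a PEM file's text."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate found")
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(match.group(0))).hexdigest()


def fetch_served_cert(host, port=443, timeout=10):
    """Return the DER certificate the server presents for `host` (via SNI)."""
    ctx = ssl.create_default_context()
    # Chain validation is off on purpose: we only read the certificate and
    # compare it byte-for-byte with the file we expect to be installed.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def safe_to_revoke(new_cert_pem, served_der):
    """True only if the server is already presenting the rekeyed certificate."""
    return leaf_fingerprint(new_cert_pem) == hashlib.sha256(served_der).hexdigest()


if __name__ == "__main__":
    # Usage (hypothetical script name): check_rekey.py HOSTNAME /path/to/new.crt
    host, cert_path = sys.argv[1], sys.argv[2]
    with open(cert_path) as fh:
        ok = safe_to_revoke(fh.read(), fetch_served_cert(host))
    print("new certificate is live" if ok
          else "server still serves a different certificate")
    sys.exit(0 if ok else 1)
```

The script exits non-zero on a mismatch, so it can gate sslmate revoke HOSTNAME in a shell script. If the hostname is served by more than one machine, each one needs to pass the check.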

By default, sslmate revoke revokes only old certificates. The most recent certificate is not revoked. To revoke even the most recent certificate, pass the --all option to sslmate revoke. (Example: sslmate revoke --all HOSTNAME). Warning: if you use --all, SSLMate will no longer be able to issue new certificates for this hostname unless you buy a brand new certificate. Generally, to revoke a certificate, you should first rekey it with the rekey command and then use revoke without --all. Only use --all if you no longer need any certificates for a hostname.

Revocations are free.