Automating Renewals with `--auto-renew` and `sslmate download`
Historically, buying and renewing SSL certificates has been burdensome. You'd have to generate a private key and a CSR by hand using long openssl commands that ask irrelevant questions. Then you'd have to copy and paste the CSR into a multi-step online form, wait for your certificate to be emailed to you, and then copy it to your server. Multiply this by many different domains and servers, and soon you're spending way too much time managing SSL certificates.
This hassle has had a number of undesirable consequences. First, HTTPS usage is lower than it should be. Second, web site operators buy certificates for terms as long as five years, which is bad because such long-term certificates don't get refreshed with the latest cryptographic best practices, a problem we are currently facing with the transition away from SHA-1 certificates. And finally, the manual nature of renewals means that even popular and otherwise well-run websites sometimes forget to renew, leaving their visitors unable to connect.
SSLMate already makes purchasing a certificate simple: just run `sslmate buy www.example.com` from the command line, and the key and CSR are automatically generated, and once approved, the certificate is downloaded straight to the server where you ran `sslmate`. Today SSLMate is pleased to announce the next step in the evolution of certificate management: automated renewals.
			
The first half of automated renewals is accomplished with the `--auto-renew` option to the `sslmate buy` command. If you include this option when buying a certificate, SSLMate will automatically renew your certificate when it is about to expire, charging your credit card on file. You can toggle the auto-renew setting for already-purchased certificates by visiting your certificate dashboard, and can make `--auto-renew` the default for new certificates by changing a setting on your account page.
			
Once a certificate is renewed, you have to install the new certificate on your server. There are two ways you can do this. The manual way is to wait for SSLMate to email the new certificate to you. The email will contain a download link which you can download straight to your server with `wget` or `curl` — no need to open an attachment, extract a Zip file, scp files around, or do any other inconvenient nonsense. Or, you can choose the automated way with the `sslmate download` command.
			
`sslmate download` downloads the latest version of a certificate from your SSLMate account to your server. By default, it places certificates in `/etc/sslmate`. You can configure your web server to load its certificate from `/etc/sslmate` and put `sslmate download` in a cron job that runs daily. Thus, within a day of a certificate being renewed, the renewed certificate will be automatically downloaded to your server. `sslmate download` uses its exit status to indicate if a new certificate was downloaded or not, and you can use this to decide whether to restart your web server. For example:
			
```sh
#!/bin/sh
if sslmate download www.example.com > /dev/null
then
	service apache2 restart > /dev/null
fi
```
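
A more defensive variant of the cron script above, added here as an example and not SSLMate's own code: before restarting Apache it checks that the downloaded certificate matches its private key, is not expired, and that the server configuration still parses. The `HOSTNAME.crt` / `HOSTNAME.key` file names under `/etc/sslmate`, the `renew_and_restart` and `cert_matches_key` helpers, and the use of `apache2ctl configtest` are assumptions.

```shell
#!/bin/sh
# Added example (not SSLMate's own script): cron wrapper for `sslmate download`.
CERT_DIR=${CERT_DIR:-/etc/sslmate}   # default location named on the page

# True when the certificate's public key equals the private key's public key.
cert_matches_key() {
	cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
	key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
	[ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# renew_and_restart HOSTNAME
# Returns 0 = new certificate installed and Apache restarted,
#         1 = nothing new downloaded,
#         2 = new files failed a check, Apache left running untouched.
renew_and_restart() {
	host=$1
	crt="$CERT_DIR/$host.crt"   # assumed file layout under CERT_DIR
	key="$CERT_DIR/$host.key"

	# As in the page's script: exit status 0 means a new certificate arrived.
	sslmate download "$host" > /dev/null || return 1

	if ! cert_matches_key "$crt" "$key"; then
		echo "$host: certificate does not match private key" >&2
		return 2
	fi
	# -checkend 0 succeeds only if the certificate is still valid right now.
	if ! openssl x509 -in "$crt" -noout -checkend 0 > /dev/null 2>&1; then
		echo "$host: downloaded certificate is expired" >&2
		return 2
	fi
	# Confirm Apache can parse its configuration before touching the service.
	if ! apache2ctl configtest > /dev/null 2>&1; then
		echo "$host: apache2ctl configtest failed, not restarting" >&2
		return 2
	fi
	service apache2 restart > /dev/null
}

# Cron entry point: runs only when a hostname is given on the command line.
if [ $# -gt 0 ]; then
	renew_and_restart "$1"
fi
```

Because the failure paths write to stderr, cron mails the operator when a check fails and stays silent on a normal run.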

To learn more, consult our documentation on renewals and downloads.
