Certificate Approval Process

To purchase, reissue, or renew a certificate, you must demonstrate that you have control over each hostname in the certificate, using one of the three approval methods described on this page.

For wildcard hostnames, you must use DNS or email approval to demonstrate control over the hostname that is formed by removing the wildcard prefix. For example, to get a certificate for *.subdomain.example.com, you must demonstrate control over subdomain.example.com. HTTP approval cannot be used for wildcard hostnames.

Note that when you order a certificate for a single hostname, SSLMate automatically adds an additional hostname that is formed by either adding or removing the www. prefix. You must also demonstrate control over the additional hostname. If you do not desire the additional hostname, you can omit it by specifying --no-auto-san to the sslmate buy command, or by specifying an empty JSON array ([]) to the sans parameter in the API.
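The wildcard and www. rules above, worked through in Python as an added example (not SSLMate's own code). The names approval_plan, auto_san, common_methods and Requirement are hypothetical, and the example assumes the www. rule applies only to a single non-wildcard hostname, since this page does not say how it interacts with wildcards.

```python
from dataclasses import dataclass

ALL_METHODS = ("email", "dns", "http")

@dataclass(frozen=True)
class Requirement:
    cert_hostname: str     # name that appears in the certificate
    control_hostname: str  # name you must demonstrate control over
    methods: tuple         # approval methods this page allows for it

def auto_san(hostname):
    """Return the www. counterpart added when a single hostname is ordered."""
    if hostname.startswith("www."):
        return hostname[len("www."):]
    return "www." + hostname

def approval_plan(hostnames, no_auto_san=False):
    """List what must be approved for an order of the given hostnames."""
    names = [h.strip().lower().rstrip(".") for h in hostnames]
    # Assumption: auto-SAN is applied only to a single non-wildcard hostname.
    if len(names) == 1 and not no_auto_san and not names[0].startswith("*."):
        names.append(auto_san(names[0]))
    plan = []
    for name in names:
        if "*" in name[1:]:
            raise ValueError(f"wildcard must be the leftmost label: {name}")
        if name.startswith("*."):
            # Control is shown over the name with the wildcard prefix removed,
            # and HTTP approval cannot be used.
            plan.append(Requirement(name, name[2:], ("email", "dns")))
        else:
            plan.append(Requirement(name, name, ALL_METHODS))
    return plan

def common_methods(plan):
    """Approval methods allowed for every hostname in the plan."""
    return [m for m in ALL_METHODS if all(m in r.methods for r in plan)]

if __name__ == "__main__":
    # Constructed sample orders using the page's example names.
    for order in (["example.com"], ["*.subdomain.example.com"]):
        plan = approval_plan(order)
        for r in plan:
            print(f"{r.cert_hostname}: prove control of {r.control_hostname}")
        print("usable for the whole order:", common_methods(plan))
```
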

Email approval (manual)

Email approval requires you to click a link in an email sent to an acceptable administrative email address for the hostname.

Email approval is best when you need a one-off certificate quickly. Since email approval is not automated, it should generally be avoided. The SSLMate for SaaS service does not support email approval.

For more information, consult the email approval page.

DNS approval (automated)

DNS approval requires you to publish a DNS record in your domain's DNS zone. You can integrate SSLMate with your DNS provider so SSLMate can automatically publish the DNS record, allowing fully automated provisioning and renewal of certificates.

DNS approval is best when you own the domains for which you need certificates.

To use DNS approval, first configure your account to integrate with your DNS provider. Then, specify the --approval=dns flag when ordering a certificate with the sslmate command, or set the approval field to dns when ordering a certificate with the REST API.

For more information, consult the DNS approval page.

HTTP approval (automated)

HTTP approval requires you to publish a file on the web server for the hostname, under one of two special directories reserved for certificate approval. You can configure your web server to proxy these two directories to SSLMate so SSLMate can automatically publish the file, allowing fully automated provisioning and renewal of certificates.

HTTP approval is best if you're a SaaS provider or marketing agency who hosts websites on your customers' (sub-)domains. Once your customer points their (sub-)domain to your web server, you can use HTTP approval to obtain a certificate for the (sub-)domain, without your customer needing to respond to an email or publish an additional DNS record.

To use HTTP approval, first configure your web server to proxy the two certificate approval directories to SSLMate. Then, specify the --approval=http flag when ordering a certificate with the sslmate command, or set the approval field to http when ordering a certificate with the REST API.

For more information, consult the HTTP approval page.

Changing the approval method

The approval method of an existing or pending certificate can be changed by passing the --approval option to sslmate edit. The new approval method will be used for future reissues and renewals. If the certificate is still pending approval, then the process will be restarted with the new approval method. Consult the sslmate(1) man page for details.