SSLMate Change Log

This page lists new features and other notable changes in reverse chronological order. Stay up-to-date by subscribing with Atom or email.

: DNS Integration

SSLMate now integrates with to automatically publish DNS approval records, making it easier to issue and renew certificates. If you host your domain's DNS with, you can set up an integration by visiting your integrations page.

: CT Search API: Detailed Issuer Information and Other Improvements

The Certificate Transparency Search API's issuer object now includes the following fields to help you better identify certificate issuers:

  • friendly_name - the name of the organization which issued the certificate. This field is more accurate and helpful than the existing name field.
  • website (only present if expanded) - the URL of the issuer's website
  • caa_domains (only present if expanded) - the domain names which can be placed in a CAA record to authorize the issuer
  • operator (only present if expanded) - information about the organization which controls the issuer's private key
  • name_der (only present if expanded) - the issuer's DER-encoded distinguished name
  • pubkey_der (only present if expanded) - the issuer's DER-encoded public key

The issuance object now includes the following fields:

  • problem_reporting (only present if expanded) - instructions on how to request the certificate be revoked
  • cert_sha256 - the SHA-256 certificate fingerprint (previously found in the cert sub-object)
  • cert_der (only present if expanded) - the DER-encoded certificate (previously found in the cert sub-object)

: Gandi DNS Integration

SSLMate now integrates with Gandi to automatically publish DNS approval records, making it easier to issue and renew certificates. If you host your domain's DNS with Gandi, you can set up an integration by visiting your integrations page.

: Revocation Information in the CT Search API

The Certificate Transparency Search API's issuance object now includes a boolean field named revoked that indicates if the certificate is revoked. This field is generally true or false, but in rare cases (discussed in the API docs), it may be null if the revocation status of the certificate is unknown.

If you include expand=revocation in the query string, the issuance object will also include a field named revocation containing additional details, such as the time of and reason for the revocation. See the API docs for details.
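A client that consumes these fields has to handle two edge cases: the three-valued revoked field, and issuer fields that are absent unless expanded. The following is an added example, not SSLMate's own code; the sample issuance objects are constructed, and the verdict labels and the function names classify and review are hypothetical.

```python
# Constructed sample: issuance objects using only fields named in this change
# log. Fingerprints are placeholders, not real certificate hashes.
SAMPLE_ISSUANCES = [
    {"cert_sha256": "constructed-fp-1", "revoked": False,
     "issuer": {"friendly_name": "Let's Encrypt", "caa_domains": ["letsencrypt.org"]}},
    {"cert_sha256": "constructed-fp-2", "revoked": False,
     "issuer": {"friendly_name": "Sectigo", "caa_domains": ["sectigo.com"]}},
    {"cert_sha256": "constructed-fp-3", "revoked": True,
     "issuer": {"friendly_name": "Sectigo", "caa_domains": ["sectigo.com"]}},
    {"cert_sha256": "constructed-fp-4", "revoked": None,
     "issuer": {"friendly_name": "Sectigo", "caa_domains": ["sectigo.com"]}},
    {"cert_sha256": "constructed-fp-5", "revoked": False,
     "issuer": {"friendly_name": "Sectigo"}},  # issuer fetched without expansion
]


def classify(issuance, authorized_caa_domains):
    """Return a verdict for one issuance against the CAs you authorize."""
    issuer = issuance.get("issuer") or {}
    caa_domains = issuer.get("caa_domains")
    if caa_domains is None:
        # caa_domains is only present when expanded; absence proves nothing.
        return "issuer-not-expanded"
    allowed = {d.lower() for d in authorized_caa_domains}
    if any(d.lower() in allowed for d in caa_domains):
        return "authorized"
    revoked = issuance.get("revoked")
    if revoked is True:
        return "unauthorized-revoked"
    if revoked is False:
        return "unauthorized-active"
    # null means the status is unknown, so never report it as revoked.
    return "unauthorized-status-unknown"


def review(issuances, authorized_caa_domains):
    """Map each certificate fingerprint to (issuer name, verdict)."""
    return {
        item["cert_sha256"]: (
            (item.get("issuer") or {}).get("friendly_name", "unknown"),
            classify(item, authorized_caa_domains),
        )
        for item in issuances
    }


if __name__ == "__main__":
    for fp, (name, verdict) in review(SAMPLE_ISSUANCES, ["letsencrypt.org"]).items():
        print(f"{fp}  {name:15}  {verdict}")
```

A plain truthiness test such as `if not issuance["revoked"]` would treat the null case the same as false, which is why the checks above compare against True and False explicitly.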

: Flexible API Key Permissions

Your account can now have more than one API key, and you can restrict API keys to specific operations, so that your API clients have no more permissions than necessary.

To manage your API keys, visit your API Keys page.

Note that API keys are now prefixed with a k (e.g. k1234_5NPqGgwWU6AJu6 instead of 1234_5NPqGgwWU6AJu6). For backwards compatibility, the old format (without the k) is still accepted for existing API keys.

: Cert Spotter: Configure Authorized CAs on a Per-(Sub-)Domain Basis

You can now configure authorized certificate authorities on a per-domain basis. For example, you can express that your domain uses Sectigo certificates, but uses Let's Encrypt.

To configure a domain's authorized CA list, visit your Cert Spotter settings and click the appropriate Settings link in your Monitored Domains list.

If you want to configure the authorized CAs for a sub-domain of one of your monitored domains (e.g. uses Sectigo, but uses Let's Encrypt), then you'll need to first add the sub-domain to your monitored domains list, and then change the settings for the newly-added sub-domain. The settings for the sub-domain will override the settings for the parent domain.

: API Date/Times Now in UTC

Previously, SSLMate's APIs returned times with an "unknown" timezone (represented by -00:00 per RFC 3339 syntax). This was unintentional, since the times are known to be UTC. Therefore, the APIs now return times with a UTC timezone (represented by Z).

Old: 2021-07-20T21:12:18-00:00

New: 2021-07-20T21:12:18Z
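Stored records and strict parsers may still encounter the old form, so a client should accept both and normalise to one. This is an added example, not SSLMate's code; the function names parse_api_time and to_api_time are hypothetical.

```python
from datetime import datetime, timedelta, timezone


def parse_api_time(value: str) -> datetime:
    """Parse an API timestamp in either the old (-00:00) or new (Z) form.

    Both forms denote the same UTC instant, so both become an aware UTC
    datetime. Naive values and non-zero offsets are rejected.
    """
    text = value.strip()
    # datetime.fromisoformat() accepts a trailing Z only from Python 3.11 on,
    # so rewrite it as an explicit zero offset for older interpreters.
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp has no timezone: {value!r}")
    if parsed.utcoffset() != timedelta(0):
        raise ValueError(f"expected a UTC timestamp: {value!r}")
    return parsed.astimezone(timezone.utc)


def to_api_time(moment: datetime) -> str:
    """Serialise an aware datetime in the new Z form."""
    if moment.tzinfo is None:
        raise ValueError("refusing to serialise a naive datetime")
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    old = parse_api_time("2021-07-20T21:12:18-00:00")
    new = parse_api_time("2021-07-20T21:12:18Z")
    print(old == new, to_api_time(old))
```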

: Changes to HTTP Approval and Automatically-Added Hostname

When using HTTP approval with single-hostname certificates from SSLMate Basic, it is now necessary to explicitly validate both the original hostname and the automatically-added second hostname. If you use HTTP approval with SSLMate Basic, you may need to make some changes to your issuance procedures. Please see the document describing the changes and get in touch if you need assistance.

: HTTP Approval No Longer Acceptable for Wildcards

When acquiring certificates through SSLMate, it is no longer possible to use HTTP approval to validate wildcard domains. Any newly-issued or renewed certificates must instead use DNS or email approval to validate wildcard domains.

If your account currently has an active wildcard certificate that was validated using HTTP approval: you have a temporary exception to this change until 2021-09-01 00:00 UTC to give you time to adapt your issuance procedures. If you need any help or advice, please get in touch.

Why this change is being made: since HTTP validation proves control over a single hostname, it does not provide adequate security for wildcard certificates, which certify an entire domain namespace. We expect that the CA/Browser Forum (the industry group that regulates the issuance of certificates) will ban the use of HTTP validation for wildcards in the near future. We are announcing the change now to give our customers time to adapt.

: Monitor and Automate MTA-STS with Cert Spotter

Cert Spotter now automatically monitors your domains for MTA-STS problems, and can optionally automate the publication of correct MTA-STS policies. Read our blog post to learn more.

: Adjustments to Auto-Renewal Schedule

Certificates managed by SSLMate Agent will now be renewed using the following schedule:

  • Let's Encrypt certificates will be renewed 60 days before expiration and deployed 30 days before expiration.
  • Sectigo certificates will be renewed 31 days before expiration and deployed 30 days before expiration.

Certificates not managed by SSLMate Agent will continue to auto-renew 30 days before expiration, as they do now.

This change is being made to provide consistency across all types of certificates: renewed certificates will always be deployed 30 days prior to expiration of the current certificate, regardless of the certificate's product type or whether it's managed by SSLMate Agent. Additionally, a 30 day deployment schedule aligns with Cert Spotter's default behavior to warn about certificates that are expiring in 28 days or less.

: Discontinuation of Cert Spotter APIv0

Nearly two years ago, we announced version 1 of the Cert Spotter API, featuring several improvements over version 0, such as incremental monitoring and the ability to tailor the response fields to suit your needs. We also announced that APIv0 would be turned off at a future date. Since most users have now upgraded to APIv1, and we are no longer developing APIv0, we are now ready to announce our discontinuation plans for APIv0.

Effective immediately, newly-created accounts and accounts which have not recently used APIv0 will need to specify a special query string parameter to use APIv0.

Starting November 2, 2020, we will begin periodic "brownouts" of APIv0. For one hour a day, some or all APIv0 requests will return an error.

On February 2, 2021, we will disable APIv0 entirely.

If you are still using APIv0, we recommend upgrading to APIv1 as soon as possible. Please get in touch if you have any questions as you make the transition.

: Cleanup of Monitored and Excluded Sub-Domains

Automatically discovered sub-domains are now automatically removed from your monitored endpoint list once there are no more valid certificates or DNS records for the sub-domain. This keeps your endpoint list tidy and ensures you aren't paying to monitor sub-domains that no longer exist.

Additionally, the settings page now has a button to remove sub-domain exclusions that are no longer necessary because the excluded sub-domain no longer exists.

: 30 Day Auto-Renewal Period

Certificates expiring on or after 2020-09-24 with auto-renew enabled will be renewed 30 days before expiration instead of the current 60 days. The notice of upcoming renewal will be sent 37 days before expiration instead of 67 days.

This change is being made to comply with the 398 day maximum certificate lifetime instituted by Apple, Chrome, and Mozilla. Previously, SSLMate would issue renewed certificates with a 425 (365 + 60) day lifetime to ensure a new expiration date exactly one year after the current expiration date. Now, we will issue renewed certificates with a 395 (365 + 30) day lifetime.

For certificates managed by SSLMate Agent, we will wait 15 days before deploying the renewed certificate rather than the current 30 days. This will allow your server to tolerate a client clock skew of up to 15 days.

: Push Notifications

You can now receive realtime push notifications when Cert Spotter discovers an unknown certificate, or when SSLMate issues you a certificate. Requires Android, Chrome OS, or a modern desktop browser. (Unfortunately, iOS does not support the Web Push standard.)

Visit your push notifications page to configure.

: Flexible Email Routing

If you subscribe to the Startup or Business plans, you can now route certain account emails to alternative email addresses:

  • Invoices
  • Unknown certificate alerts
  • Daily summary about expirations detected by Cert Spotter

For example, you could route invoices to your accountant, unknown certificate alerts to your security team, and the expiration emails to your infrastructure team.

Visit your email preferences page to configure.

: Account Audit Logs

SSLMate now keeps an audit log of the following account actions:

  • Login
  • Change password
  • Change email address
  • Add/remove security key

Log entries are retained for at least 7 days, depending on the plan you are subscribed to. (The business plan offers unlimited retention.)

: Cert Spotter: Use CAA records to authorize certificate issuance

You can now configure Cert Spotter to consult CAA records when deciding if a certificate is authorized. Visit your Cert Spotter settings to enable. Read our blog post for details.

: Fixed Bug Affecting 2FA with YubiKey 5

This week, we fixed a bug with two factor authentication which prevented the YubiKey 5 series (and possibly other security keys that support FIDO2) from being added to your account. If you had trouble adding a security key to your account, we recommend trying again.

: Cert Spotter: Improved wildcard handling

Cert Spotter now considers wildcard certificates when monitoring a hostname. For example, if you are monitoring, Cert Spotter will examine certificates for * when looking for expiring and unauthorized certificates.

: Phishing-Proof Two Factor Authentication

You can now use security keys such as the YubiKey as a second, phishing-proof authentication factor for your SSLMate account. Visit your account settings to enable.

We plan to support passwordless authentication in the near future.

: Cert Spotter: Yearly Subscriptions

Cert Spotter can now be purchased on a yearly basis. If you're currently a subscriber, you can switch to a yearly plan.

: Preview: Cert Spotter: API to Add/Remove Monitored Domains

We're testing out an API for programmatically adding/removing the domains that are monitored by Cert Spotter. Please contact us if you are interested.

: Preview: Cert Spotter API: Firehose

We're testing out a firehose option for the Cert Spotter API to allow you to ingest all new certificates from public Certificate Transparency logs, using one convenient API endpoint. Please contact us if you are interested.

: Cert Spotter: expiration threshold can now be configured

You can now configure the number of days before expiration at which Cert Spotter begins alerting about an expiring certificate. (Previously, it was always 30 days.)

: Cert Spotter: sub-domain inclusion/exclusion can now be configured

When adding a monitored domain, you can now choose whether or not sub-domains should also be monitored. (Previously, sub-domains were always monitored.)

When adding an excluded sub-domain, you can now choose whether or not sub-domains of the excluded sub-domain should also be excluded. (Previously, sub-sub-domains were never excluded.)

: Change Log

SSLMate now has a change log that lists new features and other notable changes.