It is no longer possible to approve certificates by receiving an email to an email address listed in a WHOIS record. You may request a temporary exception from this change until June 15, 2025 by contacting support. Accounts with an active certificate that was approved using a WHOIS email address have been granted this exception automatically. However, after June 15, 2025, a different method must be used to approve certificates.

Why this change is happening: security research uncovered flaws in the use of WHOIS for certificate validation. In response, the CA/Browser Forum voted to sunset the use of WHOIS email addresses.

Cert Spotter now detects when an endpoint uses both RSA and Elliptic Curve (ECDSA) certificates. Both certificates are displayed on the endpoint page, and Cert Spotter will alert you if there is a problem with either certificate. (Previously, Cert Spotter would only detect ECDSA certificates in this scenario.)

You can now disable certificate installation monitoring on a per-domain basis, without disabling monitoring for unauthorized certificates. Visit your Cert Spotter settings and click the "Settings" link next to the domain. Scroll down and select "Do not monitor for certificate installation".

SSLMate now integrates with Azure DNS to automatically publish DNS approval records and discover domains to monitor with Cert Spotter. If you host your domain's DNS with Azure, you can set up an integration by visiting your integrations page.

The Certificate Transparency Search API's issuance object now includes two new fields, pubkey and pubkey_der, that provide information about the certificate's public key (such as algorithm and bit length). These fields are only present if expanded. See the documentation for details.

Do you have requests for other fields that would be useful? Let us know!

Cert Spotter can now monitor certificate installation on any combination of port numbers, including SMTP ports that use STARTTLS. (Support for more STARTTLS protocols is planned.)

Custom port monitoring is available on the Startup plan and higher. To set up, visit your Cert Spotter settings and click the "Settings" link next to the domain whose ports you want to customize. By default, it will affect sub-domains too. If you want to set a custom port for just a sub-domain, you can add the sub-domain to your watch list (uncheck the "also monitor sub-domains" box) and then click the "Settings" link for the sub-domain; the port settings will override the domain-wide settings.

If you have domains that use anycast IP addresses or DNS-based load balancing, certificate installation problems might only be visible in some parts of the world. These problems can be tricky to debug, but Cert Spotter can now help by monitoring your domains from 10 different locations spread across every continent except Antarctica.

Multiple vantage point monitoring is available and automatically enabled on the Business plan.

You can now configure Cert Spotter to send an HTTP POST request to your server when it detects an unknown certificate. Read the documentation or visit your account settings to add a webhook.

You can now receive Slack notifications of the following events:

• Cert Spotter detects an unknown certificate
• Cert Spotter detects a problem with a certificate's installation
• SSLMate issues you a certificate

The unknown certificate notifications are interactive, and contain a button to acknowledge the certificate to let your teammates know that the certificate is legitimate.

To set up Slack notifications, visit your account settings.

You can now configure the expiration threshold (number of days before expiration when Cert Spotter begins warning you about an expiring certificate) on a per-domain basis.

To configure a domain's expiration threshold, visit your Cert Spotter settings and click the appropriate Settings link in your Monitored Domains list.

If you want to configure the expiration threshold for a sub-domain of one of your monitored domains (e.g. example.com should be 30 days, but blog.example.com should be 15 days), then you'll need to first add the sub-domain to your monitored domains list, and then change the settings for the newly-added sub-domain. The settings for the sub-domain will override the settings for the parent domain.

You can integrate Cert Spotter with your DNS provider, and several times a day we will sync the domains in your DNS account to your Cert Spotter watch list. Visit your integrations page to get started. We currently support Cloudflare, DNSimple, DNS Made Easy, DigitalOcean, Gandi, Google Cloud DNS, Linode, Name.com, NS1, and Route 53, and can add support for any provider with a suitable API (contact us to request support for your provider).

You can now use a simple REST API to add, remove, and list domains on your Cert Spotter watch list. Check out the API docs.

SSLMate now integrates with Name.com to automatically publish DNS approval records, making it easier to issue and renew certificates. If you host your domain's DNS with Name.com, you can set up an integration by visiting your integrations page.

The Certificate Transparency Search API's issuer object now includes the following fields to help you better identify certificate issuers:

• friendly_name - the name of the organization which issued the certificate. This field is more accurate and helpful than the existing name field.
• website (only present if expanded) - the URL of the issuer's website
• caa_domains (only present if expanded) - the domain names which can be placed in a CAA record to authorize the issuer
• operator (only present if expanded) - information about the organization which controls the issuer's private key
• name_der (only present if expanded) - the issuer's DER-encoded distinguished name
• pubkey_der (only present if expanded) - the issuer's DER-encoded public key

The issuance object now includes the following fields:

• problem_reporting (only present if expanded) - instructions on how to request the certificate be revoked
• cert_sha256 - the SHA-256 certificate fingerprint (previously found in the cert sub-object)
• cert_der (only present if expanded) - the DER-encoded certificate (previously found in the cert sub-object)

SSLMate now integrates with Gandi to automatically publish DNS approval records, making it easier to issue and renew certificates. If you host your domain's DNS with Gandi, you can set up an integration by visiting your integrations page.

The Certificate Transparency Search API's issuance object now includes a boolean field named revoked that indicates if the certificate is revoked. This field is generally true or false, but in rare cases (discussed in the API docs), it may be null if the revocation status of the certificate is unknown.

If you include expand=revocation in the query string, the issuance object will also include a field named revocation containing additional details, such as the time of and reason for the revocation. See the API docs for details.

Your account can now have more than one API key, and you can restrict API keys to specific operations, so that your API clients have no more permissions than necessary.

To manage your API keys, visit your API Keys page.

Note that API keys are now prefixed with a k (e.g. k1234_5NPqGgwWU6AJu6 instead of 1234_5NPqGgwWU6AJu6). For backwards compatibility, the old format (without the k) is still accepted for existing API keys.

You can now configure authorized certificate authorities on a per-domain basis. For example, you can express that your domain example.com uses Sectigo certificates, but example.net uses Let's Encrypt.

To configure a domain's authorized CA list, visit your Cert Spotter settings and click the appropriate Settings link in your Monitored Domains list.

If you want to configure the authorized CAs for a sub-domain of one of your monitored domains (e.g. example.com uses Sectigo, but blog.example.com uses Let's Encrypt), then you'll need to first add the sub-domain to your monitored domains list, and then change the settings for the newly-added sub-domain. The settings for the sub-domain will override the settings for the parent domain.

As of SSLMate CLI 1.9.0, client-side DNS approval handlers are deprecated and will be removed in SSLMate CLI 2 in favor of SSLMate's server-side DNS integration system. If you use DNS to automatically approve certificates, please integrate your SSLMate account with your DNS provider if you haven't done so already.

Previously, SSLMate's APIs returned times with an "unknown" timezone (represented by -00:00 per RFC 3339 syntax). This was unintentional, since the times are known to be UTC. Therefore, the APIs now return times with a UTC timezone (represented by Z).

Old: 2021-07-20T21:12:18-00:00

New: 2021-07-20T21:12:18Z

When using HTTP approval with single-hostname certificates from SSLMate Basic, it is now necessary to explicitly validate both the original hostname and the automatically-added second hostname. If you use HTTP approval with SSLMate Basic, you may need to make some changes to your issuance procedures. Please see the document describing the changes and get in touch if you need assistance.

When acquiring certificates through SSLMate, it is no longer possible to use HTTP approval to validate wildcard domains. Any newly-issued or renewed certificates must instead use DNS or email approval to validate wildcard domains.

If your account currently has an active wildcard certificate that was validated using HTTP approval: you have a temporary exception to this change until 2021-09-01 00:00 UTC to give you time to adapt your issuance procedures. If you need any help or advice, please get in touch.

Why this change is being made: since HTTP validation proves control over a single hostname, it does not provide adequate security for wildcard certificates, which certify an entire domain namespace. We expect that the CA/Browser Forum (the industry group that regulates the issuance of certificates) will ban the use of HTTP validation for wildcards in the near future. We are announcing the change now to give our customers time to adapt.

Cert Spotter now automatically checks your endpoints for compliance with browser Certificate Transparency policies and will alert you if an endpoint is not compliant. You generally don't need to worry about Certificate Transparency policy compliance since it's your certificate authority's job, but a recent change to Apple's Certificate Transparency policy caught some certificate authorities off-guard.

Cert Spotter now automatically monitors your domains for MTA-STS problems, and can optionally automate the publication of correct MTA-STS policies. Read our blog post to learn more.

Certificates managed by SSLMate Agent will now be renewed using the following schedule:

• Let's Encrypt certificates will be renewed 60 days before expiration and deployed 30 days before expiration.
• Sectigo certificates will be renewed 31 days before expiration and deployed 30 days before expiration.

Certificates not managed by SSLMate Agent will continue to auto-renew 30 days before expiration, as now.

This change is being made to provide consistency across all types of certificates: renewed certificates will always be deployed 30 days prior to expiration of the current certificate, regardless of the certificate's product type or whether it's managed by SSLMate Agent. Additionally, a 30 day deployment schedule aligns with Cert Spotter's default behavior to warn about certificates that are expiring in 28 days or less.

Nearly two years ago, we announced version 1 of the Cert Spotter API, featuring several improvements over version 0, such as incremental monitoring and the ability to tailor the response fields to suit your needs. We also announced that APIv0 would be turned off at a future date. Since most users have now upgraded to APIv1, and we are no longer developing APIv0, we are now ready to announce our discontinuation plans for APIv0.

Effective immediately, newly-created accounts and accounts which have not recently used APIv0 will need to specify a special query string parameter to use APIv0.

Starting November 2, 2020, we will begin periodic "brownouts" of APIv0. For one hour a day, some or all APIv0 requests will return an error.

On February 2, 2021, we will disable APIv0 entirely.

If you are still using APIv0, we recommend upgrading to APIv1 as soon as possible. Please get in touch if you have any questions as you make the transition.

Automatically discovered sub-domains are now automatically removed from your monitored endpoint list once there are no more valid certificates or DNS records for the sub-domain. This keeps your endpoint list tidy and ensures you aren't paying to monitor sub-domains that no longer exist.

Additionally, the settings page now has a button to remove sub-domain exclusions that are no longer necessary because the excluded sub-domain no longer exists.

Certificates expiring on or after 2020-09-24 with auto-renew enabled will be renewed 30 days before expiration instead of the current 60 days. The notice of upcoming renewal will be sent 37 days before expiration instead of 67 days.

This change is being made to comply with the 398 day maximum certificate lifetime instituted by Apple, Chrome, and Mozilla. Previously, SSLMate would issue renewed certificates with a 425 (365 + 60) day lifetime to ensure a new expiration date exactly one year after the current expiration date. Now, we will issue renewed certificates with a 395 (365 + 30) day lifetime.

For certificates managed by SSLMate Agent, we will wait 15 days before deploying the renewed certificate rather than the current 30 days. This will allow your server to tolerate a client clock skew of up to 15 days.

You can now receive realtime push notifications when Cert Spotter discovers an unknown certificate, or when SSLMate issues you a certificate. Requires Android, Chrome OS, or a modern desktop browser. (Unfortunately, iOS does not support the Web Push standard.)

Visit your push notifications page to configure.

If you subscribe to the Startup or Business plans, you can now route certain account emails to alternative email addresses:

• Invoices
• Unknown certificate alerts
• Daily summary about expirations detected by Cert Spotter

For example, you could route invoices to your accountant, unknown certificate alerts to your security team, and the expiration emails to your infrastructure team.

Visit your email preferences page to configure.

SSLMate now keeps an audit log of the following account actions:

• Login
• Change password
• Change email address
• Add/remove security key

Logs entries are retained for at least 7 days, depending on the plan you are subscribed to. (The business plan offers unlimited retention.)

You can now configure Cert Spotter to consult CAA records when deciding if a certificate is authorized. Visit your Cert Spotter settings to enable. Read our blog post for details.

This week, we fixed a bug with two factor authentication which prevented the YubiKey 5 series (and possibly other security keys that support FIDO2) from being added to your account. If you had trouble adding a security key to your account, we recommend trying again.

Cert Spotter now considers wildcard certificates when monitoring a hostname. For example, if you are monitoring www.example.com, Cert Spotter will examine certificates for *.example.com when looking for expiring and unauthorized certificates.

You can now use security keys such as the YubiKey as a second, phishing-proof authentication factor for your SSLMate account. Visit your account settings to enable.

We plan to support passwordless authentication in the near future.

Cert Spotter can now be purchased on a yearly basis. If you're currently a subscriber, you can switch to a yearly plan.

We're testing out an API for programatically adding/removing the domains that are monitored by Cert Spotter. Please contact us if you are interested.

We're testing out a firehose option for the Cert Spotter API to allow you to ingest all new certificates from public Certificate Transparency logs, using one convenient API endpoint. Please contact us if you are interested.

You can now configure the number of days before expiration at which Cert Spotter begins alerting about an expiring certificate. (Previously, it was always 30 days.)

When adding a monitored domain, you can now choose whether or not sub-domains should also be monitored. (Previously, sub-domains were always monitored.)

When adding an excluded sub-domain, you can now choose whether or not sub-domains of the excluded sub-domain should also be excluded. (Previously, sub-sub-domains were never excluded.)

SSLMate now has a change log that lists new features and other notable changes.