SSLMate Change Log

This page lists new features and other notable changes in reverse chronological order. Stay up-to-date by subscribing with RSS or email.

: View and Delete Authorized Public Keys

You can now view and delete the public keys which Cert Spotter considers known/authorized on a single page under your Cert Spotter settings. To keep the list tidy, you can click a button that will delete entries for public keys which are no longer used by any of your unexpired certificates.

: Discontinuation of WHOIS-based Certificate Approval

It is no longer possible to approve certificates by receiving an email to an email address listed in a WHOIS record. You may request a temporary exception from this change until June 15, 2025 by contacting support. Accounts with an active certificate that was approved using a WHOIS email address have been granted this exception automatically. However, after June 15, 2025, a different method must be used to approve certificates.

Why this change is happening: security research uncovered flaws in the use of WHOIS for certificate validation. In response, the CA/Browser Forum voted to sunset the use of WHOIS email addresses.

: Monitoring of Dual RSA/ECDSA Configurations

Cert Spotter now detects when an endpoint uses both RSA and Elliptic Curve (ECDSA) certificates. Both certificates are displayed on the endpoint page, and Cert Spotter will alert you if there is a problem with either certificate. (Previously, Cert Spotter would only detect ECDSA certificates in this scenario.)

: Disable Installation Monitoring for a Domain

You can now disable certificate installation monitoring on a per-domain basis, without disabling monitoring for unauthorized certificates. Visit your Cert Spotter settings and click the "Settings" link next to the domain. Scroll down and select "Do not monitor for certificate installation".

: Azure DNS Integration

SSLMate now integrates with Azure DNS to automatically publish DNS approval records and discover domains to monitor with Cert Spotter. If you host your domain's DNS with Azure, you can set up an integration by visiting your integrations page.

: Public Key Details in Certificate Transparency Search API

The Certificate Transparency Search API's issuance object now includes two new fields, pubkey and pubkey_der, that provide information about the certificate's public key (such as algorithm and bit length). These fields are only present if expanded. See the documentation for details.

Do you have requests for other fields that would be useful? Let us know!

: Monitor Custom Ports with Cert Spotter

Cert Spotter can now monitor certificate installation on any combination of port numbers, including SMTP ports that use STARTTLS. (Support for more STARTTLS protocols is planned.)

Custom port monitoring is available on the Startup plan and higher. To set up, visit your Cert Spotter settings and click the "Settings" link next to the domain whose ports you want to customize. By default, it will affect sub-domains too. If you want to set a custom port for just a sub-domain, you can add the sub-domain to your watch list (uncheck the "also monitor sub-domains" box) and then click the "Settings" link for the sub-domain; the port settings will override the domain-wide settings.

: Monitoring from Multiple Vantage Points

If you have domains that use anycast IP addresses or DNS-based load balancing, certificate installation problems might only be visible in some parts of the world. These problems can be tricky to debug, but Cert Spotter can now help by monitoring your domains from 10 different locations spread across every continent except Antarctica.

Multiple vantage point monitoring is available and automatically enabled on the Business plan.

: Receive Unknown Certificate Notifications by Webhook

You can now configure Cert Spotter to send an HTTP POST request to your server when it detects an unknown certificate. Read the documentation or visit your account settings to add a webhook.

: Receive Notifications in Slack

You can now receive Slack notifications of the following events:

  • Cert Spotter detects an unknown certificate
  • Cert Spotter detects a problem with a certificate's installation
  • SSLMate issues you a certificate

The unknown certificate notifications are interactive, and contain a button to acknowledge the certificate to let your teammates know that the certificate is legitimate.

To set up Slack notifications, visit your account settings.

: Cert Spotter: Configure Expiration Threshold on a Per-(Sub-)Domain Basis

You can now configure the expiration threshold (number of days before expiration when Cert Spotter begins warning you about an expiring certificate) on a per-domain basis.

To configure a domain's expiration threshold, visit your Cert Spotter settings and click the appropriate Settings link in your Monitored Domains list.

If you want to configure the expiration threshold for a sub-domain of one of your monitored domains (e.g. example.com should be 30 days, but blog.example.com should be 15 days), then you'll need to first add the sub-domain to your monitored domains list, and then change the settings for the newly-added sub-domain. The settings for the sub-domain will override the settings for the parent domain.

: DNS Integrations for Cert Spotter

You can integrate Cert Spotter with your DNS provider, and several times a day we will sync the domains in your DNS account to your Cert Spotter watch list. Visit your integrations page to get started. We currently support Cloudflare, DNSimple, DNS Made Easy, DigitalOcean, Gandi, Google Cloud DNS, Linode, Name.com, NS1, and Route 53, and can add support for any provider with a suitable API (contact us to request support for your provider).

: Cert Spotter Monitored Domains API

You can now use a simple REST API to add, remove, and list domains on your Cert Spotter watch list. Check out the API docs.

: Name.com DNS Integration

SSLMate now integrates with Name.com to automatically publish DNS approval records, making it easier to issue and renew certificates. If you host your domain's DNS with Name.com, you can set up an integration by visiting your integrations page.

: CT Search API: Detailed Issuer Information and Other Improvements

The Certificate Transparency Search API's issuer object now includes the following fields to help you better identify certificate issuers:

  • friendly_name - the name of the organization which issued the certificate. This field is more accurate and helpful than the existing name field.
  • website (only present if expanded) - the URL of the issuer's website
  • caa_domains (only present if expanded) - the domain names which can be placed in a CAA record to authorize the issuer
  • operator (only present if expanded) - information about the organization which controls the issuer's private key
  • name_der (only present if expanded) - the issuer's DER-encoded distinguished name
  • pubkey_der (only present if expanded) - the issuer's DER-encoded public key

The issuance object now includes the following fields:

  • problem_reporting (only present if expanded) - instructions on how to request the certificate be revoked
  • cert_sha256 - the SHA-256 certificate fingerprint (previously found in the cert sub-object)
  • cert_der (only present if expanded) - the DER-encoded certificate (previously found in the cert sub-object)

: Gandi DNS Integration

SSLMate now integrates with Gandi to automatically publish DNS approval records, making it easier to issue and renew certificates. If you host your domain's DNS with Gandi, you can set up an integration by visiting your integrations page.

: Revocation Information in the CT Search API

The Certificate Transparency Search API's issuance object now includes a boolean field named revoked that indicates if the certificate is revoked. This field is generally true or false, but in rare cases (discussed in the API docs), it may be null if the revocation status of the certificate is unknown.

If you include expand=revocation in the query string, the issuance object will also include a field named revocation containing additional details, such as the time of and reason for the revocation. See the API docs for details.
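The tri-state revoked field described above is easy to mishandle: a plain truthiness check treats null (unknown) the same as false. The following is an added example, not SSLMate's code, showing one way a client can keep the three states apart when checking whether unauthorized certificates have actually been revoked. The sample objects are constructed, and the id, time and reason field names are assumptions.

```python
import json

# Constructed sample of issuance objects fetched with expand=revocation.
# "revoked" and "revocation" are named in the change log; "id", "time" and
# "reason" (an RFC 5280 CRL reason code) are assumptions for this example.
SAMPLE_ISSUANCES = json.loads("""
[
  {"id": "1001", "revoked": false, "revocation": {"time": null, "reason": null}},
  {"id": "1002", "revoked": true,
   "revocation": {"time": "2021-07-20T21:12:18Z", "reason": 1}},
  {"id": "1003", "revoked": null, "revocation": {"time": null, "reason": null}},
  {"id": "1004"}
]
""")

# CRLReason values from RFC 5280 section 5.3.1 (subset).
CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 4: "superseded",
               5: "cessationOfOperation"}


def revocation_state(issuance):
    """Map the tri-state "revoked" field to 'revoked', 'not_revoked' or 'unknown'."""
    value = issuance.get("revoked")  # absent field and JSON null both give None
    if value is True:
        return "revoked"
    if value is False:
        return "not_revoked"
    return "unknown"  # never fold this into "not_revoked"


def describe(issuance):
    """One-line summary suitable for a ticket or alert."""
    state = revocation_state(issuance)
    if state != "revoked":
        return f"{issuance['id']}: {state}"
    details = issuance.get("revocation") or {}
    reason = CRL_REASONS.get(details.get("reason"), "reason not given")
    return f"{issuance['id']}: revoked at {details.get('time')} ({reason})"


def still_needs_revocation(issuances, unauthorized_ids):
    """IDs of unauthorized certificates that are not confirmed revoked."""
    return [i["id"] for i in issuances
            if i["id"] in unauthorized_ids and revocation_state(i) != "revoked"]


if __name__ == "__main__":
    for item in SAMPLE_ISSUANCES:
        print(describe(item))
    print(still_needs_revocation(SAMPLE_ISSUANCES, {"1002", "1003", "1004"}))
```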

: Flexible API Key Permissions

Your account can now have more than one API key, and you can restrict API keys to specific operations, so that your API clients have no more permissions than necessary.

To manage your API keys, visit your API Keys page.

Note that API keys are now prefixed with a k (e.g. k1234_5NPqGgwWU6AJu6 instead of 1234_5NPqGgwWU6AJu6). For backwards compatibility, the old format (without the k) is still accepted for existing API keys.

: Cert Spotter: Configure Authorized CAs on a Per-(Sub-)Domain Basis

You can now configure authorized certificate authorities on a per-domain basis. For example, you can express that your domain example.com uses Sectigo certificates, but example.net uses Let's Encrypt.

To configure a domain's authorized CA list, visit your Cert Spotter settings and click the appropriate Settings link in your Monitored Domains list.

If you want to configure the authorized CAs for a sub-domain of one of your monitored domains (e.g. example.com uses Sectigo, but blog.example.com uses Let's Encrypt), then you'll need to first add the sub-domain to your monitored domains list, and then change the settings for the newly-added sub-domain. The settings for the sub-domain will override the settings for the parent domain.

: API Date/Times Now in UTC

Previously, SSLMate's APIs returned times with an "unknown" timezone (represented by -00:00 per RFC 3339 syntax). This was unintentional, since the times are known to be UTC. Therefore, the APIs now return times with a UTC timezone (represented by Z).

Old: 2021-07-20T21:12:18-00:00

New: 2021-07-20T21:12:18Z
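A client that cached timestamps before this change and compares them as strings will see every certificate as modified. The following is an added example, not SSLMate's code, that parses both forms to the same UTC instant and diffs records by value. The records are constructed, and the not_before and not_after field names are assumptions.

```python
from datetime import datetime, timezone


def parse_api_time(value):
    """Parse an API time in the old (-00:00) or new (Z) form as aware UTC."""
    text = value.strip()
    if text[-1:] in ("Z", "z"):
        # datetime.fromisoformat() only accepts a Z suffix from Python 3.11 on.
        text = text[:-1] + "+00:00"
    elif text.endswith("-00:00"):
        # RFC 3339 "unknown local offset"; the change log says these were UTC.
        text = text[:-6] + "+00:00"
    parsed = datetime.fromisoformat(text)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {value!r}")
    return parsed.astimezone(timezone.utc)


def changed_fields(stored, fresh, time_fields=("not_before", "not_after")):
    """Names of fields that really differ; time fields compare as instants."""
    changed = []
    for key in sorted(set(stored) | set(fresh)):
        old, new = stored.get(key), fresh.get(key)
        if key in time_fields and old is not None and new is not None:
            if parse_api_time(old) != parse_api_time(new):
                changed.append(key)
        elif old != new:
            changed.append(key)
    return changed


# Constructed records: the same certificate as cached before the change and
# as returned after it. The time field names are assumptions for this example.
STORED = {"cert_sha256": "<placeholder>",
          "not_before": "2021-07-20T21:12:18-00:00",
          "not_after": "2021-10-18T21:12:17-00:00"}
FRESH = {"cert_sha256": "<placeholder>",
         "not_before": "2021-07-20T21:12:18Z",
         "not_after": "2021-10-18T21:12:17Z"}

if __name__ == "__main__":
    print(changed_fields(STORED, FRESH))                # compared as instants
    print(STORED["not_before"] == FRESH["not_before"])  # naive string compare
```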

: Changes to HTTP Approval and Automatically-Added Hostname

When using HTTP approval with single-hostname certificates from SSLMate Basic, it is now necessary to explicitly validate both the original hostname and the automatically-added second hostname. If you use HTTP approval with SSLMate Basic, you may need to make some changes to your issuance procedures. Please see the document describing the changes and get in touch if you need assistance.

: HTTP Approval No Longer Acceptable for Wildcards

When acquiring certificates through SSLMate, it is no longer possible to use HTTP approval to validate wildcard domains. Any newly-issued or renewed certificates must instead use DNS or