Guide to SSL
Last modified: January 27, 2020
SSL/TLS (Secure Sockets Layer/Transport Layer Security) encrypts information between a visitor’s browser and a server. These protocols protect against electronic eavesdroppers. This also protects sensitive communications (for example, credit card numbers and login information).
Both of these protocols initiate a handshake, during which your server and the user’s computer agree on specific conditions. These conditions include a set of public and private keys. Both computers use these keys to encrypt and decrypt messages transmitted during communication.
We support Transport Layer Security (TLS) protocol version 1.2 and TLS version 1.3.
- We strongly recommend that you enable TLSv1.2 on your server. Some clients don’t support TLSv1.3, which requires OpenSSL 1.1.1 or higher.
- We only support TLSv1.3 on systems that run cPanel & WHM version 86 or higher.
You can set up SSL/TLS for your server and configure how SSL/TLS certificates run in cPanel’s SSL/TLS interface (cPanel >> Home >> Security >> SSL/TLS).
cPanel, L.L.C. does not offer free signed or self-signed hostname certificates for cPanel DNSOnly™ servers.
An SSL certificate is an electronic document that uses the
.crt file extension. The certificate verifies a website visitor’s identity before sending encrypted data. The following are common parts of a certificate:
- Issuer — The Certificate Authority who issued the certificate.
- Public key — The public part of the certificate owner’s key for this certificate. The public key works together with the private key to confirm the identity and validity of the certificate.
- Validity date range — The period of time a certificate is valid, listing both a start and an end date.
- Domain list — A list of domains that the certificate secures. The certificate classifies these as either Common Names (CNs) or Subject Alternative Names (SANs).
SSL certificates interpret domain names literally. For example, SSL interprets
example.comas two different domains.
- Signature — The certificate contents and a private key create the signature. An SSL client uses this signature and the issuer’s public key to verify that the issuer created this certificate.
You can list a certificate’s full contents with the
openssl x509 command, where
certificate.crt represents the certificate name:
openssl x509 -in certificate.crt -text -noout
When you work with SSL, you may encounter the following types of SSL certificates:
Single-domain — This certificate type secures a single domain or subdomain.
Multi-domain — This certificate type secures many domains with one certificate. A common multi-domain certificate is the UC/SAN (Unified Communications/Subject Alternate Name) certificate.Note:
To add more domains to your multi-domain certificate, the issuing authority must reissue the certificate.
Shared SSL — This certificate type allows you to secure multiple domains with the same SSL certificate.Note:
As of cPanel & WHM version 76, we do not support this type of certificate.
Wildcard — This certificate type secures any number of subdomains on a single certificate for a single domain. For example, you can use a wildcard certificate for
*.example.comto securely connect to
www.example.combut not to
You can apply a wildcard certificate to services in WHM’s Manage Service SSL Certificates interface (WHM >> Home >> Service Configuration >> Manage Service SSL Certificates).
rootuser may install a wildcard certificate on a collection of subdomains for a single top-level domain on multiple IP addresses. If this configuration uses multiple IP addresses, a user on the server cannot own the top-level domain.
Self-signed — This certificate type does not verify the identity of the server and does not require a Certificate Authority. These certificates are not secure. You can create a self-signed SSL certificate in WHM’s Generate an SSL Certificate and Signing Request interface (WHM >> Home >> SSL/TLS >> Generate an SSL Certificate and Signing Request).Important:
Self-signed certificates do not verify the site’s identity. Visitors’ browsers will generally display a warning when they attempt to access the site.
Self-signed certificates may be appropriate if your website only handles minimally-sensitive data. If your website handles any sensitive data, we strongly recommend that you use a signed certificate.
Server Name Indication (SNI) support allows you to host multiple SSL certificates for different domains on the same IP address. At the beginning of the handshake process, SNI indicates the hostname to which the client connects. Users on shared servers that support SNI can install their own certificates without a dedicated IP address.
cPanel & WHM servers do not support SNI for the FTP service.
Your Certificate Authority (CA) is the trusted third-party entity that issues your SSL certificates.
CA bundle files
Generally, when you buy an SSL certificate, the CA will send you a URL to download a CA bundle file. This file contains the following details about the SSL certificate:
The CA that issued the certificate.
Any certificates of the CA.
The chain of trust for the issuer.Note:
A CA can vouch for other CAs, which results in a chain of trust. For a CA to sell certificates, another CA must vouch for them.
Certificate Revocation Lists (CRLs).
Browsers include a list of trusted CAs, and they use the list to determine whether to trust a specific CA.
A Certification Authority Authorization (CAA) record specifies which CAs may issue certificates for a domain. If no CAA records exist for a domain, all CAs can issue certificates for that domain. You can manage CAA records through WHM’s Edit DNS Zone interface (WHM >> Home >> DNS Functions >> Edit DNS Zone) or through cPanel’s Zone Editor interface (cPanel >> Home >> Domains >> Zone Editor).
If conflicting CAA records already exist, you must either remove the current CAA records or add one for the desired CAA. For example, a CAA record for Sectigo would resemble the following example, where
example.com represents the domain name:
example.com. 86400 IN CAA 0 issue "sectigo.com"
Similarly, a CAA record for Let’s Encrypt™ would resemble the following example, where
example.com represents the domain name:
example.com. 86400 IN CAA 0 issue "letsencrypt.com"
AutoSSL secures multiple domains with the assumption that all of the domains resolve to the same virtual host. A cPanel-issued AutoSSL certificate expires after 90 days. However, AutoSSL attempts to automatically replace that certificate before it expires.
You can use the cPanel (powered by Sectigo) provider to secure up to 1,000 domains per certificate.
AutoSSL does not renew certificates that contain wildcard domains.
AutoSSL does not issue certificates for websites on suspended accounts. You must first activate the account in order for AutoSSL to issue a certificate.
In cPanel & WHM version 64 and later, AutoSSL adds service and proxy subdomains to the SSL certificate in accordance with the sort algorithm. For more information about proxy subdomains, read our Service and Proxy Subdomains documentation.
AutoSSL uses a sort algorithm to establish which domains to add to the certificate first. This sort order ensures that the system adds the domains that customers will most likely visit to the certificate first. For example, customers most likely intend to navigate to
The default sort algorithm prioritizes domains in the following order:
Any fully-qualified domain names (FQDNs) that the virtual host’s current SSL certificate secures.
The primary domain on the cPanel account and its
Each addon domain and its
example.com), creates the
foo.comaddon domain. This addon domain, like all cPanel addon domains, exists on a separate virtual host with a subdomain. In this case, the system prioritizes
Domains with fewer dots. For example, AutoSSL would prioritize
AutoSSL only adds the
whmservice subdomain to the SSL certificate for reseller accounts.
The cPanel (powered by Sectigo) provider
By default, cPanel & WHM uses the cPanel (powered by Sectigo) provider. It is free and comes with your cPanel & WHM license.
The Let’s Encrypt plugin
Let’s Encrypt has the following limitations:
- A rate limit of 300 certificate orders every three hours.
- A weekly limit of 50 registered domains.
- A maximum of 100 subdomains per certificate.
- Limits the certificates it issues to a specific set of domains to five certificates per week. After this, Let’s Encrypt blocks any further certificates for that set of domains.
To work around this rate limit, create an alias to a domain in the virtual host list (website). Let’s Encrypt will interpret the virtual host as a new set of domains.
For more information about Let’s Encrypt’s rate limits, read their rate limit documentation.
Domain and rate limits
The AutoSSL feature includes some limitations and conditions. The following sections go over those limitations and conditions for AutoSSL.
A domain’s DNS zone may contain CAA records. These CAA records restrict which CAs may issue certificates for that domain. Your server’s DNS zone can have more than one CAA record to receive certificates from more than one CA.
If a CAA record for another provider already exists, you can remove that CAA record or add one for the desired CA.
If no CAA records exist for a domain, all CAs can issue certificates for that domain.
Domain control validation
AutoSSL only includes domains and subdomains that pass a domain control validation (DCV) test. DCV proves ownership of the domain.
Provider specific domain limits
Each AutoSSL provider may use a specific domain rate limit.
For example, both Let’s Encrypt and cPanel AutoSSL have different limits:
Certificates that Let’s Encrypt provides can secure a maximum of 100 domains per certificate.
Certificates that cPanel, L.L.C. provides through AutoSSL can secure a maximum of 1000 domains per certificate. The following table demonstrates these limitations for the cPanel AutoSSL provider:
|Virtual Host 1||Virtual Host 2||Result|
|1000 domains||AutoSSL generates one certificate for the account, which secures all 1000 domains.|
|1002 domains||AutoSSL generates one certificate for the account, which secures the 1000 first domains from the sort algorithm.|
|500 domains||500 domains||AutoSSL generates a certificate for each virtual host that secures all of the domains on that virtual host.|
|500 domains||502 domains||AutoSSL generates two certificates:
The default cPanel AutoSSL does not secure wildcard domains. However, Let’s Encrypt will secure wildcard domains.
Domain limit calculation
AutoSSL includes corresponding
www. domains for each domain and subdomain in the certificate. Those
www. domains count toward any domain or rate limits. For example, for the
example.com domain, AutoSSL automatically includes
www.example.com in the certificate.
If the corresponding
www.domain does not pass a DCV test, AutoSSL will not attempt to secure that
This method affects Let’s Encrypt’s limit of 50 certificates per week that may contain a domain or its subdomains.
Aliases count three times towards each certificate’s domains limit. When you create an alias domain, the system adds the following aliases to the original virtual host (where
aliasdomain.com represents the alias domain):
A virtual host may contain more domain names than the provider’s limit per certificate specifies. Any domain names in excess of that limit are not secured. AutoSSL uses a sort algorithm to determine the priority of domains to secure. For more information, read our AutoSSL sorting section above.
AutoSSL renewals and replacements
AutoSSL will not attempt to replace certificates that it did not issue. You can override this behavior if you enable the Allow AutoSSL to replace invalid or expiring non-AutoSSL certificates setting in WHM’s Manage AutoSSL interface (WHM >> Home >> SSL/TLS >> Manage AutoSSL). AutoSSL replaces certificates with overly-weak security settings (for example, an RSA modulus of 2048-bit or less).
Each AutoSSL provider may wait for a specific amount of time to replace an AutoSSL-provided certificate before it expires. For example:
AutoSSL attempts to renew certificates that cPanel, L.L.C. provides when they expire within 15 days.
AutoSSL attempts to renew certificates that Let’s Encrypt provides when they expire within 29 days.
Due to rate limits, AutoSSL prioritizes new certificates over the renewal of existing certificates.