The SSL Installation and Precedence Logic

apache ssl

Last modified: 2025 March 24

Overview

This document outlines how cPanel & WHM processes Secure Sockets Layer (SSL) certificate requests and how Apache processes SSL requests. We recommend this document for experienced systems administrators only.

Note:

This document refers to other services’ domain-indexed SSL storage as Domain TLS.
To purchase and install an SSL certificate, follow the directions in our Purchase and Install an SSL Certificate documentation.

Name-based and virtual host match

Most SSL-enabled services that WebPros International, LLC deploys support simple name-based SSL. When a client requests an SSL certificate for a specific domain, the service performs one of the following actions:

If the certificate exists, the service responds with a certificate that matches the requested domain.
If no certificate exists, the the system uses the service’s default SSL certificate.

Note:

FTP is the only service that does not support name-based SSL.

Service-default SSL certificates

Non-Apache services use default SSL certificates that administrators can manage via WHM. These services only serve the default SSL certificate to the client if no certificate in Domain TLS matches the client’s requested domain.

When the administrator installs a service-default SSL certificate, the system compares this certificate with the contents of Domain TLS. For each domain on the default certificate, the system installs that new certificate to Domain TLS. The system only performs this action if an SSL certificate with higher-grade identity assurance does not already exist on Domain TLS. This ensures that the system serves the highest-grade SSL certificate for each request for every non-Apache service.

Apache SSL certificates

Apache does not follow this logic. When a client requests an SSL certificate for a specific domain, Apache performs the following actions:

It establishes the virtual host that hosts the domain.
It responds with the certificate for that virtual host.

Note:

Apache cannot match a certificate directly with a domain, and offers the virtual host’s certificate even if the certificate does not match the domain. Apache serves the same certificate for any request that matches a given virtual host. Because of this limitation, Apache’s domain-indexed SSL storage differs from that of the other services.

For simplicity, cPanel & WHM only exposes a single set of API functions to install and remove SSL certificates. When a user or administrator installs an SSL certificate, that installation only applies to a specific Apache virtual host. This behavior impacts both Apache and services that support name-based SSL. After the Apache installation finishes, the system copies the certificate to Domain TLS for each domain on the virtual host that matches the certificate.

The system only copies the certificate to Domain TLS if the certificate passes OpenSSL’s validity check. This check occurs daily.
The system removes certificates from Domain TLS if they fail validation or are set to expire within one day.
Certificate removal follows the same pattern. The system removes Domain TLS entries for all domains on the virtual host that match the certificate.

Troubleshooting SSL certificates

If you experience issues with your SSL certificates, use our Troubleshoot SSL-Related Issues document to help solve those issues.