The SSL Installation and Precedence Logic
Last modified: January 27, 2020
- We recommend this document for experienced systems administrators only.
We support Transport Layer Security (TLS) protocol version 1.2 and TLS version 1.3.
- We strongly recommend that you enable TLSv1.2 on your server. Some clients don’t support TLSv1.3, which requires OpenSSL 1.1.1 or higher.
- We only support TLSv1.3 on systems that run cPanel & WHM version 86 or higher.
This document outlines how cPanel & WHM processes Secure Sockets Layer (SSL) certificate requests and how Apache processes SSL requests.
Name-based and virtual host match
Most SSL-enabled services that cPanel, L.L.C. deploys support simple name-based SSL. When a client requests an SSL certificate for a specific domain, the service performs one of the following actions:
- If the certificate exists, the service responds with a certificate that matches the requested domain.
- If no certificate exists, the the system uses the service’s default SSL certificate.
Apache SSL certificates
Apache does not follow this logic. When a client requests an SSL certificate for a specific domain’s SSL certificate, Apache performs the following actions:
- It establishes the virtual host that hosts the domain.
- It responds with the certificate for that virtual host.
For simplicity, cPanel & WHM only exposes a single set of API functions to install and remove SSL certificates. When a user or administrator installs an SSL certificate, that installation only applies to a specific Apache virtual host. This behavior impacts both Apache and services that support name-based SSL. After the Apache installation finishes, the system copies the certificate to Domain TLS for each domain on the virtual host that matches the certificate.
- The system only copies the certificate to Domain TLS if the certificate passes OpenSSL’s validity check. This check occurs daily.
- In cPanel & WHM version 66 and later, the system removes certificates from Domain TLS if they fail validation or are set to expire within one day.
- Certificate removal follows the same pattern. The system removes Domain TLS entries for all domains on the virtual host that match the certificate.
If your SSL certificate and key did not pair correctly, Apache cannot start with SSL enabled. To check whether they paired correctly, run the following commands, where
filename represents the certificate name:
Service-default SSL certificates
Non-Apache services use default SSL certificates that administrators can manage via WHM. These services only serve the default SSL certificate to the client if no certificate in Domain TLS matches the client’s requested domain.
In cPanel & WHM version 66 and later, when the administrator installs a service-default SSL certificate, the system compares this certificate with the contents of Domain TLS. For each domain on the default certificate, the system installs that new certificate to Domain TLS. The system only performs this action if an SSL certificate with higher-grade identity assurance does not already exist on Domain TLS. This ensures that the system serves the highest-grade SSL certificate for each request for every non-Apache service.