SSL performs several functions to help secure your server.
SSL/TLS (Secure Sockets Layer/Transport Layer Security) encrypts information between a visitor’s browser and a server. These protocols protect against electronic eavesdroppers. This also protects sensitive data (for example, credit card numbers, and login information) that you transmit over the Internet with SSL/TLS.
Both of these protocols initiate a “handshake”, during which your server and the user’s computer agree on specific conditions. These conditions include a set of public and private keys that the two computers use to encrypt and decrypt messages that they send during the secure session.
You can set up SSL/TLS for your server in cPanel's SSL/TLS interface (cPanel >> Home >> Security >> SSL/TLS). This interface allows you to configure how SSL/TLS certificates run on your server.
An SSL certificate is an electronic document that uses the
.crt file extension. This document binds a public key to an identity that consists of an email address, a company, and a location. The authentication process relies on this essential electronic document.
SSL certificates provide public information about the security of a domain, server, or service. The certificate consists of the following two parts to protect sensitive data:
The "chain of trust" for the issuer.
A CA can vouch for other CAs, which results in a "chain of trust." In order for a CA to sell certificates, another CA must vouch for them.
A CAA (Certification Authority Authorization) record specifies which CAs may issue certificates for a domain. If no CAA records exist for a domain, all CAs can issue certificates for that domain. If conflicting CAA records already exist, remove the current CAA records or add one for the desired CAA.
For example, a CAA record for Comodo would resemble the following example, where
example.com represents the domain name:
example.com. 86400 IN CAA 0 issue "comodoca.com"
Similarly, a CAA record for Let's Encrypt would resemble the following example, where
example.com represents the domain name:
example.com. 86400 IN CAA 0 issue "letsencrypt.com"
For more information about a CA's requirements, read their documentation.
SSL certificates review domain names literally. For example,
example.com are two different domains in relation to SSL.
We do not support the revocation of certificates through cPanel & WHM at this time.
AutoSSL uses a sort algorithm to establish which domains to add to the certificate first. This sort order ensures that the system adds the domains that customers will most likely visit to the certificate first. For example, customers most likely intend to navigate to
This function assumes that all of the fully qualified domain names (FQDNs) resolve to the same virtual host.
This sort order ensures that the system adds the domains that users will most likely visit to the certificate first. The default sort algorithm prioritizes domains in the following order:
mail.subdomains. For example: A cPanel user called
example(whose primary domain is
example.com), creates an addon domain called
foo.com. This addon domain, like all cPanel addon domains, exists on a separate virtual host with a subdomain
foo.example.com. In this case, the system prioritizes
In cPanel & WHM version 64 and later, AutoSSL adds proxy subdomains to the SSL certificate in accordance with the sort algorithm. For more information about proxy subdomains, read our Proxy Subdomains Explanation documentation.
AutoSSL only adds the
A cPanel-issued AutoSSL certificate expires after 90 days. However, AutoSSL attempts to automatically replace that certificate before it expires.
cPanel & WHM ships with the cPanel (powered by Comodo) provider. To install the Let's Encrypt™ AutoSSL provider plugin, read our The Let's Encrypt Plugin documentation.
Let's Encrypt only issues a certificate five times per week to a specific set of domains before it blocks any further certificates for that set of domains.
To work around this rate limitation, create an alias to a domain in the virtual host list (website) so that Let's Encrypt interprets the virtual host as a new set of domains.
No. A wildcard domain appears with an asterisk (
*) before the domain name (for example,
*.example.com). AutoSSL does not renew certificates that contain wildcard domains.
No. AutoSSL does not issue certificates for websites on suspended accounts. You must first activate the account in order for AutoSSL to issue a certificate.
In order to experience the full benefit of SNI, your server must run an operating system that supports this functionality, (for example, CentOS 6).
You must reissue these certificates each time that you add a new hostname.
A wildcard certificate allows you to install the same certificate on any number of subdomains if they share an IP address. You can apply a wildcard certificate to services in WHM's Manage Service SSL Certificates interface (WHM >> Home >> Service Configuration >> Manage Service SSL Certificates).
*.example.comto securely connect to
www.example.com, but not to
rootuser may install a wildcard certificate on a collection of subdomains that are associated with a single root domain on multiple IP addresses. If this configuration uses multiple IP addresses, a user on the server must not own the
Webserver certificates only allow you to secure a single domain. Wildcard certificates allow you to secure a domain and an unlimited number of subdomains. For example, if you wish to secure
blog.example.com, you can use a single wildcard certificate to do so. However, each subdomain requires its own dedicated IP address.
After you install the certificate, set the certificate as shared in WHM's Manage SSL Hosts interface (WHM >> Home >> SSL/TLS >> Manage SSL Hosts).
A self-signed SSL certificate does not verify the identity of the server. You can create your own self-signed SSL certificate in WHM's interface (WHM >> Home >> SSL/TLS >> Generate an SSL Certificate and Signing Request).
Based on the needs of your website, you may decide to either create a self-signed certificate or purchase an SSL certificate. Browsers consider a a purchased SSL certificate to be more secure because they verify the identity of the server.
cPanel, Inc. does not offer free signed or self-signed hostname certificates for cPanel DNSONLY™ servers.
The following sections describe some common certificate installation issues and how to fix them:
If you receive the
modulus mismatch or
key file does not match the certificate error messages, then the private key that you entered did not generate the certificate that you wish to install. The correct private key may exist in a different file.
WHM may automatically complete the Private Key text box when you attempt to install a certificate. To properly install the certificate, paste the private key that you generated in the Private Key text box in WHM's Install an SSL Certificate on a Domain interface (WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain).
Without Server Name Indication (SNI) enabled, SSL only allows one certificate per IP address. Because each cPanel account uses a single IP address, you can only assign one certificate per account. If you experience problems with a subdomain, assign a dedicated IP address to it, or enable SNI on the server.
For more information, read our Install an SSL Certificate on a Domain documentation.
Self-signed certificates typically cause the following behaviors:
It is likely that your server contains a self-signed certificate or a signed certificate that does not match the domain name.
To identify your hosting provider, enter your domain name at
You may encounter this problem if your server hosts multiple sites that share an IP address but only one domain with an installed SSL certificate. Apache cannot serve unsecured websites through a secure protocol.
For example, your server uses the following setup:
|IP address||Domain||SSL status|
If this setup resembles your shared IP address’ domain structure, expect the following behavior:
If you enter
|Protocol||IP address or domain||Apache will serve:|
|The default page redirect, or |
An error message.
To allow visitors to visit an unsecured domain regardless of which type of protocol they enter, perform the following steps:
Visitors now can access unsecured sites, even if they use a secure protocol. For example, if
example.com is your default website, the system redirects a visitor who enters
https://220.127.116.11 in their web browser to
Your web host likely uses a self-signed certificate, or a signed certificate that does not match your domain name. This warning exists to notify you that the name on the certificate does not match the name of the domain that you wish to visit.
Ensure that the SSL certificate matches a domain that belongs to your web host before you proceed. If this still concerns you, contact your web hosting provider to confirm that you can safely proceed.
If you have suffered a serious drive failure, you may lose this data.
If you can access the old drive, the system stores your authentication data in the