
Understanding cPanel SSL Certificate Management
SSL certificates protect data flowing between your website and visitors. Managing them properly in cPanel means understanding different certificate types and installation methods.
This cPanel SSL certificate management tutorial covers the complete workflow for SSL management on cPanel hosting servers.
You'll work with three main certificate types:
- AutoSSL for automatic Let's Encrypt certificates
- Manual Let's Encrypt installations
- Commercial certificates from trusted authorities
Each method fits different hosting scenarios and client needs.
Prerequisites and Access Requirements
Before starting, verify your setup meets these requirements:
- Root or reseller access to WHM (Web Host Manager)
- cPanel account with SSL/TLS management privileges
- Domain pointing to your server with correct A records
- Ports 80 and 443 open on your server firewall
- Valid hosting package that supports SSL certificates
Most HostMyCode Managed VPS plans include cPanel with full SSL management capabilities.
Check your server's current SSL status before installing certificates.
Setting Up AutoSSL for Automated Certificate Management
AutoSSL automatically manages Let's Encrypt certificates for all domains on your cPanel server. Configure AutoSSL in WHM first, then enable it for individual accounts.
Log into WHM and navigate to SSL/TLS → Manage AutoSSL. Enable AutoSSL and select Let's Encrypt as your certificate provider:
AutoSSL Provider: Let's Encrypt
Certificate Coverage: All domains and subdomains
Renewal Window: 30 days before expiration
Notifications: Enable email alerts for failures
AutoSSL checks domain validation every few hours. It automatically renews certificates 30 days before expiration.
Monitor the AutoSSL log at /var/log/letsencrypt/letsencrypt.log for validation failures.
Enable AutoSSL for specific cPanel accounts by selecting the account in WHM → SSL/TLS → Manage AutoSSL → Enable for User.
This automatically provisions certificates for the primary domain and addon domains.
Manual Let's Encrypt Certificate Installation
Some domains need manual Let's Encrypt certificate installation. This happens when AutoSSL fails validation or you need specific certificate configurations.
Access the target cPanel account and navigate to Security → SSL/TLS → Let's Encrypt SSL.
Select your domain and click "Issue" to generate the certificate:
Domain: example.com
Email: admin@example.com
Include www: Yes
Validation Method: HTTP-01
Key Size: 2048 bits
Let's Encrypt performs domain validation by placing temporary files in your website's .well-known/acme-challenge/ directory.
Your web server must serve files from this location without redirects or authentication.
The certificate installs automatically after successful validation. You can view installation status and certificate details in SSL/TLS → SSL/TLS Status.
The certificate covers both example.com and www.example.com.
Troubleshooting Let's Encrypt Validation
Common validation failures include:
- Firewall blocking port 80 access to /.well-known/acme-challenge/
- Apache or Nginx redirects preventing challenge file access
- DNS not pointing to your server correctly
- Rate limiting from too many certificate requests
Check validation by accessing http://yourdomain.com/.well-known/acme-challenge/test manually before requesting certificates.
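The manual check above can be scripted as a pre-flight probe that maps each result onto the failure causes listed in this section. This is an added example, not part of the original tutorial; the function names and the preflight- file prefix are assumptions, and a redirect is reported as a finding because the tutorial requires the path to be served without one.

```bash
#!/bin/bash
# Added example (not from the original tutorial): pre-flight probe for HTTP-01.
# Function names and the preflight- file prefix are assumptions.

# diagnose_probe <http_code> <body> <expected_token>
# Maps a probe result onto the failure causes listed in this section.
diagnose_probe() {
    case "$1" in
        200)
            if [ "$2" = "$3" ]; then
                echo "OK: challenge path is served from this document root"
            else
                echo "WRONG_CONTENT: another server or vhost answered; check DNS"
            fi ;;
        000)     echo "NO_CONNECTION: check the port 80 firewall rule and the A record" ;;
        30?)     echo "REDIRECT: a rewrite rule is redirecting the challenge path" ;;
        401|403) echo "DENIED: authentication or an access rule covers the path" ;;
        404)     echo "NOT_FOUND: the domain is served from a different document root" ;;
        *)       echo "UNEXPECTED: HTTP status $1" ;;
    esac
}

# probe_http01 <domain> <docroot>   (run on the server; needs curl)
probe_http01() {
    local dir="$2/.well-known/acme-challenge" token file tmp code
    token=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')   # random, unguessable body
    file="$dir/preflight-$token"
    tmp=$(mktemp) || return 2
    mkdir -p "$dir" && printf '%s' "$token" > "$file" || { rm -f "$tmp"; return 2; }
    # No -L on purpose: a redirect must surface as a 30x status, not be followed.
    code=$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' \
        "http://$1/.well-known/acme-challenge/preflight-$token")
    diagnose_probe "$code" "$(cat "$tmp")" "$token"
    rm -f "$file" "$tmp"
}
```

Run it as `probe_http01 example.com /home/user/public_html` before requesting a certificate; failed requests count toward the rate limits mentioned above, so a local probe is the cheaper test.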
Installing Commercial SSL Certificates
Commercial SSL certificates from providers like Comodo, DigiCert, or Sectigo offer extended validation and wildcard options. These aren't available with Let's Encrypt.
Generate a Certificate Signing Request (CSR) in cPanel under SSL/TLS → Private Keys.
Create a new private key and CSR:
Key Size: 2048 bits
Domains: example.com,www.example.com
Country: US
State: California
City: San Francisco
Organization: Your Company
Department: IT Department
Email: admin@example.com
Submit the CSR to your certificate authority and complete their validation process.
You'll receive the signed certificate and intermediate certificates via email or download portal.
Install the commercial certificate in SSL/TLS → Certificates (CRT). Paste your certificate, private key, and certificate bundle:
Certificate (CRT): -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Private Key: -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----
Certificate Authority Bundle: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
The certificate bundle contains intermediate certificates that establish the trust chain to root certificate authorities.
Always include the complete bundle for proper browser compatibility.
Certificate Renewal and Monitoring
Set up monitoring to track certificate expiration dates and renewal status across all domains on your server.
Create automatic renewal checking with a daily cron job:
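#!/bin/bash
# Check SSL certificate expiration for every domain on the server
# /etc/userdomains lines look like "domain: user"; skip any "*" catch-all entry
while IFS=: read -r domain _; do
    [ "$domain" = "*" ] && continue
    # </dev/null ends the session after the handshake; timeout stops dead hosts from hanging the loop
    expiry=$(timeout 10 openssl s_client -servername "$domain" -connect "$domain:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
    echo "$domain expires: ${expiry:-unknown (no certificate retrieved)}"
done < /etc/userdomains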
This script checks expiration dates for all domains.
Integrate with your monitoring system or email alerts for certificates expiring within 30 days.
AutoSSL handles renewal automatically. Monitor the renewal process in WHM → SSL/TLS → Manage AutoSSL → View AutoSSL Log.
Failed renewals require manual intervention to resolve validation issues.
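To turn the expiration dates into the 30-day alerts described above, the end date has to be compared against the current time and unreadable results treated as a problem rather than skipped. The following is an added example, not part of the original tutorial; the function names, WARN_DAYS and the --scan switch are assumptions, and it requires GNU date.

```bash
#!/bin/bash
# Added example (not from the original tutorial): turn certificate end dates
# into alert states. Function names and WARN_DAYS are assumptions.
WARN_DAYS=30

# seconds_left "<notAfter text from openssl>" [now_epoch]
# Requires GNU date. Fails on empty or unparseable input instead of guessing.
seconds_left() {
    local expiry now
    [ -n "$1" ] || return 2            # date -d "" would silently mean "today"
    expiry=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    now=${2:-$(date -u +%s)}
    echo $(( expiry - now ))
}

# cert_status "<notAfter>" [now_epoch]  ->  OK | RENEW | EXPIRED | UNKNOWN
cert_status() {
    local secs
    secs=$(seconds_left "$1" "$2") || { echo UNKNOWN; return 0; }
    if [ "$secs" -le 0 ]; then
        echo EXPIRED
    elif [ "$secs" -le $(( WARN_DAYS * 86400 )) ]; then
        echo RENEW
    else
        echo OK
    fi
}

# Fetch notAfter for one live domain (network access needed).
fetch_not_after() {
    timeout 10 openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# Print only the domains that need attention; cron mails any output to MAILTO.
scan_userdomains() {
    local domain status
    while IFS=: read -r domain _; do
        [ "$domain" = "*" ] && continue
        status=$(cert_status "$(fetch_not_after "$domain")")
        [ "$status" = OK ] || echo "$status $domain"
    done < "${1:-/etc/userdomains}"
}

# Run the scan only when asked to, e.g. from cron: check-certs.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_userdomains; fi
```

A domain that returns no certificate at all is reported as UNKNOWN, which catches hosts where the TLS listener is down or the wrong virtual host answers.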
Wildcard Certificate Management
Wildcard certificates secure unlimited subdomains under a single certificate. They're useful for hosting providers managing many client subdomains.
Let's Encrypt wildcard certificates require DNS validation instead of HTTP validation.
Configure DNS-01 challenge in cPanel by adding TXT records to your domain's DNS zone.
For manual wildcard certificate requests, use the cPanel Terminal or SSH access:
certbot certonly --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d '*.example.com' -d example.com
Follow the prompts to add required TXT records to your DNS zone.
The certificate covers both the root domain and all subdomains like mail.example.com, ftp.example.com, and any client subdomains.
SSL Performance and Security Optimization
Optimize SSL performance and security after certificate installation. Configure strong cipher suites and enable HTTP/2 support for better performance.
Update your Apache SSL configuration in WHM → Service Configuration → Apache Configuration → Include Editor → Post VirtualHost Include:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
This configuration enforces TLS 1.2+ protocols and uses strong ciphers. It also enables HSTS for enhanced security.
Test your SSL configuration at ssllabs.com to verify A+ ratings.
For comprehensive server security beyond SSL, check our cPanel hardening tutorial that covers WHM lockdown and service security.
Multi-Domain Certificate Management
Subject Alternative Name (SAN) certificates secure multiple unrelated domains under a single certificate. This reduces management overhead for hosting providers.
Generate SAN certificates by listing all domains in your CSR or Let's Encrypt request:
Domains: example.com, www.example.com, domain2.com, www.domain2.com, domain3.com
SAN certificates work well for hosting providers managing multiple client domains. But consider the security implications.
If one domain is compromised, the certificate may need revocation affecting all domains.
Monitor SAN certificate limits. Let's Encrypt allows 100 names per certificate, while commercial providers vary.
Plan certificate architecture based on your domain portfolio and security requirements.
Certificate Backup and Disaster Recovery
Set up certificate backup procedures to enable fast recovery during server migrations or failures.
Back up SSL certificates and private keys from cPanel accounts:
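#!/bin/bash
# Backup SSL certificates for all cPanel accounts
umask 077   # backups contain private keys: create them readable by root only
# /etc/trueuserdomains lines look like "domain: user"; field 2 is the account name
for user in $(cut -d: -f2 /etc/trueuserdomains | sort -u); do
    mkdir -p "/backup/ssl/$user"
    # -a preserves file modes and timestamps of keys and certificates
    cp -a "/home/$user/ssl/" "/backup/ssl/$user/"
    cp -a /var/cpanel/userdata/"$user"/*/ssl_* "/backup/ssl/$user/" 2>/dev/null || true
done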
Include SSL certificates in your regular backup routine.
Store backups securely with encryption since private keys provide full access to encrypted communications.
For complete backup strategies including SSL certificates, review our cPanel backup tutorial with WHM backup configuration.
Frequently Asked Questions
How often do AutoSSL certificates renew automatically?
AutoSSL attempts to renew Let's Encrypt certificates 30 days before expiration. The system checks for renewal opportunities every few hours and handles the entire process automatically without downtime.
Can I use wildcard certificates with cPanel AutoSSL?
AutoSSL does not support wildcard certificates automatically. Wildcard certificates require DNS validation which must be configured manually through the command line or cPanel's Let's Encrypt interface.
What happens if my commercial SSL certificate expires?
Expired certificates trigger browser security warnings and may prevent visitors from accessing your site. Monitor expiration dates and renew certificates at least 30 days before expiration to avoid service interruption.
How do I force HTTPS for all website traffic?
Enable "Force HTTPS Redirect" in cPanel's SSL/TLS interface, or add redirect rules to your .htaccess file. This automatically redirects all HTTP traffic to the encrypted HTTPS version of your site.
Can I install multiple certificates for the same domain?
cPanel allows only one certificate per domain at a time. To change certificates, remove the existing one and install the new certificate. The new certificate immediately replaces the old one for that domain.