For cPanel & WHM version 68
(WHM >> Home >> Service Configuration >> Manage Service SSL Certificates)
This interface allows you to manage certificates for your server's services. For example, you can manage certificates for the following services:
- Exim (SMTP).
- POP3 and IMAP.
- The cPanel services (cPanel & WHM and Webmail).
- Your FTP server.
- iOS Mail Push Notifications (APNs).
SSL certificates allow your web server to identify itself to the computers that access it.
You can use any of the following types of certificates to secure your server's services:
- A free cPanel-signed hostname certificate.
- A certificate that you obtained from a certificate authority (CA).
A self-signed certificate.
We recommend that you do not use self-signed certificates. They are not as secure as certificates from a CA. Any server could claim to be your server with a self-signed certificate because they do not use a third-party verification system. To remedy this, use certificates from a CA, which verifies that users are securely connected to your server.
- PKCS #12 (iOS APNs only).
For more information about how to generate or purchase a certificate, read our Generate an SSL Certificate and Signing Request documentation.
In cPanel & WHM version 64, we will attempt to automatically replace the default SSL certificate for any service besides Apache if that certificate does not match the server’s hostname. However, we will only automatically replace the certificate if that certificate is a one-year, cPanel-signed single domain, domain-validated (DV) certificate.
Free cPanel-signed certificate
cPanel, Inc. offers valid cPanel & WHM license holders a free signed certificate for the services on your server's hostname. This replaces the certificates for these services that meet any of the following conditions:
- Maintains a weak signature algorithm.
- Invalid (For example, your server's hostname must be valid and resolve in DNS).
- Expires in less than 25 days.
Your server automatically orders the certificate when the server runs the
upcp maintenance script, and then downloads and installs it when it becomes available.
When that signed certificate is less than 25 days from expiration, your server automatically orders a replacement free signed certificate. The server downloads and installs the certificate when it becomes available. Otherwise, if the signed certificate expires, the server installs a self-signed certificate, and then replaces that certificate with the free signed certificate when it is ready.
- If you create the
/var/cpanel/ssl/disable_auto_hostname_certificatetouch file, the system will no longer order, download, and install a free cPanel-signed hostname certificate.
- If you create the
/var/cpanel/ssl/disable_service_certificate_managementtouch file, the system disables all automatic replacement of expired service certificates. The system also disables notifications about expired or expiring service certificates.
- Your server must possess a valid hostname and resolve in DNS.
- Your server must possess a valid cPanel & WHM license.
- This system will replace a valid certificate from a CA if that certificate will expire within 25 days. Many customers prefer that their systems do not replace valid signed certificates. If you do not want the system to replace valid certificates from a CA, create the appropriate touch file as described above.
- cPanel, Inc. does not offer free cPanel-signed hostname certificates for cPanel DNSONLY servers.
CAA records in the domain's zone file restrict which CAs (Certificate Authority) may issue certificates for that domain. If no CAA records exist for a domain, all CAs can issue certificates for that domain. If conflicting CAA records already exist, remove the existing CAA records or add one for the desired CA. For example, a CAA record for Comodo would resemble the following example, where
example.comrepresents the domain name:
You can manage CAA records through WHM's Edit DNS Zone interface (WHM >> Home >> DNS Functions >> Edit DNS Zone).
For more information about a CA's requirements, read their documentation.
Service SSL Certificates
The interface displays the following table, which lists the services on your server and the certificates for each service:
|Service||The service that the certificate secures.|
|Certificate Domains||The domain of the service that the certificate secures.|
The date on which the certificate expires.
|Certificate Key Size||The size of the key, in bits, that the system used to generate the certificate. Larger numbers result in more secure certificates.|
Reset a Certificate
This option uninstalls the current certificate for the service and replaces it with a new self-signed certificate.
To reset a certificate, perform the following steps:
Click Reset Certificate next to the service for which to reset the certificate.
Click Proceed to generate and automatically install the certificate.
- This option automatically erases an existing certificate from the service. If you replace a certificate from a CA with a self-signed certificate, users may see warnings because their client applications do not trust self-signed certificates.
- If your server meets the requirements to obtain a free cPanel-signed certificate, the server automatically orders one the next time that the
upcpmaintenance script runs. When the signed certificate becomes available, the server downloads and installs it.
This option displays details about the installed certificate for the service:
|Domains||The domain of the service that the certificate secures.|
Information about the CA that issued the certificate.
This column displays a warning message for self-signed certificates.
|Key Size||The size of the key, in bits, that the system used to generate the certificate. Larger numbers result in certificates that are more secure.|
The date on which the certificate expires.
Apply Certificate to Another Service
This option allows you to apply a certificate to multiple services. This is useful, for example, when you wish to apply a signed certificate for your server's main domain to other services on your server.
To apply a certificate to another service, perform the following steps:
- Click the appropriate Apply Certificate to Another Service link.
The interface will scroll down to the Install a New Certificate section. Select the checkboxes for the services for which to apply this certificate.
WHM automatically enters the details of the Install a New Certificate text boxes with the certificate's information.
Click Install to install the certificate to the selected services, or click Cancel to cancel the operation.
If you replace a certificate from a CA with a self-signed one, users may see warnings because their client applications do not trust self-signed certificates.
Install a New Certificate
This form allows you to install a new certificate that you can use to secure the services on your server.
To install a new certificate on your server, perform the following steps:
- To use a certificate that already exists on your server, click Browse Certificates. Select the services that you wish for the certificate to secure.
- Click Browse Account and select the username from the menu, or click Browse Apache.
- Select the certificate that you wish to use from the menu.
Click Use Certificate to use the certificate, or click Cancel to cancel the operation.
WHM automatically enters the certificate's information into the Install a New Certificate form.
Paste the contents of the Certificate file (
.crt) into the Certificate text box.
Click Autofill by certificate to search for the appropriate private key and CA bundle from cPanel's public CA bundle repository.
- Paste the contents of the Private Key file (
.key) into the Private Key text box.
- If you have a CA bundle, paste the contents of that bundle (
.cab) into the Certificate Authority Bundle text box.
- Click Install to install the certificate, or click Cancel to cancel the operation.
If you selected the
cpsrvddaemon, and the certificate has installed correctly, the interface will prompt you to restart the
cpsrvddaemon. Click Restart cpsrvd to restart the cPanel service daemon.
You must restart the
cpsrvddaemon each time that you install a new SSL certificate for a service.
iOS Mail push notifications
In cPanel & WHM version 64, we introduced support for the iOS Apple® Push Notification service (APNs). Use this interface to manage the certificate and key that your server uses to communicate with APNs. For more information about how to install this certificate, read our How to Set Up iOS Push Notifications documentation.