For cPanel & WHM version 68
What is SSL/TLS?
SSL performs several functions to help secure your server.
SSL/TLS (Secure Sockets Layer/Transport Layer Security) encrypts information that a visitor’s web browser transmits to a web server. Use these protocols to protect against electronic eavesdroppers. Protect all of the sensitive data (for example, credit card numbers, and login information) that you transmit over the Internet with SSL/TLS.
Both of these protocols initiate a “handshake,” during which your server and the user’s computer agree on specific conditions. These conditions include a set of public and private keys that the two computers use to encrypt and decrypt messages that they send during the secure session.
You can set up SSL/TLS for your server in the SSL/TLS interface (cPanel >> Home >> Security >> SSL/TLS). This interface allows you to configure how SSL/TLS certificates run on your server.
What is an SSL certificate?
An SSL certificate is an electronic document that uses the
.crt file extension. This document binds a public key to an identity that consists of an email address, a company, and a location. This electronic document is a key piece in an authentication process.
SSL certificates provide public information about the security of a domain, server, or service. There are two parts to a secure certificate. Both parts are important to protect sensitive data.
- Encryption — Encodes data to ensure that no one who intercepts the transmission can understand it.
- Identification verification — Ensures that you connect to the correct server.
What is a Certificate Authority (CA) bundle?
- Who issued it.
- Any certificates of the authority that issued it.
The "chain of trust" for the issuer.
A certificate authority can vouch for other certificate authorities, which results in a "chain of trust." In order for a certificate authority to sell certificates, another certificate authority must vouch for them.
- Certificate revocation lists (CRLs).
What is a CAA record?
A CAA (Certification Authority Authorization) record specifies which CAs may issue certificates for a domain. If no CAA records exist for a domain, all CAs can issue certificates for that domain. If conflicting CAA records already exist, remove the existing CAA records or add one for the desired CA.
For example, a CAA record for Comodo would resemble the following example, where
example.com represents the domain name:
Similarly, a CAA record for Let's Encrypt would resemble the following example, where
example.com represents the domain name:
For more information about a CA's requirements, read their documentation.
What are limitations of SSL/TLS?
SSL certificates review domain names literally. For example,
example.com are two different domains in relation to SSL.
How do I revoke an SSL certificate?
We do not support the revocation of certificates through cPanel & WHM at this time.
Which domains does AutoSSL add to the certificate first?
AutoSSL uses a sort algorithm to establish which domains to add to the certificate first. This sort order ensures that the system adds the domains that customers will most likely visit to the certificate first. For example, customers most likely intend to navigate to
This function assumes that all of the fully qualified domain names (FQDNs) resolve to the same virtual host.
This sort order ensures that the system adds the domains that users will most likely visit to the certificate first. The default sort algorithm prioritizes domains in the following order:
- Any FQDNs that the virtual host’s current SSL certificate secures
- The primary domain on the cPanel account and then its
- Each addon domain followed by its
mail.subdomains. For example: A cPanel user called
example(whose primary domain is
example.com), creates an addon domain called
foo.com. This addon domain, like all cPanel addon domains, exists on a separate virtual host with a subdomain
foo.example.com. In this case, the system prioritizes
- Domains with fewer dots. For example, prioritize
- Shorter domains
- Apply lexicographical sort
Does AutoSSL cover proxy subdomains?
In cPanel & WHM version 64 and later, AutoSSL adds proxy subdomains to the SSL certificate in accordance with the sort algorithm. For more information about proxy subdomains, read our Proxy Subdomains Explanation documentation.
AutoSSL only adds the
whm proxy subdomain to the SSL certificate for reseller accounts.
When does an AutoSSL cPanel-issued certificates expire?
A cPanel-issued AutoSSL certificate expires after 90 days. However, AutoSSL attempts to automatically replace that certificate before it expires.
What rate limits does Let's Encrypt impose?
cPanel & WHM ships with the cPanel (powered by Comodo) provider. To install the Let's Encrypt™ AutoSSL provider plugin, read our The Let's Encrypt Plugin documentation.
- Certificates that Let's Encrypt provides through AutoSSL can secure a maximum of 100 subdomains per domain (Apache virtual host).
- Let's Encrypt issues one certificate per domain, and issues a maximum of 20 certificates per week. Each certificate can secure up to 100 subdomains of the domain on the certificate.
- Let's Encrypt continues to issue up to 20 certificates per week, if you request more than 20 domain certificates.
- Let's Encrypt uses the domain's alias (parked domain), not the main domain, as the common name for AutoSSL. To use the main domain as the common name for AutoSSL, you must use cPanel or another AutoSSL provider. For more information, consult the Let's Encrypt Community Support page.
Why won't Let's Encrypt issue a certificate for a virtual host list (website)?
Let's Encrypt only issues a certificate five times per week to a specific set of domains before it blocks any further certificates for that set of domains.
To work around this rate limitation, create an alias to a domain in the virtual host list (website) so that Let's Encrypt interprets the virtual host as a new set of domains.
What is SNI support?SNI (Server Name Indication) support allows you to host multiple SSL certificates for different domains on the same IP add ress. At the start of the "handshake" process, SNI indicates the hostname to which the client connects. Users who are on shared servers that support SNI can install their own certificates without a dedicated IP address.
In order to experience the full benefit of SNI, your server must run an operating system that supports this functionality, such as CentOS 6.
What is a multi-domain or UC/SAN SSL certificate?Multi-domain certificates are SSL certificates that allow you to secure multiple, potentially unrelated domains with a single certificate. This includes UC/SAN certificates and wildcard certificates. Unified Communications/Subject Alternate Name (UC/SAN). Certificates are SSL certificates that allow you to specify a list of hostnames that the same certificate protects.
You must reissue these certificates each time that you add a new hostname.
What is a wildcard SSL certificate?
A wildcard certificate allows you to install the same certificate on any number of subdomains if they share an IP address. You can apply a wildcard certificate to services in the Manage Service SSL Certificates interface (WHM >> Home >> Service Configuration >> Manage Service SSL Certificates).
- For example, you can use a wildcard certificate for
*.example.comto securely connect to
www.example.com, but not to
rootuser may install a wildcard certificate on a collection of subdomains that are associated with a single root domain on multiple IP addresses. If this configuration uses multiple IP addresses, a user on the server must not own the
What is the difference between a wildcard and a webserver certificate?
Webserver certificates only allow you to secure a single domain. Wildcard certificates allow you to secure a domain and an unlimited number of subdomains. For example, if you wish to secure
blog.example.com, you can use a single wildcard certificate to do so. However, each subdomain requires its own dedicated IP address.
What is a shared SSL certificate? How do I install one?A Shared SSL Certificate is an SSL certificate that is installed on the server's hostname. If the server administrator enables the Apache mod_userdir Tweak, all of the users on that server can use a Shared SSL Certificate to access their sites securely via their user directories. For example:
After you install the certificate, set the certificate as shared in the Manage SSL Hosts interface (WHM >> Home >> SSL/TLS >> Manage SSL Hosts).
Self-signed SSL certificates
What is a self-signed SSL certificate?
A self-signed SSL certificate is an SSL certificate that does not verify the identity of the server. You can create your own self-signed SSL certificate in the interface (WHM >> Home >> SSL/TLS >> Generate an SSL Certificate and Signing Request).
- A self-signed certificate has a label of “self-signed,” which is the equivalent of someone who claims that they are who they say they are.
- If you choose to use a self-signed SSL certificate, you can secure a connection to the site, but you cannot verify the identity of the site. As a result, browsers warn users about the authenticity of the server that they want to reach.
What is the difference between a self-signed certificate and a purchased SSL certificate?
Based on the needs of your website, you may decide to either create a self-signed certificate or purchase an SSL certificate. Because a purchased SSL certificate verifies the identity of the server, it is more secure.
- If your site only handles minimally sensitive data, it may be appropriate to create your own self-signed certificate.
- If your site handles extremely sensitive data (such as credit card information), purchase an SSL certificate to create a more trustworthy connection for your customers.
Can I get a free cPanel-signed SSL certificate for my cPanel DNSONLY server?
cPanel, Inc. does not offer free self-signed hostname certificates for cPanel DNSONLY servers.
How to troubleshoot an SSL installation
The following sections describe some common certificate installation issues and how to fix them:
My certificate will not install — I receive a message about a certificate/key mismatch.
If you receive the
modulus mismatch or
key file does not match the certificate error messages, then the private key that you entered did not generate the certificate that you wish to install. The correct private key may exist in a different file.
WHM may automatically complete the Private Key text box when you attempt to install a certificate. To properly install the certificate, paste the private key that you generated in the Private Key text box in the Install an SSL Certificate on a Domain interface (WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain).
My certificate will not install — I receive a message about a dedicated IP.
Without Server Name Indication (SNI) enabled, SSL only allows one certificate per IP address. Because each cPanel account uses a single IP address, you can only assign one certificate per account. If you experience problems with a subdomain, assign a dedicated IP address to it, or enable SNI on the server.
For more information, read our Install an SSL Certificate on a Domain documentation.
My certificate installed, but my visitors receive warnings about a self-signed certificate.
The following behaviors are acceptable for self-signed certificates:
- Typically, browsers do not trust self-signed certificates, even though, in terms of security, they are acceptable.
- Because browsers do not trust these certificates, your visitors will see a warning message.
- If you do not want visitors to encounter this warning, purchase an SSL certificate from an SSL provider.
- If you choose to do this, do not remove the installed self-signed certificate. Instead, purchase and install the additional certificate in the Install an SSL Certificate on a Domain interface (WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain) to purchase the certificate and install it in addition to the existing certificate.
My certificate installed, but my visitors see a warning about a domain mismatch.
It is likely that you have a self-signed certificate or a signed certificate that does not match the domain name.
- This warning notifies visitors that the name on the certificate does not match the name of the domain that they tried to reach.
- This should not be a security issue when you log in to a site's cPanel interface.
- Before they proceed, visitors can check to make sure that the SSL certificate pertains to the domain of the correct host.
- Visitors who are concerned about security should contact the host to make sure it is safe to proceed.
To identify your hosting provider, enter your domain name at WhoIsHostingThis.com
My certificate installed, but visitors who try to securely access other sites on the shared IP address can only see the site with an installed SSL certificate, not my default domain.
If you have multiple sites that share an IP address but only one domain with an installed SSL certificate, you may have this problem. Apache cannot serve unsecured websites through a secure protocol.
For example, you may have the following setup:
|IP address||Domain||SSL status|
If this setup is similar to your shared IP address’ domain structure, expect the following behavior:
If you enter
https:// before a domain name, the browser uses the
HTTPS protocol, which is secure. If you enter
http:// before a domain name, the browser uses
HTTP, which is not secure.
|Protocol||IP address or domain||Apache will serve:|
|The default page redirect, or |
An error message.
Because Apache cannot serve an unsecured website with a secure protocol and there are no secure sites on the shared I P address, Apache serves an error message.
Because Apache cannot serve an unsecured site with a secure protocol, Apache defaults to the secure website on the shared IP address.
To allow visitors to visit an unsecured domain regardless of which type of protocol they enter, perform the following steps:
- Navigate to the Install an SSL Certificate on a Domain interface (WHM >> Home >> SSL/TLS >> Install an SSL Certificate on a Domain).
- Click Browse Certificates.
- In the Browse Account menu, select
- In the Certificate list, select the option for the server's hostname certificate.
- Click Use Certificate.
- In the IP Address (non-user domains only) menu, select the server's shared IP address.
- Click Install.
- Navigate to the Manage SSL Hosts interface (WHM >> Home >> SSL/TLS >> Manage SSL Hosts).
- In the Installed SSL Hosts table, click Make Primary in the appropriate row for the server's hostname.
- Navigate to the Include Editor interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Include Editor):
Select the Pre Virtual Host Include option.
Select the Apache version from the menu. We recommend that you select All Versions.
Enter the following text in the available text box:
- Click Update.
This example uses the following values:
IPADDRESSrepresents your server's IP address.
HOSTNAMErepresents your server's hostname.
SSLCERTIFICATEFILErepresents the full file path to your SSL certificate.
SSLCERTIFICATEKEYFILErepresents the full file path to your SSL certificate's key.
Visitors now can access unsecured sites, even if they use a secure protocol. For example, if
example.com is your default website, the system redirects a visitor who enters
https://22.214.171.124 in their web browser to
When I log in with https, I get a certificate mismatch warning. Is it okay to ignore this and log in?
Your web host likely uses a self-signed certificate, or a signed certificate that does not match your domain name. This warning exists to notify you that the name on the certificate does not match the name of the domain that you wish to visit.
Check to make sure that the SSL certificate is from a domain that belongs to your web host before you proceed. If you are concerned about security, contact your web hosting provider to confirm that you can safely proceed.
What do I do if my system fails and I do not have my Trustwave authentication data in WHM?
If you have suffered a serious drive failure, you may lose this data.
If you can access the old drive, the system stores your authentication data in the