
Overview

SSL/TLS (Secure Sockets Layer/Transport Layer Security) encrypts information between a visitor’s browser and a server. These protocols protect against electronic eavesdroppers. This also protects sensitive data (for example, credit card numbers and login information) that you transmit over the Internet.

Both of these protocols initiate a handshake, during which your server and the user’s computer agree on specific conditions. These conditions include a set of public and private keys that the two computers use to encrypt and decrypt messages that they send during the secure session.

  • You can set up SSL/TLS for your server and configure how SSL/TLS certificates run in cPanel's SSL/TLS interface (cPanel >> Home >> Security >> SSL/TLS).
  • cPanel, L.L.C. does not offer free signed or self-signed hostname certificates for cPanel DNSONLY™ servers.

Warning:

As of cPanel & WHM version 68, we only support Transport Layer Security (TLS) protocol version 1.2.

  • We will only support applications that use TLSv1.2.
  • We strongly recommend that you enable TLSv1.2 on your server. 

SSL certificates

An SSL certificate is an electronic document that uses the .crt file extension. The certificate binds a public key to an identity that includes an email address, a company, and a location, and consists of the following parts:

  • Encryption — Encodes data to ensure that if someone intercepts the transmission, they cannot understand it.
  • Identification verification — Ensures that you connect to the correct server.

Notes:

  • SSL certificates match domain names literally. For example, www.example.com and example.com are two different domains as far as SSL is concerned.
  • We do not currently support the revocation of certificates.

Certificate types

When you work with SSL, you may encounter the following types of SSL certificate:

  • Multi-domain certificates — Multi-domain SSL certificates allow you to secure multiple potentially-unrelated domains with a single SSL certificate. This includes Unified Communications/Subject Alternate Name (UC/SAN) certificates, which allow you to specify a list of hostnames that the same SSL certificate protects, and wildcard certificates.

    Note:

    You must reissue UC/SAN certificates each time that you add a new hostname.

  • Self-signed certificates — Self-signed SSL certificates do not verify the identity of the server, and they do not require a CA. You can create your own self-signed SSL certificate in WHM's Generate an SSL Certificate and Signing Request interface (WHM >> Home >> SSL/TLS >> Generate an SSL Certificate and Signing Request).

    Important:

    • Because self-signed certificates do not verify the site's identity, visitors' browsers will generally display a warning when they attempt to access the site.
    • Self-signed certificates may be appropriate if your website only handles minimally-sensitive data. If your website handles any sensitive data, we strongly recommend that you use a signed certificate.

  • Shared SSL certificates — Shared SSL certificates allow you to secure multiple domains with the same SSL certificate.
    • To use shared SSL certificates, you must enable Apache's mod_userdir module in WHM's Apache mod_userdir Tweak interface (WHM >> Home >> Security Center >> Apache mod_userdir Tweak). When you enable the mod_userdir module, users can access their sites securely via their user directories (for example, https://hostname.example.com/~username).
    • After you install a shared certificate, set the certificate as shared in WHM's Manage SSL Hosts interface (WHM >> Home >> SSL/TLS >> Manage SSL Hosts).
  • Wildcard certificates — Wildcard certificates allow you to install the same certificate on any number of subdomains if they share an IP address. For example, you can use a wildcard certificate for *.example.com to securely connect to mail.example.com and www.example.com but not to example.com.
    • You can apply a wildcard certificate to services in WHM's Manage Service SSL Certificates interface (WHM >> Home >> Service Configuration >> Manage Service SSL Certificates).
    • The root user may install a wildcard certificate on a collection of subdomains for a single root domain on multiple IP addresses. If this configuration uses multiple IP addresses, a user on the server cannot own the root domain.
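The literal-match rule in the note above and the one-label wildcard rule for *.example.com are what a server or client applies when it checks whether a certificate covers a hostname. The following is an added example, not cPanel's code, that implements both rules; the sample certificate name lists at the bottom are constructed for illustration.

```python
# Added example (not cPanel's code): match a hostname against the names on a
# certificate using the literal-match and single-label wildcard rules.
from typing import Iterable


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (a SAN or CN entry) covers hostname.

    - Names without a wildcard are compared literally, so a certificate for
      example.com does not cover www.example.com.
    - A wildcard must be the entire leftmost label and needs at least two
      labels after it, so *.example.com is accepted but *.com is not.
    - The wildcard stands for exactly one label: *.example.com covers
      mail.example.com and www.example.com but not example.com or
      a.b.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards (f*.example.com) and wildcards anywhere but the
    # leftmost label; this is the conservative choice modern CAs and browsers make.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False                      # *.com would be far too broad
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False                      # wrong depth, or an empty leftmost label
    return p_labels[1:] == h_labels[1:]


def certificate_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any name listed on the certificate covers the requested hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed sample: a UC/SAN certificate and a wildcard certificate
    san_cert = ["example.com", "www.example.com", "mail.example.com"]
    wildcard_cert = ["*.example.com"]
    for host in ["example.com", "www.example.com", "shop.example.com", "a.b.example.com"]:
        print(f"{host:18} SAN cert: {certificate_covers(san_cert, host)!s:5} "
              f"wildcard cert: {certificate_covers(wildcard_cert, host)}")
```

Run it to see that the UC/SAN certificate covers only its three listed names, while the wildcard covers shop.example.com but neither the bare domain nor a two-level subdomain.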

SNI support

SNI (Server Name Indication) support allows you to host multiple SSL certificates for different domains on the same IP address. At the beginning of the handshake process, SNI indicates the hostname to which the client connects. Users on shared servers that support SNI can install their own certificates without a dedicated IP address.

Certificate authorities

Your Certificate Authority (CA) is the trusted third-party entity that issues your SSL certificates.

CA bundle files

Generally, when you purchase an SSL certificate, your CA will send you a CA bundle file. This file contains the following details about the SSL certificate:

  • The CA that issued the certificate.
  • Any certificates of the authority.
  • The chain of trust for the issuer.

    Note:

    A CA can vouch for other CAs, which results in a chain of trust. In order for a CA to sell certificates, another CA must vouch for them.

  • Certificate revocation lists (CRLs).

Browsers include a list of trusted certificate authorities, and they use the list to determine whether to trust a specific CA.

CAA records

A CAA (Certification Authority Authorization) record specifies which CAs may issue certificates for a domain. If no CAA records exist for a domain, all CAs can issue certificates for that domain. You can manage CAA records through WHM's Edit DNS Zone interface (WHM >> Home >> DNS Functions >> Edit DNS Zone) or through cPanel's Zone Editor interface (cPanel >> Home >> Domains >> Zone Editor). 

If conflicting CAA records already exist, you must either remove the current CAA records or add one for the desired CA. For example, a CAA record for Comodo would resemble the following example, where example.com represents the domain name:

example.com.	86400	IN	CAA	0 issue "comodoca.com"

Similarly, a CAA record for Let's Encrypt would resemble the following example, where example.com represents the domain name:

example.com.	86400	IN	CAA	0 issue "letsencrypt.org"
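The following added example, not cPanel's code, parses CAA records written in the zone-file form shown above and decides whether a named CA may issue for a hostname. It goes a little beyond the text by walking up to the parent domain when a name has no CAA records of its own, and by handling the issuewild tag and the critical flag, as RFC 8659 describes. The zone contents are constructed for illustration; the CA identifiers comodoca.com and letsencrypt.org are the ones used in the records above.

```python
# Added example (not cPanel's code): parse zone-file CAA records and decide
# whether a CA may issue for a name, following RFC 8659's lookup rules.
import re
from collections import defaultdict

# Constructed sample zone: example.com allows two CAs but forbids wildcard
# issuance; secure.example.com narrows the choice to one CA; unknown.example.com
# carries a critical record with a tag that no CA understands.
ZONE_TEXT = """
example.com.          86400 IN CAA 0   issue     "comodoca.com"
example.com.          86400 IN CAA 0   issue     "letsencrypt.org"
example.com.          86400 IN CAA 0   issuewild ";"
secure.example.com.   86400 IN CAA 0   issue     "letsencrypt.org"
unknown.example.com.  86400 IN CAA 128 futuretag "value"
"""

CAA_LINE = re.compile(r'^(\S+)\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\S+)\s+"([^"]*)"$')


def parse_caa_zone(text):
    """Map owner name -> list of (flags, tag, value) from zone-file CAA lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CAA_LINE.match(line)
        if not m:
            raise ValueError(f"not a CAA record: {line!r}")
        owner, flags, tag, value = m.groups()
        records[owner.lower()].append((int(flags), tag.lower(), value))
    return dict(records)


def relevant_caa(records, name):
    """Climb from name toward the root; the first owner with CAA records governs."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in records:
            return records[owner]
    return None


def may_issue(records, name, ca_domain, wildcard=False):
    """Decide whether the CA identified by ca_domain may issue for name.

    wildcard=True asks about a certificate for *.name rather than for name itself.
    """
    rrset = relevant_caa(records, name)
    if rrset is None:
        return True            # no CAA records anywhere up the tree: any CA may issue
    for flags, tag, _ in rrset:
        if flags & 0x80 and tag not in ("issue", "issuewild", "iodef"):
            return False       # critical flag on a tag the CA does not understand
    tag_wanted = "issue"
    if wildcard and any(tag == "issuewild" for _, tag, _ in rrset):
        tag_wanted = "issuewild"   # issuewild, when present, overrides issue for wildcards
    # each value is "<ca domain>[; parameters]"; a bare ";" means no CA at all
    allowed = [value.split(";")[0].strip().lower()
               for _, tag, value in rrset if tag == tag_wanted]
    if not allowed:
        return True            # RRset exists but restricts nothing for this kind of cert
    return ca_domain.lower() in allowed


ZONE = parse_caa_zone(ZONE_TEXT)

if __name__ == "__main__":
    for host, ca in [("www.example.com", "letsencrypt.org"),
                     ("secure.example.com", "comodoca.com"),
                     ("example.net", "comodoca.com")]:
        print(f"{ca:16} for {host:20}: {'allowed' if may_issue(ZONE, host, ca) else 'refused'}")
```

Note how secure.example.com shows the conflict case from the text: its own record lists only letsencrypt.org, so Comodo is refused there even though the parent zone allows it, and the fix is to add a second issue record for the desired CA or remove the narrowing one.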

AutoSSL

AutoSSL secures multiple domains with the assumption that all of the domains resolve to the same virtual host. A cPanel-issued AutoSSL certificate expires after 90 days. However, AutoSSL attempts to automatically replace that certificate before it expires.

Important:

  • You can use Comodo to secure up to 1,000 domains per certificate.
  • AutoSSL does not renew certificates that contain wildcard domains.
  • AutoSSL does not issue certificates for websites on suspended accounts. You must first activate the account in order for AutoSSL to issue a certificate.
  • In cPanel & WHM version 64 and later, AutoSSL adds proxy subdomains to the SSL certificate in accordance with the sort algorithm. For more information about proxy subdomains, read our Proxy Subdomains Explanation documentation.

AutoSSL sorting

AutoSSL uses a sort algorithm to establish which domains to add to the certificate first. This sort order ensures that the system adds the domains that customers will most likely visit to the certificate first. For example, customers most likely intend to navigate to example.com rather than www.subdomain.example.com.

The default sort algorithm prioritizes domains in the following order:

  1. Any fully-qualified domain names (FQDNs) that the virtual host’s current SSL certificate secures.
  2. The primary domain on the cPanel account and its www. and mail. subdomains.
  3. Each addon domain and its www. and mail. subdomains. For example, the cPanel user example (whose primary domain is example.com) creates the foo.com addon domain. This addon domain, like all cPanel addon domains, exists on a separate virtual host with a subdomain. In this case, the system prioritizes foo.com over foo.example.com.
  4. Domains with fewer dots. For example, AutoSSL would prioritize foo.com over www.foo.com.
  5. The www, mail, whm, webmail, cpanel, autodiscover, and webdisk subdomains.

    Note:

    AutoSSL only adds the whm proxy subdomain to the SSL certificate for reseller accounts.

  6. Shorter domains.
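
The following added example, which is not cPanel's own implementation, turns the six rules above into a sort key so you can see which names reach the certificate first and which are left off when a provider caps the number of domains. The tie-breaking between rules is this example's reading of the list (each rule becomes one element of a tuple, and the proxy subdomains count as one group rather than being ordered among themselves); the account, its addon domain and the candidate names are constructed for illustration.

```python
# Added example, not cPanel's own implementation: reproduce the AutoSSL
# priority order as a sort key and show which names fit under a per-certificate cap.

PROXY_SUBDOMAINS = {"www", "mail", "whm", "webmail", "cpanel", "autodiscover", "webdisk"}


def autossl_sort_key(domain, primary, addons, currently_secured):
    """Smaller tuples sort first; each element corresponds to one rule above."""
    d = domain.lower()
    if d in currently_secured:
        tier = 0          # rule 1: already secured by the vhost's current certificate
    elif d in {primary, "www." + primary, "mail." + primary}:
        tier = 1          # rule 2: primary domain and its www. and mail. subdomains
    elif any(d in {a, "www." + a, "mail." + a} for a in addons):
        tier = 2          # rule 3: each addon domain and its www. and mail. subdomains
    else:
        tier = 3
    dots = d.count(".")                                              # rule 4: fewer dots first
    proxy_rank = 0 if d.split(".")[0] in PROXY_SUBDOMAINS else 1     # rule 5: proxy subdomains
    return (tier, dots, proxy_rank, len(d), d)                       # rule 6: shorter domains first


def sort_autossl_domains(candidates, primary, addons, currently_secured=(),
                         reseller=False, limit=None):
    """Return the candidate domains in the order AutoSSL would add them.

    limit models a provider cap (for instance the 1,000 domains per certificate
    mentioned above): names past the cap are the ones that stay off the certificate.
    """
    primary = primary.lower()
    addons = {a.lower() for a in addons}
    secured = {s.lower() for s in currently_secured}
    domains = {c.lower().rstrip(".") for c in candidates}
    if not reseller:
        # the whm proxy subdomain is only added for reseller accounts
        domains = {d for d in domains if not d.startswith("whm.")}
    ordered = sorted(domains, key=lambda d: autossl_sort_key(d, primary, addons, secured))
    return ordered[:limit] if limit is not None else ordered


# Constructed sample account: user "example", primary domain example.com,
# addon domain foo.com (which also exists as foo.example.com), and a current
# certificate that already secures shop.example.com.
SAMPLE_CANDIDATES = [
    "a.b.example.com", "blog.example.com", "whm.example.com", "webmail.example.com",
    "cpanel.example.com", "shop.example.com", "foo.example.com", "mail.foo.com",
    "www.foo.com", "foo.com", "mail.example.com", "www.example.com", "example.com",
]

if __name__ == "__main__":
    ordered = sort_autossl_domains(SAMPLE_CANDIDATES, "example.com", ["foo.com"],
                                   currently_secured=["shop.example.com"])
    for i, d in enumerate(ordered, 1):
        print(f"{i:2}. {d}")
```

With a limit of four, only shop.example.com, example.com, www.example.com and mail.example.com would make it onto the certificate; the addon domain and every other subdomain would wait for a later certificate.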

Let's Encrypt

cPanel & WHM ships with the cPanel (powered by Comodo) provider. However, you can also install the Let's Encrypt™ AutoSSL plugin to add Let's Encrypt as a provider. For more information about the plugin, read our Let's Encrypt Plugin documentation.

Let's Encrypt uses the domain's alias (parked domain), not the main domain, as the common name for AutoSSL. To use the main domain as the common name for AutoSSL, you must use cPanel or another AutoSSL provider. For more information, consult the Let's Encrypt Community Support page.

Let's Encrypt issues one certificate per domain and can issue a maximum of 20 certificates per week.

  • Certificates that Let's Encrypt provides through AutoSSL can secure a maximum of 100 subdomains per domain.
  • Let's Encrypt only issues a certificate five times per week to a specific set of domains before it blocks any further certificates for that set of domains. To work around this rate limitation, create an alias to a domain in the virtual host list (website) so that Let's Encrypt interprets the virtual host as a new set of domains.

Additional documentation