We recommend this document for experienced Systems Administrators only.
This document outlines how cPanel processes Secure Sockets Layer (SSL) certificate requests versus how Apache processes SSL requests.
Name-based versus virtual host match
Most SSL-enabled services that cPanel deploys support simple name-based SSL. When a client requests an SSL certificate for a specific domain, the service performs the following actions:
- Responds with a certificate that matches that requested domain.
- Or, if no such certificate exists, the system uses the service’s default SSL certificate.
Apache, however, does not follow this logic. When a client requests a specific domain’s SSL certificate, Apache performs the following actions:
- Establishes which virtual host hosts that domain.
- Presents the certificate for that virtual host.
Apache will offer the virtual host's certificate even if the certificate does not match the domain.
Apache cannot match a certificate directly with a domain. Apache serves the same certificate for any request that matches a given virtual host. Because of this limitation, Apache’s domain-indexed SSL storage differs from that of the other services.
The other services’ domain-indexed SSL storage is referred to here as “Domain TLS”.
For simplicity, cPanel & WHM only exposes a single set of APIs to install and remove SSL certificates. When a user or administrator installs an SSL certificate, that installation applies only to a specific Apache virtual host (both in Apache and in the services that support name-based SSL). After the Apache installation finishes, the system copies the certificate into Domain TLS for each domain on the virtual host that matches the certificate.
- The system will only copy the certificate into Domain TLS if it passes OpenSSL’s validity check.
- In cPanel version 66 and later, the system removes certificates from Domain TLS if they fail validation or are set to expire within one day.
- This check occurs daily.
Certificate removal follows the same pattern. The system removes Domain TLS entries for all domains on the virtual host that match the certificate.
Service-Default SSL certificates
Non-Apache services use default SSL certificates that administrators can manage via WHM. These services will only serve their default SSL certificate to the client if no certificate in Domain TLS matches the client’s requested domain.
FTP is the only service that doesn’t support name-based SSL.
In cPanel version 66 and later, when the administrator installs a service-default SSL certificate, the system compares this certificate with the contents of Domain TLS. For each domain on the default certificate, the system will install that new certificate into Domain TLS. The system only performs this action if an SSL certificate with higher-grade identity assurance does not already exist in Domain TLS. This ensures that the highest-grade SSL certificate will be served for a given request for every service (other than Apache).
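The following is an added example, not cPanel’s own code, that models the behaviour described in both sections above: Apache’s virtual-host-based certificate selection versus the name-based Domain TLS lookup with fallback to the service default, the copy into Domain TLS on installation (gated on a validity check), the daily removal of entries that fail validation or expire within one day, and the grade-aware installation of a service-default certificate. Everything in it is assumed for illustration: the DV < OV < EV ranking stands in for cPanel’s identity-assurance comparison, the validity check is reduced to an expiry-date test, certificate names are matched exactly (no wildcard handling), and all domain names, certificate labels and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Identity-assurance ranking assumed by this example (DV < OV < EV); cPanel's own
# comparison rules are not reproduced here.
GRADE_RANK = {"dv": 0, "ov": 1, "ev": 2}


@dataclass(frozen=True)
class Cert:
    name: str            # label used only by this example
    domains: frozenset   # names the certificate covers (exact match; no wildcard handling)
    not_after: datetime
    grade: str = "dv"

    def is_valid(self, now: datetime) -> bool:
        return now < self.not_after  # stand-in for OpenSSL's validity check: expiry only


@dataclass
class VirtualHost:
    domains: frozenset
    cert: Optional[Cert] = None


class ApacheLike:
    """Apache: present the certificate of the vhost hosting the name, even if it mismatches."""

    def __init__(self, vhosts: List[VirtualHost], default: Cert):
        self.vhosts, self.default = vhosts, default

    def select(self, requested: str) -> Cert:
        for vh in self.vhosts:
            if requested in vh.domains and vh.cert is not None:
                return vh.cert
        return self.default


class NameBasedService:
    """Non-Apache service: look the name up in Domain TLS, else serve the service default."""

    def __init__(self, domain_tls: Dict[str, Cert], default: Cert):
        self.domain_tls, self.default = domain_tls, default

    def select(self, requested: str) -> Cert:
        return self.domain_tls.get(requested, self.default)


def install_on_vhost(vh: VirtualHost, cert: Cert, domain_tls: Dict[str, Cert], now: datetime) -> List[str]:
    # Install on the vhost, then copy into Domain TLS for each matching vhost domain, if valid.
    vh.cert = cert
    copied = sorted(vh.domains & cert.domains) if cert.is_valid(now) else []
    for d in copied:
        domain_tls[d] = cert
    return copied


def daily_prune(domain_tls: Dict[str, Cert], now: datetime) -> List[str]:
    # Daily check: drop entries that fail validation or expire within one day.
    doomed = sorted(d for d, c in domain_tls.items()
                    if not c.is_valid(now) or c.not_after - now <= timedelta(days=1))
    for d in doomed:
        del domain_tls[d]
    return doomed


def install_service_default(new_default: Cert, domain_tls: Dict[str, Cert]) -> List[str]:
    # Write the new default into Domain TLS per domain unless a higher-grade entry is present.
    installed = []
    for d in sorted(new_default.domains):
        existing = domain_tls.get(d)
        if existing is None or GRADE_RANK[existing.grade] <= GRADE_RANK[new_default.grade]:
            domain_tls[d] = new_default
            installed.append(d)
    return installed


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed "current time"


def demo_selection() -> dict:
    # Constructed scenario: one vhost serves two names; its certificate covers only one.
    shop = Cert("shop-cert", frozenset({"shop.example.test"}), NOW + timedelta(days=90), "ov")
    default = Cert("service-default", frozenset({"host.example.test"}), NOW + timedelta(days=365))
    vh = VirtualHost(frozenset({"shop.example.test", "blog.example.test"}))
    domain_tls: Dict[str, Cert] = {}
    install_on_vhost(vh, shop, domain_tls, NOW)
    apache, mail = ApacheLike([vh], default), NameBasedService(domain_tls, default)
    blog_cert = apache.select("blog.example.test")
    return {
        "apache_blog": blog_cert.name,                                   # vhost cert, mismatched
        "apache_blog_mismatch": "blog.example.test" not in blog_cert.domains,
        "mail_shop": mail.select("shop.example.test").name,              # hit in Domain TLS
        "mail_blog": mail.select("blog.example.test").name,              # service default
    }


def demo_lifecycle() -> dict:
    # Constructed scenario: expiry pruning, then a lower-grade default certificate arrives.
    ev = Cert("ev-cert", frozenset({"a.example.test"}), NOW + timedelta(days=90), "ev")
    soon = Cert("expiring", frozenset({"c.example.test"}), NOW + timedelta(hours=12))
    domain_tls = {"a.example.test": ev, "c.example.test": soon}
    pruned = daily_prune(domain_tls, NOW)
    new_default = Cert("new-default", frozenset({"a.example.test", "b.example.test"}),
                       NOW + timedelta(days=90))
    installed = install_service_default(new_default, domain_tls)
    return {"pruned": pruned, "installed": installed, "a": domain_tls["a.example.test"].name}
```

The first demo shows the operational consequence of the Apache rule: a request for the second name on the virtual host receives the virtual host’s certificate even though it does not cover that name, whereas a name-based service with no Domain TLS entry for that name falls back to the service default instead. The second demo shows the entry expiring within a day being pruned and the DV default not displacing the existing EV entry while still filling the uncovered domain.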