- We introduced the Domain TLS feature in cPanel & WHM version 60.
- On cPanel & WHM version 60.0.X and earlier, this feature stores and manages all of the server's certificates.
- On cPanel & WHM version 60.0.X+1 and newer, this feature stores and manages only the server's verified certificates.
- The Domain TLS file structure may change in future versions.
We created the Domain TLS system to store and manage the server's verified certificates in a domain-indexed repository. This system also allows faster and more efficient management of SNI services for a user's domains. The system looks up the domain, finds the necessary certificate, and retrieves that certificate, key, and CA bundle for that domain name.
How Domain TLS works
Every time you install a certificate for Apache, the system also copies the certificate into Domain TLS for each domain of the Apache virtual host that the certificate secures. So, if the certificate secures an Apache virtual host with five domains, Domain TLS contains five copies of the certificate.
As of cPanel & WHM version 60, Domain TLS handles SNI functionality for the following services:
- cpsrvd — cPanel, WHM, and Webmail logins and interfaces.
- cpdavd — Calendar, Contacts, and Web Disk services.
- exim — Mail transfer and receiving services.
- dovecot — Mailbox service.
We plan to expand Domain TLS to handle SNI functionality for more services in future versions.
Difference with Apache SSL certificate storage
Apache's SSL certificate storage groups domains into virtual hosts, which the cPanel interface refers to as "websites."
Domain TLS is a simple index that uses the domain name as the key and the certificate that the domain uses as the value.
Also, most of cPanel & WHM treats the www. subdomain as functionally equivalent to its parent domain (for example, the cPanel Store issues certificates for example.com that automatically include the www.example.com subdomain). Because TLS treats every domain as a separate entity, Domain TLS treats the www. subdomain and parent domain as separate items, and stores each as a separate entry on the index.
Finally, Domain TLS does not contain any expired or invalid certificates that the Apache SSL certificate storage contains.
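The following Python model is an added illustration of the differences described above, not cPanel & WHM code: it flattens vhost-grouped storage into a domain-keyed index and performs an exact-name SNI lookup. The `Cert` class, the helper names, the sample domains, and the rule that an entry exists only for names the certificate covers are assumptions, and only expiry stands in for the "expired or invalid" check.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    label: str            # stand-in for the certificate, key, and CA bundle
    names: frozenset      # DNS names the certificate lists
    not_after: datetime

def covers(cert, domain):
    """Exact match, or a wildcard that replaces only the left-most label."""
    if domain in cert.names:
        return True
    parent = domain.partition(".")[2]
    return bool(parent) and "*." + parent in cert.names

def build_index(vhosts, now):
    """Flatten vhost-grouped storage into a domain -> certificate index."""
    index = {}
    for domains, cert in vhosts:
        if cert.not_after <= now:
            continue                      # expired certificates are not copied
        for domain in map(str.lower, domains):
            if covers(cert, domain):
                index[domain] = cert      # one entry per secured domain
    return index

def sni_lookup(index, server_name):
    """Exact-key lookup: www.example.com and example.com are separate entries."""
    return index.get(server_name.lower().rstrip("."))

# Constructed sample data (hypothetical vhosts and certificates).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LATER = datetime(2024, 6, 1, tzinfo=timezone.utc)
SHOP = Cert("shop-cert", frozenset({"example.com", "www.example.com", "mail.example.com"}), LATER)
BARE = Cert("bare-cert", frozenset({"example.org"}), LATER)   # no www name
OLD = Cert("old-cert", frozenset({"example.net", "www.example.net"}), datetime(2023, 6, 1, tzinfo=timezone.utc))
VHOSTS = [
    (["example.com", "www.example.com", "mail.example.com"], SHOP),
    (["example.org", "www.example.org"], BARE),
    (["example.net", "www.example.net"], OLD),
]
INDEX = build_index(VHOSTS, NOW)

if __name__ == "__main__":
    for name in ("example.com", "www.example.com", "www.example.org", "example.net"):
        hit = sni_lookup(INDEX, name)
        print(f"{name:18} -> {hit.label if hit else 'no entry'}")
```

In this model, the three-domain virtual host produces three index entries for one certificate, while the `www.` name that its certificate does not list and the expired certificate produce none.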
During the upgrade to cPanel & WHM version 60, servers will automatically copy current and valid certificates from the Apache SSL certificate storage to Domain TLS storage. Domain TLS does not copy expired or invalid certificates from Apache's SSL storage. As users install, manage, and delete certificates through cPanel & WHM user interfaces or API calls, the system automatically performs the necessary updates to the Domain TLS index and certificate storage.
We do not currently provide a user interface to manage Domain TLS. However, as more services use this feature for SNI, we may investigate the need for and value of such an interface.