How to Install an SSL Certificate on Apache, Nginx & cPanel (2026)
The first time I installed an SSL certificate on a live server, I stared at three separate files in a zip folder — a .crt, a .ca-bundle, and a .key — with absolutely no idea which went where. The CA's documentation was 14 tabs deep and written for someone who already knew what they were doing. Two hours and one temporary site outage later, HTTPS was live.
Free SSL Checker
After installation verify your certificate is served correctly end-to-end.
Try It Free →2 Configure Your Virtual Host
Open your site's VirtualHost config file. On Ubuntu it's typically in /etc/apache2/sites-available/yourdomain.conf. Edit or create a 443 block:
Save the file. On Ubuntu, enable the site if it isn't already:
3 Test the Config and Reload
Never reload Apache without testing the config first. One typo in the SSL block can take your site offline.
SSLCertificateChainFile directive was deprecated in Apache 2.4.8+. On newer installs, append your CA bundle to the end of your .crt file and point SSLCertificateFile at the combined file instead.
Option B: Install SSL on Nginx
Nginx handles the certificate chain differently from Apache — it expects the certificate and the intermediate chain in a single combined file. Let's build that first:
1 Combine Certificate and Chain
2 Configure the Server Block
Edit your Nginx server block, typically found in /etc/nginx/sites-available/yourdomain:
3 Test and Reload Nginx
Option C: Install SSL via cPanel
If you're on shared hosting, you won't have SSH access. cPanel handles SSL installation through a browser interface — no terminal needed.
1 Open SSL/TLS Manager
Log into cPanel, scroll to the Security section, and click SSL/TLS. Then click Manage SSL sites under the "Install and Manage SSL for your site (HTTPS)" heading.
2 Select Your Domain and Paste the Files
Choose your domain from the dropdown. You'll see three text boxes:
- Certificate (CRT) — paste the contents of your
.crtfile - Private Key (KEY) — paste your private key
- Certificate Authority Bundle (CABUNDLE) — paste the contents of your
.ca-bundlefile
Open each file in a text editor, select everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and paste into the correct box.
3 Click Install Certificate
Hit Install Certificate. cPanel will validate the key matches the certificate and activate HTTPS. The whole process takes about 30 seconds.
Option D: Install SSL on Windows IIS
IIS requires the certificate and private key combined into a single PFX file. If your CA gave you separate .crt and .key files, you need to combine them first using OpenSSL (available via winget install ShiningLight.OpenSSL or Chocolatey).
1 Create a PFX File
Run this command in PowerShell (with OpenSSL in PATH) to combine your certificate and private key:
2 Import the PFX into Windows Certificate Store
Run PowerShell as Administrator:
3 Bind the Certificate to Your IIS Site
Alternatively, you can do this in the IIS Manager UI: select your site → Bindings → Add → Protocol: https, Port: 443, then choose the imported certificate from the SSL certificate dropdown.
Option E: Install SSL on macOS (Homebrew Apache / Nginx)
macOS ships with Apache built in, but Homebrew installs a more up-to-date version with better module support. Both use the same Apache VirtualHost syntax as Linux — only the file paths differ.
1 Install and Locate Configuration Files
2 Copy Certificate Files
3 Enable SSL and Configure the VirtualHost
In /opt/homebrew/etc/httpd/httpd.conf, uncomment the SSL module lines:
Then edit /opt/homebrew/etc/httpd/extra/httpd-ssl.conf and add a VirtualHost block — the syntax is identical to the Linux Apache config shown above, with your Homebrew paths substituted in. Then test and restart:
Setting Up the HTTPS Redirect
Installing the certificate only enables HTTPS — it doesn't automatically redirect visitors away from HTTP. You need to add a redirect rule, otherwise both http:// and https:// versions of your site will serve content, which is bad for both security and SEO.
Apache (.htaccess or VirtualHost):
Nginx (add a separate server block for port 80):
The 301 tells search engines the move is permanent, so they update their index to the HTTPS version and transfer any existing link authority.
Verify Your SSL Certificate is Working
Once you've reloaded the server, don't just open your browser and look for the padlock — that only tells you HTTPS is loading, not that the certificate chain is complete or that the configuration is strong.
Run your domain through the SSL Checker to get a full breakdown: certificate validity, expiry date, issuer chain, and whether the cert matches your domain. It surfaces problems that browsers silently accept — like a missing intermediate certificate that will break older mobile devices.
Also worth running is the TLS Scanner. It checks whether you've accidentally left weak protocols enabled (TLS 1.0, TLS 1.1) and flags known cipher vulnerabilities like POODLE or BEAST that a basic padlock check won't catch.
Common Problems After SSL Installation
Here are the errors that come up most often, and what's actually causing them:
SSL_ERROR_RX_RECORD_TOO_LONG (or blank page on port 443)
Apache is serving HTTP content on port 443 instead of HTTPS. The most common cause is that the SSL module isn't loaded, or your VirtualHost config didn't reload. Double-check with sudo apachectl -M | grep ssl.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Your SSLProtocol or ssl_protocols directive is too restrictive and the client can't negotiate a supported version. Make sure TLS 1.2 is included alongside TLS 1.3.
Certificate Works in Browser but Fails on Mobile
This is almost always a missing intermediate certificate. Older Android and iOS versions don't carry all root certificates locally and depend on the server to send the full chain. Use our SSL Checker — it shows "Chain Incomplete" when this is the case. Fix it by adding the CA bundle to your config.
Private Key Does Not Match Certificate
This happens when you generate a new CSR for a renewal but apply the new certificate against the old private key, or accidentally mix files from different domains. Use our Key Matcher to verify the key and certificate are a pair before editing any server config.
Mixed Content Warnings After HTTPS Is Active
Your page is loading over HTTPS but some assets (images, scripts, stylesheets) are still referenced with http:// URLs. The browser blocks or flags them. Search your HTML, CSS, and CMS settings for hardcoded http:// links and update them to https:// or protocol-relative // URLs.
Frequently Asked Questions
-
Do I need to restart or just reload the web server?
Reload is almost always sufficient and preferred — it applies the new config without dropping active connections. Usesystemctl reload apache2orsystemctl reload nginx. Only restart if a module change specifically requires it. -
My CA gave me a bundle file with multiple certificates inside. Is that normal?
Yes. Many CAs package the root and intermediate certificates together in one.ca-bundlefile. Apache and Nginx both handle this correctly when you point the chain directive at the bundle. You don't need to split it up. -
How long does an SSL certificate last?
As of 2024, the maximum validity period for publicly trusted SSL certificates is 398 days (just over 13 months). Let's Encrypt certificates are 90 days and auto-renew. Check your certificate's expiry date with the SSL Checker. -
Can I use the same certificate on multiple servers?
Yes, as long as the certificate covers the domain(s) in question. Copy the certificate and private key files to each server and configure them identically. For wildcard certificates, this is especially common. -
What's the difference between a certificate and a certificate chain?
Your certificate proves your domain identity. The chain (intermediate certificates) connects your certificate back to a root CA that browsers trust. Without the chain, some clients will reject the certificate even though the cert itself is valid. Read more in our guide on SSL certificate chains. -
I'm getting an error that says the certificate has already expired. I just installed it — what's wrong?
Check your server's system clock. If the server time is wrong, TLS handshakes will fail with expiry errors even on a fresh certificate. Rundateon the server and verify it matches the real time.
You're Done — Now Keep an Eye on Expiry
Getting HTTPS live is the first step. The part that catches people off guard is the certificate quietly expiring months later. When it does, browsers block your site with a hard error — no padlock, no click-through, just a red warning page.
Set a calendar reminder 30 days before your certificate expiry date. Or better yet, run periodic checks using our SSL Checker to keep tabs on the expiry date, chain validity, and configuration health. Catch issues before your users — or worse, Google — does.
Verify your SSL installation is correct
Run a full certificate check to confirm your chain is complete, expiry is set correctly, and no weak protocols are enabled.