← Back to Blog
tutorial

How to Install an SSL Certificate on Apache, Nginx & cPanel (2026)

The first time I installed an SSL certificate on a live server, I stared at three separate files in a zip folder — a .crt, a .ca-bundle, and a .key — with absolutely no idea which went where. The CA's documentation was 14 tabs deep and written for someone who already knew what they were doing. Two hours and one temporary site outage later, HTTPS was live.

🔒

Free SSL Checker

After installation verify your certificate is served correctly end-to-end.

Try It Free →

2 Configure Your Virtual Host

Open your site's VirtualHost config file. On Ubuntu it's typically in /etc/apache2/sites-available/yourdomain.conf. Edit or create a 443 block:

<VirtualHost *:443> ServerName yourdomain.com ServerAlias www.yourdomain.com DocumentRoot /var/www/yourdomain/public_html SSLEngine on SSLCertificateFile /etc/ssl/certs/yourdomain.crt SSLCertificateKeyFile /etc/ssl/private/yourdomain.key SSLCertificateChainFile /etc/ssl/certs/yourdomain.ca-bundle # Recommended: enforce TLS 1.2+ only SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite HIGH:!aNULL:!MD5 ErrorLog ${APACHE_LOG_DIR}/yourdomain_ssl_error.log CustomLog ${APACHE_LOG_DIR}/yourdomain_ssl_access.log combined </VirtualHost>

Save the file. On Ubuntu, enable the site if it isn't already:

sudo a2ensite yourdomain.conf

3 Test the Config and Reload

Never reload Apache without testing the config first. One typo in the SSL block can take your site offline.

# Test for syntax errors sudo apachectl configtest # Should output: Syntax OK # Then reload (not restart) to apply without dropping connections sudo systemctl reload apache2
Apache on CentOS note: The SSLCertificateChainFile directive was deprecated in Apache 2.4.8+. On newer installs, append your CA bundle to the end of your .crt file and point SSLCertificateFile at the combined file instead.

Option B: Install SSL on Nginx

Nginx 1.14+

Nginx handles the certificate chain differently from Apache — it expects the certificate and the intermediate chain in a single combined file. Let's build that first:

1 Combine Certificate and Chain

# Combine your cert and CA bundle into one file cat yourdomain.crt yourdomain.ca-bundle > yourdomain_combined.crt # Move files to the right locations sudo cp yourdomain_combined.crt /etc/ssl/certs/ sudo cp yourdomain.key /etc/ssl/private/ sudo chmod 600 /etc/ssl/private/yourdomain.key

2 Configure the Server Block

Edit your Nginx server block, typically found in /etc/nginx/sites-available/yourdomain:

server { listen 443 ssl; listen [::]:443 ssl; server_name yourdomain.com www.yourdomain.com; ssl_certificate /etc/ssl/certs/yourdomain_combined.crt; ssl_certificate_key /etc/ssl/private/yourdomain.key; # Strong TLS configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; # Optional but recommended: HSTS add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; root /var/www/yourdomain/public_html; index index.html index.php; }

3 Test and Reload Nginx

# Test configuration sudo nginx -t # nginx: the configuration file /etc/nginx/nginx.conf syntax is ok # nginx: configuration file /etc/nginx/nginx.conf test is successful sudo systemctl reload nginx

Option C: Install SSL via cPanel

cPanel / WHM Shared Hosting

If you're on shared hosting, you won't have SSH access. cPanel handles SSL installation through a browser interface — no terminal needed.

1 Open SSL/TLS Manager

Log into cPanel, scroll to the Security section, and click SSL/TLS. Then click Manage SSL sites under the "Install and Manage SSL for your site (HTTPS)" heading.

2 Select Your Domain and Paste the Files

Choose your domain from the dropdown. You'll see three text boxes:

  • Certificate (CRT) — paste the contents of your .crt file
  • Private Key (KEY) — paste your private key
  • Certificate Authority Bundle (CABUNDLE) — paste the contents of your .ca-bundle file

Open each file in a text editor, select everything including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, and paste into the correct box.

3 Click Install Certificate

Hit Install Certificate. cPanel will validate the key matches the certificate and activate HTTPS. The whole process takes about 30 seconds.

Let's Encrypt on cPanel: Many hosts now offer AutoSSL, which installs and renews Let's Encrypt certificates automatically. Check under cPanel → SSL/TLS → Manage AutoSSL. If it's available, it's the easiest path.

Option D: Install SSL on Windows IIS

Windows Server 2016+ IIS 10

IIS requires the certificate and private key combined into a single PFX file. If your CA gave you separate .crt and .key files, you need to combine them first using OpenSSL (available via winget install ShiningLight.OpenSSL or Chocolatey).

1 Create a PFX File

Run this command in PowerShell (with OpenSSL in PATH) to combine your certificate and private key:

openssl pkcs12 -export ` -out yourdomain.pfx ` -inkey yourdomain.key ` -in yourdomain.crt ` -certfile yourdomain.ca-bundle # You will be prompted to set an export password — note it down for the next step

2 Import the PFX into Windows Certificate Store

Run PowerShell as Administrator:

$password = ConvertTo-SecureString "yourExportPassword" -AsPlainText -Force Import-PfxCertificate ` -FilePath "C:\inetpub\ssl\yourdomain.pfx" ` -CertStoreLocation Cert:\LocalMachine\My ` -Password $password # Get the thumbprint of the imported certificate: Get-ChildItem Cert:\LocalMachine\My | ` Where-Object {$_.Subject -like "*yourdomain*"} | ` Select-Object Thumbprint, Subject, NotAfter

3 Bind the Certificate to Your IIS Site

Import-Module WebAdministration # Add HTTPS binding to your site (replace "Default Web Site" with your site name) New-WebBinding -Name "Default Web Site" -Protocol https -Port 443 -HostHeader "yourdomain.com" # Assign the certificate (replace THUMBPRINT_HERE with the thumbprint from step 2) $thumbprint = "THUMBPRINT_HERE" $cert = Get-Item "Cert:\LocalMachine\My\$thumbprint" $binding = Get-WebBinding -Name "Default Web Site" -Protocol https -Port 443 $binding.AddSslCertificate($cert.Thumbprint, "My") # Verify Get-WebBinding -Name "Default Web Site"

Alternatively, you can do this in the IIS Manager UI: select your site → BindingsAdd → Protocol: https, Port: 443, then choose the imported certificate from the SSL certificate dropdown.

No config file to edit: Unlike Apache and Nginx, IIS stores SSL configuration in the Windows Certificate Store and Application Host Config — not in text files. The PowerShell commands above handle both, and the changes take effect immediately without a service restart.

Option E: Install SSL on macOS (Homebrew Apache / Nginx)

macOS 12+ Homebrew

macOS ships with Apache built in, but Homebrew installs a more up-to-date version with better module support. Both use the same Apache VirtualHost syntax as Linux — only the file paths differ.

1 Install and Locate Configuration Files

# Install Apache or Nginx via Homebrew (if not already installed) brew install httpd # Apache # OR brew install nginx # Nginx # Homebrew Apache config paths: # Main config: /opt/homebrew/etc/httpd/httpd.conf # SSL config: /opt/homebrew/etc/httpd/extra/httpd-ssl.conf # Default certs: /opt/homebrew/etc/httpd/ssl/ # Homebrew Nginx config paths: # Main config: /opt/homebrew/etc/nginx/nginx.conf # Sites: /opt/homebrew/etc/nginx/servers/

2 Copy Certificate Files

sudo mkdir -p /opt/homebrew/etc/httpd/ssl sudo cp yourdomain.crt /opt/homebrew/etc/httpd/ssl/ sudo cp yourdomain.key /opt/homebrew/etc/httpd/ssl/ sudo cp yourdomain.ca-bundle /opt/homebrew/etc/httpd/ssl/ sudo chmod 600 /opt/homebrew/etc/httpd/ssl/yourdomain.key

3 Enable SSL and Configure the VirtualHost

In /opt/homebrew/etc/httpd/httpd.conf, uncomment the SSL module lines:

# Uncomment these two lines in httpd.conf: # LoadModule ssl_module lib/httpd/modules/mod_ssl.so # Include /opt/homebrew/etc/httpd/extra/httpd-ssl.conf

Then edit /opt/homebrew/etc/httpd/extra/httpd-ssl.conf and add a VirtualHost block — the syntax is identical to the Linux Apache config shown above, with your Homebrew paths substituted in. Then test and restart:

# Test config httpd -t # Restart Homebrew Apache brew services restart httpd # For Nginx — syntax is identical to the Linux Nginx config above: nginx -t && brew services restart nginx

Setting Up the HTTPS Redirect

Installing the certificate only enables HTTPS — it doesn't automatically redirect visitors away from HTTP. You need to add a redirect rule, otherwise both http:// and https:// versions of your site will serve content, which is bad for both security and SEO.

Apache (.htaccess or VirtualHost):

# Add to .htaccess or inside the *:80 VirtualHost block RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Nginx (add a separate server block for port 80):

server { listen 80; listen [::]:80; server_name yourdomain.com www.yourdomain.com; return 301 https://$server_name$request_uri; }

The 301 tells search engines the move is permanent, so they update their index to the HTTPS version and transfer any existing link authority.

Verify Your SSL Certificate is Working

Once you've reloaded the server, don't just open your browser and look for the padlock — that only tells you HTTPS is loading, not that the certificate chain is complete or that the configuration is strong.

Run your domain through the SSL Checker to get a full breakdown: certificate validity, expiry date, issuer chain, and whether the cert matches your domain. It surfaces problems that browsers silently accept — like a missing intermediate certificate that will break older mobile devices.

Also worth running is the TLS Scanner. It checks whether you've accidentally left weak protocols enabled (TLS 1.0, TLS 1.1) and flags known cipher vulnerabilities like POODLE or BEAST that a basic padlock check won't catch.

Common Problems After SSL Installation

Here are the errors that come up most often, and what's actually causing them:

SSL_ERROR_RX_RECORD_TOO_LONG (or blank page on port 443)

Apache is serving HTTP content on port 443 instead of HTTPS. The most common cause is that the SSL module isn't loaded, or your VirtualHost config didn't reload. Double-check with sudo apachectl -M | grep ssl.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Your SSLProtocol or ssl_protocols directive is too restrictive and the client can't negotiate a supported version. Make sure TLS 1.2 is included alongside TLS 1.3.

Certificate Works in Browser but Fails on Mobile

This is almost always a missing intermediate certificate. Older Android and iOS versions don't carry all root certificates locally and depend on the server to send the full chain. Use our SSL Checker — it shows "Chain Incomplete" when this is the case. Fix it by adding the CA bundle to your config.

Private Key Does Not Match Certificate

This happens when you generate a new CSR for a renewal but apply the new certificate against the old private key, or accidentally mix files from different domains. Use our Key Matcher to verify the key and certificate are a pair before editing any server config.

Mixed Content Warnings After HTTPS Is Active

Your page is loading over HTTPS but some assets (images, scripts, stylesheets) are still referenced with http:// URLs. The browser blocks or flags them. Search your HTML, CSS, and CMS settings for hardcoded http:// links and update them to https:// or protocol-relative // URLs.

Frequently Asked Questions

  • Do I need to restart or just reload the web server?
    Reload is almost always sufficient and preferred — it applies the new config without dropping active connections. Use systemctl reload apache2 or systemctl reload nginx. Only restart if a module change specifically requires it.
  • My CA gave me a bundle file with multiple certificates inside. Is that normal?
    Yes. Many CAs package the root and intermediate certificates together in one .ca-bundle file. Apache and Nginx both handle this correctly when you point the chain directive at the bundle. You don't need to split it up.
  • How long does an SSL certificate last?
    As of 2024, the maximum validity period for publicly trusted SSL certificates is 398 days (just over 13 months). Let's Encrypt certificates are 90 days and auto-renew. Check your certificate's expiry date with the SSL Checker.
  • Can I use the same certificate on multiple servers?
    Yes, as long as the certificate covers the domain(s) in question. Copy the certificate and private key files to each server and configure them identically. For wildcard certificates, this is especially common.
  • What's the difference between a certificate and a certificate chain?
    Your certificate proves your domain identity. The chain (intermediate certificates) connects your certificate back to a root CA that browsers trust. Without the chain, some clients will reject the certificate even though the cert itself is valid. Read more in our guide on SSL certificate chains.
  • I'm getting an error that says the certificate has already expired. I just installed it — what's wrong?
    Check your server's system clock. If the server time is wrong, TLS handshakes will fail with expiry errors even on a fresh certificate. Run date on the server and verify it matches the real time.

You're Done — Now Keep an Eye on Expiry

Getting HTTPS live is the first step. The part that catches people off guard is the certificate quietly expiring months later. When it does, browsers block your site with a hard error — no padlock, no click-through, just a red warning page.

Set a calendar reminder 30 days before your certificate expiry date. Or better yet, run periodic checks using our SSL Checker to keep tabs on the expiry date, chain validity, and configuration health. Catch issues before your users — or worse, Google — does.


Verify your SSL installation is correct

Run a full certificate check to confirm your chain is complete, expiry is set correctly, and no weak protocols are enabled.