Securing Your Site: Installing and Managing SSL/TLS Certificates (HTTPS)
An SSL/TLS certificate is essential for encrypting the connection between your user's browser and your website, protecting data and enabling secure HTTPS access. This guide covers the process of installing and managing these certificates within cPanel.
Part 1: Accessing the SSL/TLS Manager
- Log in to your cPanel account using your standard credentials.
- Navigate to the Security section on the cPanel home page.
- Click on the SSL/TLS link. This tool manages certificate signing requests (CSRs), private keys, and certificate installation.
Part 2: Installing the Certificate (Standard Method)
- If your host provides a free SSL solution (like AutoSSL or Let's Encrypt), look for the Manage AutoSSL link and ensure the service is active for your domain. This is the easiest and recommended method.
- If you purchased a certificate from a third party, click on the Manage SSL Sites link under the Installation section.
- Paste the Certificate (CRT) code provided by your issuer into the field labeled Certificate: (CRT). The system may attempt to auto-fill the other fields.
- If auto-filling fails, you may need to separately paste your Private Key (KEY) and the Certificate Authority Bundle (CABUNDLE), which contains intermediate certificates.
- Select the domain you are securing from the dropdown menu, ensuring the system links it to the correct key.
- Click the Install Certificate button to finalize the installation.
Part 3: Troubleshooting and Best Practices
**Advice on Forcing HTTPS:**
After successfully installing the SSL certificate, your site might still load on HTTP by default. To prevent visitors from seeing an insecure connection warning, you must enforce HTTPS. The best way to do this is by adding a permanent 301 redirect rule to your site's .htaccess file. This ensures all traffic is automatically routed to the secure version of your site.
**Handling Mixed Content Errors:**
If your site shows a partial lock icon or an insecure warning after installation, you likely have a Mixed Content error. This means the main page is loaded over HTTPS, but some resources (like images, CSS files, or JavaScript files) are still being loaded using insecure HTTP links.
**Solution:** You must audit your theme, plugins, and custom code to ensure all internal URLs use relative paths or are explicitly set to use HTTPS (e.g., changing "http://yourdomain.com/image.jpg" to "https://yourdomain.com/image.jpg"). Content Management Systems like WordPress often have plugins that can automatically fix these links in the database.
**Certificate Expiration:**
Free certificates (like those from AutoSSL) usually renew automatically, but manually installed certificates have fixed expiration dates (usually 1 year). Set a calendar reminder to renew any manually installed certificates at least two weeks before their expiration date to avoid service disruption and visitor warnings.
