bg-tutorials

How to Generate a CSR in WHM

This guide shows you how to generate a CSR in WHM (Web Host Manager), the server-level control panel that sits above the individual cPanel accounts.

WHM creates the CSR, the matching private key, and a self-signed certificate in one step, then stores all three in the SSL Storage Manager for retrieval. The same form works for single-domain, wildcard, and multi-domain (SAN) certificates.

You must be logged in as the root administrator (or a reseller with the right ACL) to reach the SSL menus. If you only have access to a single cPanel account, follow the cPanel CSR guide instead.

Generate the CSR in WHM

If you already generated your CSR with another tool, skip to the WHM SSL installation instructions. Otherwise, follow the steps below. The labels match the current cPanel & WHM interface (v136 RELEASE tier and v110 Extended Lifecycle Support in mid-2026).

Step 1: Open the SSL form

  1. Log in to your WHM dashboard.
  2. In the search box at the top left, type SSL.
  3. Under the SSL/TLS group, click Generate an SSL Certificate and Signing Request.

This single form produces three artifacts: the CSR you send to your Certificate Authority, the matching private key, and a self-signed certificate. You only need the CSR and the key. The self-signed certificate is created automatically but is not trusted by browsers and is safe to ignore.

Step 2: Choose a key type

At the top of the form, the Key section controls how the private key is created:

  • Generate a new 2,048 bit key (recommended for most sites). WHM creates a fresh RSA-2048 private key, pairs it with the CSR, and stores the key in the SSL Storage Manager. RSA-2048 is the CA/Browser Forum baseline and the size every CA and client supports.
  • Generate a new 4,096 bit key. Allowed by every public CA, but it doubles handshake CPU cost without a meaningful security gain over RSA-2048 for public TLS. Pick it only when an internal policy requires it.
  • Use an existing key. Pick this if you already created a key in WHM and want to reuse it, for example to issue a replacement certificate without rotating the key. Recent WHM releases also list ECDSA (elliptic curve) keys here if you have any.

Leave the default unless you have a specific reason to change it.

Step 3: Enter the domain(s) you want to secure

In the Domains field, enter the Fully Qualified Domain Name (FQDN) you want the certificate to cover. Enter one hostname per line for multi-domain certificates, or use a wildcard prefix for a wildcard. For example:

www.example.com

If you ordered a different certificate type, adjust the entry:

  • Wildcard certificate: put an asterisk in front of the apex domain to cover every first-level subdomain. For example: If you need both the apex and the wildcard on one certificate, list both:
    *.example.com
    example.com
    *.example.com
  • Multi-domain (SAN) certificate: enter every hostname the certificate must cover, one per line. WHM writes them into the CSR as Subject Alternative Names. For example:
    www.example.com
    example.com
    shop.example.com
    mail.example.com

The first hostname becomes the certificate’s Common Name; the rest go into the SAN extension. List only hostnames you actually control and intend to validate with the CA.

Step 4: Fill in the organization details

Complete the remaining fields. For a Domain Validation (DV) certificate these values are not verified, but the CA still requires them, so fill them out accurately so the issued certificate looks correct to anyone who inspects it. For an Organization Validation (OV) or Extended Validation (EV) certificate, the CA cross-checks them against public business registries, and any mismatch delays issuance.

  • City: the full name of the city where your organization is registered, for example Seattle. Do not abbreviate.
  • State: the full name of the state, province, or region, for example Washington. Do not abbreviate.
  • Country: from the drop-down, select the country where the organization is legally based.
  • Company Name: the official legal name of the business that owns the domain (for example, GPI Holding LLC). For a DV certificate ordered by an individual, enter your full name. Do not enter the domain name here.
  • Company Division (Organizational Unit): the CA/Browser Forum has deprecated this field in public TLS certificates, so most CAs strip it from the issued certificate. Leave it blank or enter NA.
  • Email: a contact address for the request. Modern public TLS certificates do not carry the email in the Subject, but the CA may use it for order correspondence. If you tick the WHM checkbox “When complete, email me the certificate, key, and CSR”, this is also the address WHM sends them to.
  • Passphrase: leave blank. A passphrase here is stored unencrypted alongside the request and serves no security purpose; most CAs reject CSRs that include one. Skip it unless your CA has explicitly asked for one.
  • Description: optional, for your own records. Leave it blank or note something like www.example.com 2026 renewal.

Step 5: Create the request

Double-check the form, then click Create. WHM displays the encoded CSR, the matching private key, and a self-signed certificate in three text boxes. The CSR block looks like this:

-----BEGIN CERTIFICATE REQUEST-----
MIIC2zCCAcMCAQAwgZUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
...base64 content of your CSR...
EE9aJDxhWjEFqYdxPpJv3yhT/4M3xZJP0YuVqYU3MA==
-----END CERTIFICATE REQUEST-----

Select the entire block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines (each marker has five hyphens on either side), and copy it. Paste it into the CSR field when you order or reissue your certificate with your Certificate Authority. Before you submit, sanity-check the CSR with our CSR Decoder to confirm the common name, SAN list, key size, and signature algorithm are what you expect.

Step 6: Save the private key

The private key is the secret half of your certificate. You need it later to install the issued certificate, and only you should ever have a copy. WHM keeps it in two places so you can retrieve it without re-running the form:

  • In the WHM interface, under SSL/TLS > SSL Storage Manager. Click the magnifying glass next to your key to view it, or the download icon to save it as a file.
  • On disk, under /var/cpanel/ssl/system/ on the server, with the CSR in the csrs/ subfolder, the certificate in certs/, and the private key in keys/.

Do not delete the key while the certificate is still in use. If you lose it, you cannot install the issued certificate, and you will need to reissue with a fresh CSR.

After the CA validates the CSR and issues the certificate, continue with the WHM SSL installation instructions.

When you do not need a CSR: AutoSSL

If you only need a Domain Validated certificate, WHM can issue and renew one for free with AutoSSL, and AutoSSL handles the CSR and private key for you in the background. Open SSL/TLS > Manage AutoSSL, choose a provider on the Providers tab, accept its Terms of Service, and click Save. AutoSSL then issues certificates for the accounts you enable and renews them before they expire.

The default provider has changed. Through cPanel & WHM version 116, the default was the cPanel provider powered by Sectigo, with Let’s Encrypt as a one-click alternative. cPanel deprecated the Sectigo provider in version 118 and removed it entirely in version 120 (late 2024). Let’s Encrypt is now the only built-in AutoSSL provider and the recommended choice on every supported release.

Generate a CSR by hand only when you have purchased a certificate (Organization Validation, Extended Validation, wildcard, or multi-domain across accounts) or when your CA requires a CSR for reissue.

Frequently Asked Questions

Where does WHM store the CSR and private key after I generate them?

WHM stores both in the SSL Storage Manager (WHM > SSL/TLS > SSL Storage Manager), grouped together with the self-signed certificate so you can find them by domain. On disk, the files live under /var/cpanel/ssl/system/, with the CSR in the csrs/ subfolder, the certificate in certs/, and the private key in keys/. You do not need to copy them anywhere; WHM reads them from there when you install the issued certificate.

How do I create a CSR for a wildcard or multi-domain certificate in WHM?

Use the same form. For a wildcard, enter the hostname with an asterisk in front of the apex domain, for example *.example.com. If you need both the apex and the wildcard on one certificate, list both lines (example.com and *.example.com). For a multi-domain (SAN) certificate, list every hostname in the Domains box one per line; WHM writes them into the CSR as Subject Alternative Names. Only list hostnames you actually control and are willing to validate with the CA.

What is the self-signed certificate WHM shows me on the result page?

WHM generates a self-signed certificate at the same time as the CSR so you have something to test with locally if you want. It is not trusted by browsers and is not what you serve in production. Save the CSR (to send to the CA) and the private key (to install the issued certificate later), and ignore the self-signed certificate.

Should I set a passphrase on the WHM CSR?

No. The WHM CSR Passphrase field stores the passphrase unencrypted alongside the request, so it adds no real security and most Certificate Authorities reject CSRs that contain one. Leave it blank unless your CA has explicitly told you to set one.

Do I need a CSR if I plan to use AutoSSL?

No. AutoSSL issues free Domain Validated certificates automatically and handles the CSR and private key for you. Generate a CSR by hand only when you are buying a paid certificate (Organization Validation, Extended Validation, wildcard, or multi-domain across accounts) or when your CA requires a CSR for a reissue.

How do I generate a CSR for the WHM server hostname certificate?

Use the same form: in WHM, go to SSL/TLS > Generate an SSL Certificate and Signing Request, and enter the server hostname (for example server.example.com) in the Domains field. Submit the resulting CSR to your CA, then install the issued certificate from SSL/TLS > Manage Service SSL Certificates. On most modern installs you can skip this step entirely: enable AutoSSL and it will issue and renew the hostname certificate automatically, as long as the hostname is a fully qualified domain name that resolves to the server’s main public IP address.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.