This guide shows you how to install an SSL certificate on the Alpha Five application server and on its current successor, the Alpha Anywhere Classic Application Server. Alpha Software renamed Alpha Five to Alpha Anywhere at version 12, and the SSL settings panel is essentially the same in both: an SSL tab in the Application Server Settings window where you point the server at your certificate file, private key, and certificate chain.
If you maintain a legacy Alpha Five v10 or v11 deployment, the steps below match your Application Server Settings window. If you are on current Alpha Anywhere, the same SSL tab still applies, plus modern options for the minimum TLS protocol version and HTTP Strict Transport Security (HSTS) that we cover near the end.
Generate the CSR code on Alpha Five
If you have already generated your CSR and received the issued SSL files from your Certificate Authority, skip ahead to Install the SSL certificate on Alpha Five.
The CSR (Certificate Signing Request) is a block of encoded text that contains the details of the domain you want to secure and a public key. The Certificate Authority uses the CSR to issue a matching certificate. You have two options:
- Generate the CSR automatically with our CSR Generator. This is the simplest path if you do not need the private key to be generated on the server itself.
- Generate the CSR on the Alpha server, where the private key never leaves the machine, by following our tutorial on how to generate a CSR on Alpha Five. The Application Server has a built-in Generate a CSR (Certificate Signing Request) button on the SSL tab that creates the CSR and the matching private key for you.
Submit the CSR during your order. The CA validates the request and, once approved, issues your certificate and emails the files to you. Continue with the installation below.
Install the SSL certificate on Alpha Five
After your CA issues the certificate, download the ZIP archive and extract its contents on the server. You should have at least three files: your primary certificate (typically your_domain_com.crt or .cer), the intermediate / CA bundle from the CA, and the private key created during CSR generation (the .key file).
Step 1: Open the SSL tab in Application Server Settings
- Launch the Alpha Application Server Control Panel (on Alpha Anywhere this is the Classic Application Server).
- Open Application Server Settings and select the SSL tab.
- Tick the Enable SSL (or Enable TLS/SSL) checkbox at the top of the tab.
By default the SSL listener uses port 443. If you change it (for example to 444 because port 443 is already in use), clients will need to include the port in the URL, such as https://example.com:444.
Step 2: Point the server at your certificate and private key
- Click the folder icon on the right of the SSL Certificate File box and browse to your server certificate (the your_domain_com.crt file the CA issued). The Application Server expects an X.509 PEM-encoded certificate; if the CA only lists server compatibility instead of formats, choose the Apache-compatible certificate.
- Click the folder icon in the Private Key File box and browse to the private key you created during CSR generation.
- If you set a passphrase on the key, enter it in the Private Key Password box. Leave it blank if the key has no passphrase.
Step 3: Build and assign the certificate chain
Public certificates rely on a trust chain back to a root CA. If your CA sent more than one intermediate certificate file (commonly named with suffixes such as CA1, CA2, or intermediate.crt), concatenate them into a single PEM file in chain order, leaf-closest first. Open each file in a plain text editor and paste them back-to-back into one new file:
-----BEGIN CERTIFICATE-----
<contents of first intermediate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<contents of second intermediate (root-closest)>
-----END CERTIFICATE-----
Save the combined file with a clear name, for example yourCAname-chain.pem. In the SSL tab, click the folder icon next to Certificate Chain File and select that combined file. Leave the chain field empty if your CA shipped a single bundled intermediate file. Click Save when done.
On Linux or macOS you can produce the same combined file in one command:
cat intermediate1.crt intermediate2.crt > yourCAname-chain.pem
Step 4: Restart the Application Server
Restart the Alpha Application Server (or the service if you are running it as a Windows service) so the new TLS settings take effect. Open https://yourdomain.com in a browser to confirm the padlock is present and the certificate matches your hostname.
Harden the configuration (Alpha Anywhere)
Current Alpha Anywhere builds add two settings to the SSL tab that you should review:
- Minimum Protocol Version. Set this to TLS 1.2 at a minimum. TLS 1.0 and 1.1 are deprecated by every major browser and CA. If your client base supports it, set the minimum to TLS 1.3 for the strongest negotiation. Note that selecting TLS 1.3 disables TLS 1.2; older clients that do not support 1.3 will fail to connect, so verify your audience first.
- HTTP Strict Transport Security (HSTS). Enable HSTS so browsers refuse to fall back to HTTP. Set a Maximum Age in seconds (start small while you test, then raise to 31536000, or one year, for production). Tick Include subdomains only when every subdomain is served over HTTPS, and tick Preload only if you intend to submit the domain to the browser preload lists.
For public deployments you can also place a modern reverse proxy such as nginx, Apache, IIS, or Caddy in front of the Alpha Application Server. Terminate TLS on the proxy and forward plain HTTP to the Application Server on the loopback interface. This pattern simplifies certificate rotation, gives you ACME-based renewal with Let’s Encrypt, and keeps the Application Server isolated from the public network.
Test the SSL installation
After installing, open your site over https:// and check the padlock, then run a deeper external scan with our SSL Checker. The report flags chain problems, hostname mismatches, expired or self-signed certificates, and weak protocol or cipher choices, so you catch issues before users do.
You can also query the listener directly from the command line to confirm the certificate the server presents and the negotiated protocol:
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com < /dev/null \
| openssl x509 -noout -issuer -subject -dates
Frequently asked questions
Alpha Software rebranded Alpha Five to Alpha Anywhere at version 12. Active development happens on Alpha Anywhere, which still ships the same Classic Application Server engine and the same SSL settings tab documented above. Legacy Alpha Five v10 and v11 deployments still work and accept current X.509 certificates, but for new installs use current Alpha Anywhere so you get the modern Minimum Protocol Version and HSTS options.
An X.509 certificate in PEM format (a base64-encoded text file that starts with —–BEGIN CERTIFICATE—–). If your Certificate Authority lists server platforms instead of formats, choose the Apache-compatible download. PFX or PKCS#12 bundles are not consumed directly; if that is all you have, convert the bundle to a separate certificate and key file first, for example with our SSL conversion tools.
Browsers and API clients build a trust chain from your server certificate up to a root CA they already trust. If the intermediate certificates between your certificate and that root are missing, some clients (especially mobile apps, older browsers, and command-line tools) will report an untrusted or incomplete chain even though the certificate itself is valid. Always populate the Certificate Chain File field with the intermediate(s) your CA provides.
Yes. The Alpha Application Server reads the TLS settings at startup, so restart the server (or its Windows service) after saving changes on the SSL tab. The same applies when you rotate or renew the certificate.
Yes, and for production it is the cleaner pattern. Terminate TLS on a modern reverse proxy and forward plain HTTP to the Alpha Application Server on the local loopback. The proxy handles HTTPS, HTTP-to-HTTPS redirects, HSTS, and certificate renewal (including ACME with Let’s Encrypt), while the Application Server focuses on the application itself.
Set Minimum Protocol Version to TLS 1.2 for the broadest compatibility, or TLS 1.3 for the strongest security if your audience uses modern browsers and clients. TLS 1.0 and 1.1 should not be used on any public-facing site. If you select TLS 1.3, test with the clients your users actually run before going live, since selecting 1.3 disables 1.2 on the listener.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


