bg-tutorials

How to Install an SSL certificate on CWP

This tutorial shows you how to install an SSL certificate on CWP (Control Web Panel), the hosting control panel formerly known as CentOS Web Panel. You can install a certificate two ways: paste a certificate you bought from a Certificate Authority into the Manual Install tab, or let CWP issue and auto-renew a free Let’s Encrypt certificate with AutoSSL. We cover both below, plus where to buy the right certificate for your site.

We also recorded a video that walks you through the entire process. You can watch it, read the instructions below, or do both.

Generate the CSR code on CWP

If you’ve already applied for your SSL certificate and downloaded the SSL files, skip the CSR section and jump straight to the installation instructions.

A Certificate Signing Request (CSR) is a block of encoded text containing details about your organization and the domain you want to secure. The Certificate Authority needs it to issue your SSL certificate. You have two options:

Open the CSR file with a text editor and copy its entire contents into your SSL order form. CWP saves the matching private key automatically. You’ll find it in the Private Key tab of your CWP dashboard, stored in the /etc/pki/tls/private/ directory.

Note: If you’d rather skip buying a certificate and use a free, auto-renewing one, you don’t need a CSR at all. Jump to the AutoSSL (Let’s Encrypt) section.

Install the SSL certificate on CWP

After the Certificate Authority validates your request, it emails you the SSL files. Download the archive and extract it on your computer. You should have your certificate (a .crt file), the CA bundle (intermediate certificates), and the private key you generated with the CSR. Then follow the steps below.

  • Log in to your CWP admin area and click WebServer Settings in the left-hand navigation menu. (In older CWP versions this menu is labeled Apache Settings.)
  • From the expanded menu, select SSL Certificates, then switch to the Manual Install tab.
  • From the drop-down list next to Domain, choose the domain name you want to secure.
  • Copy the certificate code your CA sent you, including the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines, and paste it into the Certificate box. This code lives in the file with the .crt extension.
  • Paste the private key generated with your CSR into the Private Key box, including the —–BEGIN PRIVATE KEY—– header and —–END PRIVATE KEY—– footer.
  • Copy and paste the chain of intermediate certificates (the CA Bundle) into the Certificate Authority box. If you didn’t receive a CA bundle, click the Generate Intermediate Certificates button instead.
  • To confirm the certificate matches your private key, click Validate Certificate, then click Save.

For reference, the certificate and key you paste should look like the PEM-encoded blocks below. Each begins and ends with five dashes on either side of the label:

-----BEGIN CERTIFICATE-----
MIIF...your certificate data...AB
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
MIIE...your private key data...cd
-----END PRIVATE KEY-----

Congratulations, you’ve successfully installed an SSL certificate on CWP. CWP applies the change to Apache for you, so there’s no need to restart the web server manually.

Free SSL with AutoSSL (Let’s Encrypt)

If you don’t need the extended validation or warranty of a paid certificate, CWP can issue a free Let’s Encrypt certificate and renew it automatically. This is the simplest option for most websites because there’s no CSR, no files to paste, and no manual renewal.

  • In the CWP admin area, open WebServer SettingsSSL Certificates and switch to the AutoSSL tab.
  • Select the domain (and its www alias, addon domains, or subdomains) you want to secure.
  • Click Install SSL. CWP requests the certificate from Let’s Encrypt and installs it on the domain.

Let’s Encrypt certificates are valid for 90 days, and CWP renews them automatically about 30 days before expiry, so once AutoSSL is enabled, you can leave it alone. For the panel’s own login URL, install a separate hostname SSL certificate from the same SSL Certificates screen.

Test your SSL installation

After installing the certificate, run an SSL scan to confirm the chain is complete and catch any configuration errors or vulnerabilities. The fastest check is to open your site with https:// and look for the padlock, but a scanner gives you the full picture. See our SSL checker for testing a certificate.

If you have SSH access to the server, you can also read the certificate CWP is serving directly from the command line:

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -dates

This prints the certificate’s issuer and validity dates, confirming the right certificate is live.

Where to buy the best SSL certificate for CWP?

SSL Dragon is your source for all your SSL needs. We offer some of the lowest prices on the market across our entire range of SSL products, and we’ve partnered with the best SSL brands in the industry for strong security and dedicated support. All our SSL certificates are compatible with CWP.

To help you choose, we built a couple of handy tools: our SSL Wizard recommends the best certificate for your project.

Frequently Asked Questions

Is CWP the same as CentOS Web Panel?

Yes. Control Web Panel (CWP) is the current name for the panel that used to be called CentOS Web Panel. It was renamed after CentOS 7 reached end of life in June 2024; the panel now runs on RHEL-compatible distributions such as AlmaLinux and Rocky Linux. The SSL installation steps are the same regardless of which name your version uses.

Where do I install an SSL certificate in CWP?

In the CWP admin panel, open WebServer Settings (or Apache Settings in older versions) and select SSL Certificates. Use the Manual Install tab for a certificate you purchased, or the AutoSSL tab for a free Let’s Encrypt certificate.

Do I need to restart Apache after installing the certificate?

No. When you click Save in the Manual Install tab (or Install SSL in AutoSSL), CWP writes the configuration and reloads the web server for you. If HTTPS still doesn’t respond after a minute, re-check that you pasted the certificate, key, and CA bundle into the correct boxes.

What if I didn’t receive a CA bundle from my Certificate Authority?

In the Manual Install tab, leave the Certificate Authority box empty and click Generate Intermediate Certificates. CWP builds the correct intermediate chain for you. Installing without a complete chain causes “certificate not trusted” errors in some browsers, so don’t skip this step.

Where is my private key stored in CWP?

When you generate a CSR in CWP, the matching private key is saved automatically in the /etc/pki/tls/private/ directory and shown in the Private Key tab of your dashboard. Copy it from there to paste into the Manual Install form.

Should I use AutoSSL or a paid certificate?

AutoSSL (Let’s Encrypt) is free and renews automatically, which is ideal for blogs, small sites, and subdomains. Choose a paid certificate when you need Organization or Extended Validation, a warranty, longer support, or a wildcard backed by a commercial CA. Both install through the same SSL Certificates screen in CWP.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been building and managing websites for over 20 years, with a heavy focus on the technical side of the cybersecurity, VPN, and SaaS industries. I know how sites are built from the ground up, which means I know how to secure them. Here at SSL Dragon, I write about web architecture, encryption, and keeping your infrastructure safe.