bg-tutorials

How to Install an SSL certificate on ISPConfig

In this tutorial, you will learn how to install an SSL certificate on ISPConfig. ISPConfig manages SSL per website: you open the site in the panel, go to its SSL tab, and paste the certificate, private key, and CA bundle into the matching fields. You can also let ISPConfig issue and auto-renew a free Let’s Encrypt certificate with a single checkbox. We cover both methods below.

Generate the CSR on ISPConfig

If you’ve already generated the CSR and received your certificate from the CA, skip the first section and go straight to the installation steps.

A Certificate Signing Request (CSR) is a block of encoded text containing details about your website and organization. The Certificate Authority needs it to issue your SSL certificate. You have two options:

If you generate the CSR inside ISPConfig, open the site’s SSL tab, fill in the state, country, and other organization fields, set SSL Action to Create Certificate, and save. ISPConfig writes the request into the SSL Request field and the matching private key into the SSL Key field. Copy the entire contents of the SSL Request field, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines, and paste it into your SSL order form.

Note: leave the auto-generated private key in the SSL Key field untouched until your certificate is issued. The certificate the CA returns only works with the exact key created alongside the CSR. If you’d rather skip buying a certificate and use a free, auto-renewing one, you don’t need a CSR at all: jump to the Let’s Encrypt section.

Install an SSL certificate on ISPConfig

After the Certificate Authority validates your request, it emails you the SSL files. Download the ZIP archive and extract it on your computer. You should have:

  • yourdomain.crt, your primary SSL certificate.
  • yourdomain.ca-bundle, the root and intermediate certificates (the CA bundle).
  • yourdomain.key, the private key generated with your CSR. If you created the CSR inside ISPConfig, this key is already in the SSL Key field and you can leave that field as it is.

Open each file with a plain-text editor (such as Notepad) so you can copy the contents. Then log in to the ISPConfig control panel and follow these steps:

  • From the top navigation, open Sites.
  • Click the domain name you want to secure.
  • Open the SSL tab. (If the SSL tab is missing, first enable SSL on the Domain tab and save.)
  • In the SSL Key field, paste your private key, including the —–BEGIN PRIVATE KEY—– and —–END PRIVATE KEY—– lines. If ISPConfig generated the CSR, the correct key is already here, so leave it unchanged.
  • In the SSL Certificate field, delete any pre-filled text and paste your primary certificate, including the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines. This is the file with the .crt extension.
  • In the SSL Bundle field, paste the full CA bundle (the chain of intermediate certificates). Copy and paste the entire contents of the .ca-bundle file.
  • Next to SSL Action, select Save Certificate, then click Save.

For reference, the certificate, key, and bundle you paste are PEM-encoded blocks. Each begins and ends with five dashes on either side of the label, like this:

-----BEGIN CERTIFICATE-----
MIIF...your certificate data...AB
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
MIIE...your private key data...cd
-----END PRIVATE KEY-----

That’s it. ISPConfig writes the certificate to the server and reloads the web server for you, so there’s no need to restart anything by hand. Your site is now reachable over HTTPS.

Free SSL with Let’s Encrypt

If you don’t need the organization validation or warranty of a paid certificate, ISPConfig can issue a free Let’s Encrypt certificate and renew it automatically. This is the simplest option for most websites because there’s no CSR, no files to paste, and no manual renewal. ISPConfig 3.2 and newer has Let’s Encrypt built in.

  • Open Sites and click the domain you want to secure.
  • On the Domain tab, tick the SSL checkbox and the Let’s Encrypt SSL checkbox.
  • Click Save. ISPConfig requests the certificate from Let’s Encrypt and installs it on the site.

Before you enable it, make sure the domain (and any www or subdomain aliases you tick) already points to this server in DNS and that port 80 is reachable from the internet. Let’s Encrypt validates the domain over HTTP before issuing, so issuance fails if the name doesn’t resolve to the server yet. Let’s Encrypt certificates are valid for 90 days, and ISPConfig renews them automatically before they expire, so once the checkbox is enabled you can leave it alone.

Test your SSL installation

After installing the certificate, run an SSL scan to confirm the chain is complete and catch any configuration errors or missing intermediates. The quickest check is to open your site with https:// and look for the padlock, but a scanner gives you the full picture. Use our SSL Checker for an instant status report.

If you have SSH access to the server, you can also read the certificate ISPConfig is serving directly from the command line. This prints the issuer and the validity dates of the live certificate:

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -dates

Frequently Asked Questions

Where do I install an SSL certificate in ISPConfig?

Open Sites, click the domain you want to secure, and go to its SSL tab. Paste your private key, certificate, and CA bundle into the SSL Key, SSL Certificate, and SSL Bundle fields, set SSL Action to Save Certificate, and click Save. SSL is configured per website, not globally.

Do I need to paste the private key in ISPConfig?

Yes, if the certificate was issued from a CSR you generated outside ISPConfig, paste the matching private key into the SSL Key field. The certificate only works with the exact key created alongside its CSR. If you generated the CSR inside ISPConfig, the key is already in the SSL Key field, so leave it unchanged and just add the certificate and bundle.

What does the SSL Action dropdown do?

The SSL Action dropdown tells ISPConfig what to do when you save. Choose Create Certificate to generate a new CSR and key, Save Certificate to store the certificate, key, and bundle you pasted, or Delete Certificate to remove them. To install a certificate from your CA, select Save Certificate and click Save.

Do I need to restart the web server after installing the certificate?

No. When you click Save, ISPConfig writes the certificate and reloads the web server for you. If HTTPS still doesn’t respond after a minute, re-check that you pasted the key, certificate, and bundle into the correct fields and that the SSL checkbox is enabled on the Domain tab.

Should I use Let’s Encrypt or a paid certificate on ISPConfig?

Let’s Encrypt is free and renews automatically, which suits blogs, small sites, and subdomains. Choose a paid certificate when you need Organization or Extended Validation, a warranty, or a wildcard backed by a commercial CA. Let’s Encrypt enables from a checkbox on the Domain tab; a paid certificate is pasted into the SSL tab.

Why is the Let’s Encrypt SSL option failing in ISPConfig?

Let’s Encrypt verifies your domain over HTTP before issuing, so issuance fails if the domain doesn’t yet resolve to the server or if port 80 is blocked. Confirm the domain’s DNS points to this server and is fully propagated, make sure port 80 is open, and untick any alias that doesn’t resolve, then save again.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.