This guide shows you how to install an SSL/TLS certificate on Plesk. Current Plesk releases ship under the Obsidian line (18.x), so the steps and menu labels below follow that interface. The flow has two phases: upload the issued certificate, the CA chain, and the private key into the certificate store, then assign that certificate to your site in Hosting Settings so Plesk actually serves it over HTTPS. Skipping the second phase is the most common reason a Plesk install “looks done” but the browser still shows the default certificate.
If you only need a free, auto-renewing certificate for a public-facing site, Plesk also includes a built-in Let’s Encrypt integration (the SSL It! extension). That path is covered at the end of this guide.
Generate the CSR
If you already have your issued certificate and private key, skip ahead to Install an SSL certificate on Plesk Obsidian.
To order a commercial SSL/TLS certificate you first need a Certificate Signing Request (CSR) and its matching private key. You have two options:
- Generate the CSR automatically with our CSR Generator. The private key is created in your browser, so save both the CSR and the private key right away; you will paste both into Plesk during the install.
- Generate the CSR inside Plesk itself by following our tutorial on how to generate a CSR in Plesk. Plesk creates and stores the private key for you, so you only paste the issued certificate and the CA chain later.
Copy the CSR block, including the opening and closing markers -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----, and submit it during your SSL order. After the Certificate Authority validates the request and issues the certificate, continue with the installation below.
Install an SSL certificate on Plesk Obsidian
The steps below apply to current Plesk Obsidian (18.x). The interface looks the same whether you are signed in as Server Administrator, Reseller, or Customer; only the top-level menu differs slightly (Server Administrators and Resellers see Domains, customer accounts see Websites & Domains).
Step 1: Open the SSL/TLS Certificates panel
- Sign in to Plesk.
- Open Domains (or Websites & Domains on a customer account) and select the domain you want to secure.
- Click SSL/TLS Certificates.
You will see the list of certificates already attached to this subscription. If you generated the CSR in Plesk, the entry you created during CSR generation is here and already holds the private key.
Step 2: Upload the certificate files
Click the name of the certificate you generated the CSR for (or click Add SSL/TLS Certificate if you created the CSR outside Plesk and need a fresh entry). Plesk shows three text boxes plus an upload section:
- Private key (*.key): the key that matches your CSR. Plesk pre-fills this if the CSR was generated in Plesk; otherwise paste the contents of your .key file.
- Certificate (*.crt): your issued server certificate, in PEM form, including the
-----BEGIN CERTIFICATE-----and-----END CERTIFICATE-----lines. - CA certificate (*-ca.crt): the intermediate CA chain (the .ca-bundle file the CA shipped). Without it, mobile browsers and many API clients will reject the chain.
You can either paste each block into its text box and click Upload Components, or use the file picker under Upload the certificate files and select the corresponding files, then click Upload Certificate. Either way, Plesk confirms the upload and lists the certificate as complete.
Step 3: Assign the certificate in Hosting Settings
This is the step most people forget. Uploading the certificate puts it in the store; assigning it in Hosting Settings is what makes the web server actually serve it.
- Return to the domain’s main page (Domains > example.com).
- Click Hosting & DNS, then Hosting Settings.
- Under Security, tick SSL/TLS support.
- From the Certificate drop-down, select the certificate you just uploaded.
- Click OK (or Apply).
Plesk reloads the web server configuration and the site begins serving HTTPS with the new certificate.
Step 4: Force HTTPS (recommended)
To redirect every visitor to the HTTPS version of your site, stay in Hosting Settings and tick Permanent SEO-safe 301 redirect from HTTP to HTTPS, then click OK. Plesk writes the redirect into the web server config for you, so you do not need to touch .htaccess or the Nginx config by hand.
Alternative: the Secure Your Sites shortcut
The SSL/TLS Certificates screen also has a Secure Your Sites (or Secure the Domain) button. Clicking it walks you through a single dialog that uploads the certificate files and assigns the certificate to the domain in one pass, replacing Steps 2 and 3 above. It is the same operation under the hood; use whichever flow you prefer.
Use the built-in Let’s Encrypt extension (free, auto-renewing)
Plesk Obsidian ships with the SSL It! extension, which issues and auto-renews free Let’s Encrypt certificates for any domain hosted on the server. There is no CSR to generate by hand and no files to copy around.
- Open the domain in Domains > example.com, then click SSL/TLS Certificates.
- Click Install under Let’s Encrypt.
- Enter the contact email, tick the host names you want covered (apex, www, mail, wildcard via DNS), and click Get it free.
SSL It! requests the certificate, installs it, assigns it to the domain (you do not need a separate Hosting Settings step), and re-issues it automatically before expiry. Commercial certificates from a public CA are still the right choice when you need OV or EV validation, a longer warranty, or features SSL It! does not cover.
Secure the Plesk panel and mail server
The steps above install a certificate on a hosted website. The Plesk panel itself (the URL you log in to, usually on port 8443) and the mail services (IMAPS, POP3S, SMTPS) use a separate server-level certificate. To install one there:
- Sign in as Server Administrator and go to Tools & Settings > SSL/TLS Certificates.
- Add the certificate the same way (upload the private key, the certificate, and the CA chain, or upload the files).
- Once the certificate is in the server repository, scroll to the bottom of Tools & Settings > SSL/TLS Certificates and use the Secure Plesk and Secure mail server drop-downs to bind the new certificate to those services.
Plesk applies the change without a reboot. After the panel reloads, the login URL serves the new certificate.
Test the SSL installation
After the certificate is uploaded and assigned, open your site over https:// and check that the browser shows the padlock with no warnings, then run a deeper check with our SSL Checker. It reports the certificate details, the chain, expiry, protocol support, and any issues a casual padlock-check will miss (for example, a missing intermediate that breaks mobile clients).
Frequently Asked Questions
For a hosted website, open Domains (or Websites & Domains as a customer), select the domain, then click SSL/TLS Certificates. For the Plesk control panel and mail services, sign in as Server Administrator and go to Tools & Settings > SSL/TLS Certificates.
The most common cause is that the new certificate was uploaded but never assigned. Go to the domain’s Hosting Settings (under Hosting & DNS), tick SSL/TLS support, pick the new certificate from the Certificate drop-down, and click OK. Hard-refresh your browser afterwards, since the old certificate is often cached for the session.
Yes. Plesk Obsidian ships the SSL It! extension, which issues free Let’s Encrypt certificates and renews them automatically. Open SSL/TLS Certificates on the domain, click Install under Let’s Encrypt, choose the host names to cover, and confirm. Commercial certificates from a public CA are still the right choice when you need OV or EV validation, a wildcard issued via HTTP, or a longer warranty.
Renewing means issuing and installing a fresh certificate. Generate a new CSR (either in Plesk or with our CSR Generator), order the renewal, then upload the new certificate and CA chain over the existing entry on the SSL/TLS Certificates screen. The assignment in Hosting Settings stays the same, so you only need to re-confirm it if the certificate name changed. Public TLS certificates are capped at about a year, so plan to repeat this each year or automate renewals with ACME.
No. Once you upload the certificate and assign it in Hosting Settings, Plesk reloads the web server configuration for you and the site serves HTTPS immediately. A panel or server restart is not required.
The per-domain certificate is what visitors see when they open your website over HTTPS; you install it on the domain’s SSL/TLS Certificates page and assign it in Hosting Settings. The server certificate is what protects the Plesk login URL (port 8443) and the mail services (IMAPS, POP3S, SMTPS); you install it under Tools & Settings > SSL/TLS Certificates. The two are independent, so a missing or expired server certificate does not affect your hosted sites and vice versa.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


