This guide shows you how to install an SSL certificate on Sentora, the open-source web hosting control panel forked from ZPanel. It covers generating the CSR, pasting the certificate, key, and CA bundle into Sentora’s Apache Admin module, and hardening the resulting virtual host with modern TLS settings.
A note on Sentora maintenance status
Before you start: official Sentora development has slowed sharply over the last few years. The most recent stable release on the sentora/sentora-core repository is v2.0.2 (May 2024, PHP 7.4); the 2.1.x branch targeting PHP 8.x is still marked as development-only and not for production use. A community fork, Sentora-NG, exists but is small. If you are setting up a new server, the actively maintained open-source successor most administrators move to is HestiaCP, a fork of VestaCP with a similar interface, current PHP and TLS support, and built-in Let’s Encrypt. For commercial support, Plesk is the usual choice. The steps below still apply to an existing Sentora install, and the SSL workflow has not changed.
Generate a CSR code on Sentora
If you already generated your CSR and received the issued certificate from your CA, skip ahead to the installation section.
Every commercial SSL/TLS certificate starts with a CSR (Certificate Signing Request), a block of encoded text that contains your domain and contact details and is paired with a private key. You have two options:
- Generate the CSR automatically with our CSR Generator. The CSR and its private key are produced in your browser, so save the key somewhere safe: you will paste it on the server as yourdomain.key during installation.
- Generate the CSR on the server itself by following our tutorial on how to generate a CSR on Sentora.
Open the CSR with any text editor (for example Notepad), copy the entire block (including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines), and paste it into the order form. After validation, the CA emails the issued certificate files to you.
Install an SSL certificate on Sentora
Sentora does not have a built-in form for pasting a third-party SSL certificate the way cPanel or VestaCP do. The install is a two-part process: copy the certificate files onto the server, then attach them to Apache through Sentora’s Apache Admin module so the panel rewrites the virtual host on the next sync.
Step 1: Prepare your SSL files
After the Certificate Authority issues your certificate, download the ZIP archive and extract it. You should end up with three files:
- The primary server certificate for your domain (the .crt file).
- The private key generated together with the CSR (the .key file).
- The CA bundle that contains the intermediate certificates (the .ca-bundle or .crt file from the CA).
Some CAs ship a single combined chain file; others send the root and intermediate as separate files. If they are separate, open them in a plain text editor and paste the intermediate first, then the root, into one file saved as yourdomain.ca-bundle.crt. Do not leave blank lines between certificates, and make sure every block keeps its BEGIN CERTIFICATE and END CERTIFICATE markers.
Step 2: Copy the files to the server
Open an SSH session to the server and become root, either by prefixing each command with sudo or by opening a root shell with sudo -i. Create an SSL directory under Apache and copy the three files into it (use scp, sftp, or your editor of choice to upload them first):
sudo mkdir -p /etc/apache2/ssl
sudo cp yourdomain.crt /etc/apache2/ssl/yourdomain.crt
sudo cp yourdomain.key /etc/apache2/ssl/yourdomain.key
sudo cp yourdomain.ca-bundle.crt /etc/apache2/ssl/yourdomain.ca-bundle.crt
sudo chmod 600 /etc/apache2/ssl/yourdomain.key
Tightening the key file to mode 600 stops other local users from reading the private key.
Step 3: Enable the Apache SSL module
If the SSL module is not already active, enable it and restart Apache:
sudo a2enmod ssl
sudo service apache2 restart
The a2enmod ssl command creates the mods-enabled/ssl.conf and mods-enabled/ssl.load symlinks for you, so you do not need to create them manually. You can confirm the module is loaded with apache2ctl -M | grep ssl.
Step 4: Add the SSL virtual host through Apache Admin
Log into Sentora as the admin user, then navigate to Admin > Module Admin > Apache Admin. Paste the following into the Global Sentora entry box, adjusting the file paths and host names to match your install:
##################################################
# Apache vhost configuration for Sentora
# Adds an HTTPS virtual host that uses your cert
##################################################
<VirtualHost *:443>
ServerAdmin zadmin@localhost
DocumentRoot "/etc/sentora/panel/"
ServerName panel.example.com
ServerAlias sentora.example.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/yourdomain.crt
SSLCertificateKeyFile /etc/apache2/ssl/yourdomain.key
SSLCertificateChainFile /etc/apache2/ssl/yourdomain.ca-bundle.crt
# Modern TLS only. SSLv2, SSLv3, TLS 1.0 and TLS 1.1
# are deprecated and unsafe (POODLE, BEAST).
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!RC4
SSLCompression off
</VirtualHost>
Replace panel.example.com and the file names with your actual host name and certificate paths. Save the entry. Sentora rewrites the Apache config the next time the daemon syncs (and on save), so do not edit /etc/apache2/sites-available directly: the panel will overwrite it.
About SSLProtocol SSLv3: older Sentora tutorials, including earlier versions of this one, paste SSLProtocol SSLv3 into the Apache Admin box. Do not use that value. SSL 3.0 has been broken since the POODLE disclosure in 2014 (CVE-2014-3566) and is disabled in every modern browser; an Apache vhost that forces SSLv3 will refuse modern clients and would be insecure even if they accepted it. The block above pins Apache to TLS 1.2 and 1.3 only, which is the current safe baseline.
Step 5: Restart Apache
After saving the Apache Admin entry, test the configuration and reload the service:
sudo apache2ctl configtest
sudo service apache2 restart
If configtest reports Syntax OK, the new vhost is live. Open the panel over https://panel.example.com and check the padlock.
Optional: use Let’s Encrypt through the Sencrypt module
If you do not need a paid certificate, the community Sencrypt module (maintained at TGates71/sencrypt by one of the original Sentora developers) issues and auto-renews free Let’s Encrypt certificates for the panel and for hosted domains. It is bundled with some Sentora installs and available as a separate add-on for others; once installed, go to Admin > Module Admin > Sencrypt SSL (or Sencrypt under Domain Management for a hosted site), pick the domain, and run the issue action. Sencrypt performs an HTTP-01 challenge against port 80 and drops the resulting certificate, key, and chain into place automatically. The domain must already resolve to this server in DNS for the challenge to succeed.
Test the SSL installation
After restarting Apache, open your site over https:// and check the padlock. For a deeper check that confirms the intermediate chain and protocol support, run the host name through our SSL Checker. If the report flags a missing intermediate, re-open Apache Admin, confirm the path in SSLCertificateChainFile points at the CA bundle you copied in Step 2, save, and restart Apache again.
Frequently Asked Questions
Official Sentora development has slowed sharply over the last few years. The last stable release on sentora/sentora-core is v2.0.2 from May 2024 (PHP 7.4), and the 2.1.x branch targeting PHP 8.x is still flagged as development-only with no LTS or active security release stream. A community fork, Sentora-NG, exists but is small. Most administrators looking for an actively maintained open-source successor move to HestiaCP; Plesk is the usual choice for commercial support. Existing Sentora installs still work and the SSL workflow above still installs valid certificates.
Sentora does not impose a fixed location for third-party certificates. The convention used in this guide is /etc/apache2/ssl/yourdomain.crt, yourdomain.key, and yourdomain.ca-bundle.crt, referenced from the vhost you add through Apache Admin. Certificates issued by the community Sencrypt Let’s Encrypt module live under the Sencrypt module’s own data directory and are wired into Apache automatically.
SSL 3.0 was broken by the POODLE attack in 2014 (CVE-2014-3566) and removed from every major browser years ago. Setting SSLProtocol SSLv3 forces Apache to negotiate only that protocol, so modern clients fail to connect and any client that did connect would be exposed. Use SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 to allow TLS 1.2 and 1.3 only, which is the current safe baseline.
No. sudo a2enmod ssl creates both the ssl.conf and ssl.load symlinks under /etc/apache2/mods-enabled/ for you. Older Sentora tutorials list separate ln -s commands, but they duplicate what a2enmod already did. Run apache2ctl -M | grep ssl to confirm the module loaded.
You can, but the change will not survive. Sentora regenerates the Apache config from its own templates on each sync and will overwrite anything you put into /etc/apache2/sites-available by hand. Use the Apache Admin module’s Global Sentora entry for global directives, or the per-domain entry for a single site, so Sentora keeps your additions when it rewrites the config.
The most common cause is a missing or wrong SSLCertificateChainFile path in the Apache Admin entry. Confirm that the path points to the CA bundle file you copied in Step 2 and that the bundle contains every intermediate certificate between your domain certificate and the root, each block bounded by BEGIN CERTIFICATE and END CERTIFICATE markers. Save the Apache Admin entry, restart Apache, then re-run our SSL Checker.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


