bg-tutorials

How to Install an SSL Certificate on VestaCP

This guide shows you how to install an SSL certificate on VestaCP, the Linux control panel. It covers two installations: securing a hosted website through the WEB tab, and replacing the certificate that protects the VestaCP admin panel itself on port 8083.

A note on VestaCP maintenance

Before you start: the original VestaCP project has been largely dormant for several years and has not received a meaningful update in a long time. If you are setting up a new server, consider HestiaCP, the actively maintained community fork that kept the same interface but added modern TLS, multi-PHP, and current security fixes. The steps below still apply to a legacy VestaCP install, and the same WEB tab workflow works on HestiaCP because the SSL panel is essentially unchanged.

Generate a CSR code on VestaCP

If you already generated your CSR and received the issued certificate from your CA, skip ahead to the installation section.

Every commercial SSL/TLS certificate starts with a CSR (Certificate Signing Request), a block of encoded text that contains your domain and contact details and is paired with a private key. You have two options:

  • Generate the CSR automatically with our CSR Generator. The CSR and its private key are created in your browser, so save the key somewhere safe: you will need it for the SSL Key field during installation.
  • Generate the CSR on the server itself by following our tutorial on how to generate a CSR on VestaCP.

Open the CSR with any text editor (for example Notepad), copy the entire block (including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines), and paste it into the order form. If you want to confirm the CSR before submitting it, run it through our CSR Decoder.

Install an SSL certificate on VestaCP (WEB tab)

After the Certificate Authority issues your certificate, you will receive a ZIP archive by email. Download and extract it on your computer. You will need three pieces of text to paste into VestaCP:

  • The primary server certificate issued for your domain (the .crt file).
  • The private key that was generated together with the CSR (the .key file).
  • The CA bundle that contains the intermediate (and root) certificates (the .ca-bundle file). This is needed for the chain to validate in every browser and on mobile.

Open each file in a plain text editor so you can copy its contents in the next steps. Make sure you include the BEGIN CERTIFICATE and END CERTIFICATE markers; missing them is a common reason VestaCP rejects the input.

Step 1: Log in to VestaCP and open the WEB tab

Sign in to the VestaCP dashboard at https://your-server-ip:8083 with your admin account, then click the WEB tab in the top navigation.

Step 2: Edit the domain you want to secure

Find the domain in the list, hover over it, and click Edit. This opens the Editing Domain page with all of that site’s settings.

Step 3: Enable SSL Support and leave Let’s Encrypt off

Tick the SSL Support checkbox. The SSL fields appear below it. Leave the Lets Encrypt Support option unchecked: if you enable it, VestaCP will overwrite your fields with a Let’s Encrypt certificate it issues itself and ignore what you paste in.

Step 4: Paste the certificate, key, and CA bundle

Fill in the three fields with the contents of the matching files:

  • SSL Certificate: paste the contents of your .crt file (the certificate issued for your domain).
  • SSL Key: paste the contents of the private .key file you saved when you generated the CSR.
  • SSL Certificate Authority / Intermediate: paste the contents of the .ca-bundle file. This field is optional in the form but you should always fill it in: without it, mobile browsers and many API clients will report an incomplete chain.

Step 5: Save

Scroll to the bottom of the page and click Save. VestaCP writes the certificate, key, and chain into the domain’s web configuration and reloads the web server. Your site is now reachable over HTTPS.

Optional: use Let’s Encrypt instead

If you do not need a paid certificate, VestaCP can issue and auto-renew a free Let’s Encrypt certificate for the same domain. On the Editing Domain page, tick SSL Support, then tick Lets Encrypt Support, and save. The panel runs an HTTP-01 validation against the domain and, if it succeeds, drops the issued certificate, key, and chain into the SSL fields for you. Renewals run automatically through cron. The domain must already resolve to this server in DNS and respond on port 80 for validation to pass.

Replace the SSL certificate on the VestaCP admin panel (port 8083)

The admin panel on port 8083 uses its own certificate, separate from any hosted website. By default it is a self-signed certificate stored at /usr/local/vesta/ssl/certificate.crt and /usr/local/vesta/ssl/certificate.key, which is why browsers warn when you visit it. To replace it with a trusted certificate (for example the one VestaCP already issued for your panel hostname through Let’s Encrypt), open an SSH session to the server as root and run:

cd /usr/local/vesta/ssl
mv certificate.crt certificate.crt.bak
mv certificate.key certificate.key.bak

ln -s /home/admin/conf/web/ssl.your-panel-hostname.crt /usr/local/vesta/ssl/certificate.crt
ln -s /home/admin/conf/web/ssl.your-panel-hostname.key /usr/local/vesta/ssl/certificate.key

service vesta restart

Replace your-panel-hostname with the hostname you actually browse to on port 8083 (for example panel.example.com). Using symbolic links rather than copying the files means that when VestaCP auto-renews the Let’s Encrypt certificate for that hostname, the panel picks up the new files on the next restart without you having to copy them again. If you prefer copies, swap the two ln -s lines for cp commands; remember that you will then have to copy the files again at each renewal.

If you are pasting a certificate from a different CA, place the certificate body in certificate.crt, the matching private key in certificate.key, and append the intermediate chain to the bottom of certificate.crt so the browser receives the full chain. Then run service vesta restart. After the restart, reload the panel in your browser and confirm the padlock.

Test the SSL installation

After saving, open your site over https:// and check the padlock. For a deeper check that also confirms the intermediate chain and protocol support, run the domain through our SSL Checker. If the report flags a missing intermediate, go back to the WEB tab, paste the CA bundle into the SSL Certificate Authority / Intermediate field, and save again.

Frequently Asked Questions

Is VestaCP still safe to use in 2026?

The original VestaCP project has been largely dormant for several years and has not shipped a regular security update in a long time. Existing installs still work, and the SSL workflow above still installs valid certificates, but for new servers we recommend HestiaCP, the actively maintained community fork. HestiaCP keeps the same interface and the same WEB / Edit / SSL Support flow, so the steps in this guide carry over almost unchanged.

Where does VestaCP store the certificate files?

For a hosted website, VestaCP keeps the per-domain certificate, private key, and CA bundle under /home/<user>/conf/web/ssl.<domain>.* (where <user> is the Linux account that owns the domain). For the admin panel itself, the certificate and key are /usr/local/vesta/ssl/certificate.crt and /usr/local/vesta/ssl/certificate.key.

Can VestaCP issue a free Let’s Encrypt certificate?

Yes. On the Editing Domain page, tick SSL Support, then tick Lets Encrypt Support, and save. VestaCP runs an HTTP-01 challenge against your domain, installs the issued certificate into the SSL fields, and schedules automatic renewal through cron. The domain has to resolve to the server in DNS and respond on port 80 for the challenge to pass.

Do I need to restart the web server after installing the certificate?

No. Clicking Save on the Editing Domain page tells VestaCP to write the new certificate to the domain config and reload Nginx and Apache automatically. You only restart the vesta service when you replace the certificate of the admin panel itself on port 8083.

Why does the SSL Checker say my certificate chain is incomplete?

The most common cause is leaving the SSL Certificate Authority / Intermediate field blank, or pasting the CA bundle without the BEGIN CERTIFICATE and END CERTIFICATE markers. Edit the domain again, paste the full .ca-bundle contents into that field, save, then re-run our SSL Checker.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.