In this guide, you will learn how to install an SSL certificate on WHM (Web Host Manager), the server-level control panel that sits above the individual cPanel accounts. The steps are the same whether you log in as the root administrator or with reseller privileges. The final section covers AutoSSL and the server hostname certificate.
WHM is the server admin panel; cPanel is the per-account panel. A certificate you install in WHM with Install an SSL Certificate on a Domain covers one domain or subdomain hosted on the server. If you only have access to a single cPanel account, follow the cPanel installation guide instead.
We also recorded a video that walks you through the entire process. You can watch the video, read the instructions, or do both. You can watch the video below.
Generate a CSR code in WHM
If you are buying a certificate from a Certificate Authority, you first need a CSR (Certificate Signing Request). A CSR is a plain text block that holds details about your domain and organization. The CA uses it to issue the certificate. Generating the CSR also creates the matching private key, which you will need during installation. You have two options:
- Use our CSR Generator to create the CSR and key automatically.
- Follow our step-by-step tutorial on how to generate a CSR in WHM.
Submit the CSR to the Certificate Authority during your order. After the CA validates it and sends you the certificate files, continue with the installation below. (If you would rather use a free, auto-renewing certificate and skip the CSR entirely, jump to AutoSSL.)
Install an SSL certificate on WHM
After validation, the Certificate Authority emails you a ZIP archive. Extract it. You should have:
- your domain certificate, usually a .crt file;
- the intermediate certificates, usually a .ca-bundle file (the CA bundle);
- the private key you generated with the CSR (keep this one private).
Open each file in a plain text editor (Notepad on Windows, TextEdit in plain text mode on macOS) so you can copy the full contents, including the BEGIN and END lines.
Step 1: Open the installation screen
Log in to your WHM dashboard. In the search box at the top left, type SSL, then under the SSL/TLS section click Install an SSL Certificate on a Domain.
Step 2: Enter the domain
In the Domain field, type the exact domain or subdomain you want to secure (for example www.yourdomain.com). Leave the IP Address (non-user domains only) field blank unless you are securing a domain that is not tied to a cPanel account.
Step 3: Paste the certificate
In the Certificate box, paste the full contents of your domain certificate file (the one the CA emailed you). It begins and ends with these lines:
-----BEGIN CERTIFICATE-----
... certificate text ...
-----END CERTIFICATE-----
Step 4: Add the private key
In the Private Key box, paste the key you created together with the CSR. If you generated the CSR inside this same WHM server, WHM can fill the key in for you: click Autofill by Domain. If you have to paste it manually, open the key file and copy everything between the BEGIN and END lines. Depending on how the key was generated, the wrapper lines look like one of these:
-----BEGIN PRIVATE KEY-----
... key text ...
-----END PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
... key text ...
-----END RSA PRIVATE KEY-----
Each wrapper line uses five hyphens, with no spaces. Keep the private key confidential: it is the secret half of your certificate and only you should ever have it.
Step 5: Add the CA bundle
In the Certificate Authority Bundle (optional) box, paste the contents of your .ca-bundle file. This holds the intermediate certificates that let browsers link your certificate back to a trusted root. If the bundle contains more than one certificate block, keep them in the order the CA provided. WHM can often fetch the correct bundle on its own, but pasting it yourself avoids any chain issues.
Step 6: Install
Once all the fields are filled, click Install. WHM validates the certificate, key, and bundle, then applies the certificate to the web server and to the mail and FTP services for that domain. A confirmation message appears when it finishes. If you see an error, it usually means the certificate and key do not match or the CA bundle is incomplete: recheck what you pasted and try again.
Test your SSL installation
After installation, confirm the certificate is live and the chain is complete. Open your site in a browser with https:// and check for the padlock, then run a deeper scan with our SSL Checker for an instant status report. If you have shell access to the server, you can also read the served certificate directly:
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -subject -dates
This prints the issuer, the domain it was issued to, and the validity dates. A mismatch in the domain, or a missing intermediate, points to a step worth revisiting.
AutoSSL and the server hostname certificate
WHM has two more SSL features that the manual installation above does not cover. Both are worth knowing.
AutoSSL (free, auto-renewing certificates)
AutoSSL issues and renews free domain-validated certificates for the accounts on your server. Open SSL/TLS > Manage AutoSSL, pick a provider on the Providers tab (the cPanel provider, powered by Sectigo, or Let’s Encrypt), and enable it. AutoSSL then covers domains automatically and renews them before they expire, so it is the simplest option when you do not need a paid certificate with organization or extended validation. A certificate you install manually with Install an SSL Certificate on a Domain takes precedence over AutoSSL for that domain.
The server hostname and service certificate
The certificate that secures WHM itself, plus services such as Exim (mail), Dovecot, FTP, and cPanel, is the service certificate, and it is separate from any single domain. To review or replace it, open SSL/TLS > Manage Service SSL Certificates. For the server hostname certificate to issue cleanly through AutoSSL, the hostname must be a fully qualified domain name that resolves to the server’s main public IP address.
Frequently asked questions
WHM is the server administration panel, used by root or reseller accounts, and it can install a certificate on any domain hosted on the server through Install an SSL Certificate on a Domain. cPanel is the per-account panel, where a single site owner manages only their own domains. The certificate, key, and CA bundle you paste are the same in both; the difference is the level of access.
In WHM, go to SSL/TLS > Install an SSL Certificate on a Domain. The screen has three boxes: Certificate for your domain certificate, Private Key for the key you generated with the CSR, and Certificate Authority Bundle (optional) for the intermediate certificates. Paste each file’s full contents, including the BEGIN and END lines, then click Install.
No. AutoSSL issues free domain-validated certificates automatically and handles the CSR and key for you. You only need to generate a CSR when you are buying a certificate from a Certificate Authority and installing it manually.
The hostname and services such as mail and FTP use the service certificate, not a per-domain one. Manage it under SSL/TLS > Manage Service SSL Certificates. For AutoSSL to issue a hostname certificate, the server hostname must be a fully qualified domain name that resolves to the server’s main public IP address.
This means the private key you pasted was not the one created with the CSR for this certificate. Use the key generated alongside that exact CSR. If you generated the CSR in this WHM server, click Autofill by Domain to pull the correct key. If the key is lost, reissue the certificate with a fresh CSR and key from your Certificate Authority.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


