{"id":924,"date":"2021-07-23T12:41:22","date_gmt":"2021-07-23T12:41:22","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/manage-service-ssl-certificates\/"},"modified":"2021-07-23T12:41:22","modified_gmt":"2021-07-23T12:41:22","slug":"manage-service-ssl-certificates","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/manage-service-ssl-certificates\/","title":{"rendered":"Manage Service SSL Certificates"},"content":{"rendered":"<\/p>\n
\n
\n
\n

Valid for versions 92 through the latest version<\/em><\/p>\n<\/div>\n

\n

Version:<\/h4>\n

82<\/h4>\n

84<\/h4>\n

90<\/h4>\n

92<\/h4>\n<\/div><\/div>\n
\n

Overview<\/h2>\n

This interface allows you to manage certificates for your server\u2019s services. For example, you can manage certificates for the following services:<\/p>\n

    \n
  • \n

    Exim (SMTP).<\/p>\n<\/li>\n

  • \n

    POP3 and IMAP.<\/p>\n<\/li>\n

  • \n

    The cPanel services (cPanel & WHM and Webmail).<\/p>\n<\/li>\n

  • \n

    Your FTP server.<\/p>\n<\/li>\n

  • \n

    iOS Mail Push Notifications (APNs).<\/p>\n<\/li>\n<\/ul>\n

    SSL certificates allow your web server to identify itself to the computers that access it.<\/p>\n

    You can use any of the following types of certificates to secure your server\u2019s services:<\/p>\n

      \n
    • \n

      A free cPanel-signed hostname certificate.<\/p>\n<\/li>\n

    • \n

      A certificate that you obtained from a certificate authority (CA).<\/p>\n<\/li>\n

    • \n

      A self-signed certificate.<\/p>\n

      \n
      Warning:<\/div>\n
      \n We recommend that you do not use<\/strong> self-signed certificates. They provide less security than certificates from a CA. Any server could claim to be your server with a self-signed certificate because they do not use a third-party verification system. To remedy this, use certificates from a CA, which verifies that users securely connect to your server.\n <\/div>\n<\/div>\n<\/li>\n
    • \n

      PKCS #12 (iOS APNs only<\/strong>).<\/p>\n<\/li>\n<\/ul>\n

      For more information about how to generate or purchase a certificate, read our Generate an SSL Certificate and Signing Request documentation.<\/p>\n

      Free cPanel-signed certificate<\/h3>\n
      \n
      Note:<\/div>\n
      \n cPanel users may see a There is a problem with this website's security certificate.<\/code> message when they log in. To resolve this issue, replace the self-signed certificate with a certificate that you purchase from WHM\u2019s Purchase and Install an SSL Certificate<\/em> interface (WHM >> Home >> SSL\/TLS >> Purchase and Install an SSL Certificate<\/em>).\n <\/div>\n<\/div>\n

      cPanel, L.L.C. offers valid cPanel & WHM license holders a free signed certificate for the services on your server\u2019s hostname. This offer replaces the certificates for these services that meet any of the following conditions:<\/p>\n

        \n
      • \n

        Maintains a weak signature algorithm.<\/p>\n<\/li>\n

      • \n

        Revoked.<\/p>\n<\/li>\n

      • \n

        Self-signed.<\/p>\n<\/li>\n

      • \n

        Invalid (For example, your server\u2019s hostname must be valid and resolve in DNS).<\/p>\n<\/li>\n

      • \n

        Will expire soon, based on the following criteria:<\/p>\n

          \n
        • \n

          cPanel-provided certificates that expire in less than 25 days.<\/p>\n<\/li>\n

        • \n

          Certificates issued by any other provider that expire in less than 3 days.<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

          When the existing certificate meets any of these conditions, the server will order a replacement certificate when the \/usr\/local\/cpanel\/scripts\/upcp<\/code> maintenance runs. The system will download and install that certificate when available. If the existing certificate expires before the replacement certificate is available, the system will install a self-signed certificate, and then replace it with the ordered certificate when available.<\/p>\n

          \n
          Note:<\/div>\n
          \n If you create the \/var\/cpanel\/ssl\/disable_auto_hostname_certificate<\/code> touch file, the system will no longer order, download, and install a free cPanel-signed hostname certificate.\n <\/div>\n<\/div>\n
          \n
          Important:<\/div>\n
          \n
            \n
          • \n

            Your server must<\/strong> possess a valid hostname that points to the server\u2019s main IP address.<\/p>\n<\/li>\n

          • \n

            Your server\u2019s hostname must<\/strong> resolve in DNS.<\/p>\n<\/li>\n

          • \n

            Your server must<\/strong> possess a valid cPanel & WHM license.<\/p>\n<\/li>\n

          • \n

            The system will replace certificates issued by any other provider with cPanel-provided certificates. For example, the Dovecot service\u2019s custom certificate expires in less than three days. The system will install a cPanel-provided hostname certificate to replace the old one.<\/p>\n

              \n
            • If you create the \/var\/cpanel\/ssl\/disable_service_certificate_management<\/code> touch file, the system disables all automatic replacement of expired service certificates. The system also disables notifications about expired or expiring service certificates.<\/li>\n<\/ul>\n<\/li>\n
            • \n

              The system will replace certificates issued by any other provider with cPanel-provided certificates.<\/p>\n<\/li>\n

            • \n

              Certificate Authority Authentication (CAA) records in the domain\u2019s zone file restrict which Certificate Authorities (CA) may issue certificates for that domain. If no CAA records exist for a domain, all CAs can issue certificates for that domain. If conflicting CAA records already exist, remove the existing CAA records or add one for the desired CA.<\/p>\n

                \n
              • \n

                For example, a CAA record for Sectigo would resemble the following example, where example.com<\/code> represents the domain name: example.com. 86400 IN CAA 0 issue \"sectigoca.com\"<\/code><\/p>\n<\/li>\n

              • \n

                You can manage CAA records through WHM\u2019s DNS Zone Manager<\/em> interface (WHM >> Home >> DNS Functions >> DNS Zone Manager<\/em>) or through cPanel\u2019s Zone Editor<\/em> interface (cPanel >> Home >> Domains >> Zone Editor<\/em>).<\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

                For more information about a CA\u2019s requirements, read their documentation.<\/p>\n<\/p><\/div>\n<\/div>\n

                Service SSL Certificates<\/h2>\n

                The interface displays the following table, which lists the services on your server and the certificates for each service:<\/p>\n

                Service<\/h3>\n

                The service that the certificate secures.<\/p>\n

                Certificate Domains<\/h3>\n

                The domain of the service that the certificate secures.<\/p>\n

                Certificate Expiration<\/h3>\n

                The date on which the certificate expires.<\/p>\n

                \n
                Note:<\/div>\n
                \n
                  \n
                • \n

                  Before the certificate expires, WHM sends a warning to the system administrator\u2019s email address to reset or replace the certificates. A warning will also appear in WHM\u2019s Home interface.<\/p>\n<\/li>\n

                • \n

                  When a certificate expires, your server installs a self-signed certificate. If your server meets the requirements to obtain a free cPanel-signed certificate, the server automatically orders one the next time that the upcp<\/code> maintenance script runs. When the signed certificate becomes available, the server downloads and installs it.<\/p>\n<\/li>\n<\/ul><\/div>\n<\/div>\n

                  Certificate Key<\/h3>\n

                  The type of key that the system used to generate the certificate.<\/p>\n

                  Actions<\/h3>\n

                  Reset a Certificate<\/h4>\n

                  This option uninstalls the current certificate for the service and replaces it with a new self-signed certificate.<\/p>\n

                  To reset a certificate, perform the following steps:<\/p>\n

                    \n
                  1. \n

                    Click Reset Certificate<\/em> next to the service for which to reset the certificate.<\/p>\n<\/li>\n

                  2. \n

                    Click Proceed<\/em> to generate and automatically install the certificate.<\/p>\n<\/li>\n<\/ol>\n

                    \n
                    Warning:<\/div>\n
                    \n
                      \n
                    • \n

                      This option automatically erases an existing certificate from the service. If you replace a certificate from a CA with a self-signed certificate, users may see warnings because their client applications do not<\/strong> trust self-signed certificates.<\/p>\n<\/li>\n

                    • \n

                      If your server meets the requirements to obtain a free cPanel-signed certificate, the server automatically orders one the next time that the upcp maintenance script runs. When the signed certificate becomes available, the server downloads and installs it.<\/p>\n<\/li>\n<\/ul><\/div>\n<\/div>\n

                      Certificate Details<\/h4>\n

                      This option displays details about the installed certificate for the service:<\/p>\n

                        \n
                      • \n

                        Domains<\/em> \u2014 The domain of the service that the certificate secures.<\/p>\n<\/li>\n

                      • \n

                        Issuer<\/em> \u2014 Information about the CA that issued the certificate.<\/p>\n

                        \n
                        Note:<\/div>\n
                        \n This column displays a warning message for self-signed certificates.\n <\/div>\n<\/div>\n<\/li>\n
                      • \n

                        Key<\/em> \u2014 The type of key that the system used to generate the certificate.<\/p>\n<\/li>\n

                      • \n

                        Expiration<\/em> \u2014 The date on which the certificate expires.<\/p>\n

                        \n
                        Note:<\/div>\n
                        \n
                          \n
                        • Before the certificate expires, WHM sends a warning to the system administrator\u2019s email address to reset or replace the certificates. A warning also appears in WHM\u2019s Home interface.<\/li>\n
                        • If your server meets the requirements to obtain a free cPanel-signed certificate, the server automatically orders one the next time that the upcp<\/code> maintenance script runs. When the signed certificate becomes available, the server downloads and installs it.
                          \n<\/li>\n<\/ul><\/div>\n<\/div>\n<\/li>\n<\/ul>\n

                          Apply Certificate to Another Service<\/h4>\n

                          This option allows you to apply a certificate to multiple services. This is useful, for example, when you wish to apply a signed certificate for your server\u2019s main domain to other services on your server.<\/p>\n

                          To apply a certificate to another service, perform the following steps:<\/p>\n

                            \n
                          1. \n

                            Click the appropriate Apply Certificate to Another Service<\/em> link.<\/p>\n<\/li>\n

                          2. \n

                            The interface will scroll down to the Install a New Certificate<\/em> section. Select the checkboxes for the services for which to apply this certificate.<\/p>\n

                            \n
                            Note:<\/div>\n
                            \n WHM automatically enters the details of the Install a New Certificate<\/em> text boxes with the certificate\u2019s information.\n <\/div>\n<\/div>\n<\/li>\n
                          3. \n

                            Click Install<\/em> to install the certificate to the selected services, or click Cancel<\/em> to cancel the operation.<\/p>\n

                            \n
                            Warning:<\/div>\n
                            \n If you replace a certificate from a CA with a self-signed one, users may see warnings because their client applications do not<\/strong> trust self-signed certificates.\n <\/div>\n<\/div>\n<\/li>\n<\/ol>\n

                            Install a New Certificate<\/h2>\n

                            This form allows you to install a new certificate that you can use to secure the services on your server.<\/p>\n

                            To install a new certificate on your server, perform the following steps:<\/p>\n

                              \n
                            1. \n

                              To use a certificate that already exists on your server, click Browse Certificates<\/em>. Select the services that you wish for the certificate to secure.<\/p>\n

                                \n
                              1. \n

                                Click Browse Account<\/em> and select the username from the menu, or click Browse Apache<\/em>.<\/p>\n<\/li>\n

                              2. \n

                                Select the certificate that you wish to use from the menu.<\/p>\n<\/li>\n

                              3. \n

                                Click Use Certificate<\/em> to use the certificate, or click Cancel<\/em> to cancel the operation.<\/p>\n

                                \n
                                Note:<\/div>\n
                                \n WHM automatically enters the certificate\u2019s information into the Install a New Certificate<\/em> form.\n <\/div>\n<\/div>\n<\/li>\n<\/ol>\n<\/li>\n
                              4. \n

                                Paste the contents of the Certificate file (.crt<\/code>) into the Certificate<\/em> text box.<\/p>\n

                                \n
                                Note:<\/div>\n
                                \n Click Autofill by certificate<\/em> to search for the appropriate private key and CA bundle from cPanel\u2019s public CA bundle repository.\n <\/div>\n<\/div>\n<\/li>\n
                              5. \n

                                Paste the contents of the Private Key file (.key<\/code>) into the Private Key<\/em> text box.<\/p>\n<\/li>\n

                              6. \n

                                If you have a CA bundle, paste the contents of that bundle (.cab<\/code>) into the Certificate Authority Bundle<\/em> text box.<\/p>\n<\/li>\n

                              7. \n

                                Click Install<\/em> to install the certificate, or click Cancel<\/em> to cancel the operation.<\/p>\n<\/li>\n

                              8. \n

                                If you selected the cpsrvd<\/code> daemon, and the certificate has installed correctly, the interface will prompt you to restart the cpsrvd<\/code> daemon. Click Restart cpsrvd<\/em> to restart the cPanel service daemon.<\/p>\n<\/li>\n<\/ol>\n

                                \n
                                Important:<\/div>\n
                                \n You must<\/strong> restart the cpsrvd<\/code> daemon each time that you install a new SSL certificate for a service.\n <\/div>\n<\/div>\n

                                iOS Mail push notifications<\/h2>\n

                                Use this interface to manage the certificate and key that your server uses to communicate with APNs. For more information about how to install this certificate, read our How to Set Up iOS Push Notifications documentation.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

                                Valid for versions 92 through the latest version Version: 82 84 90 92 Overview This interface allows you to manage certificates for your server\u2019s services. For example, you can manage certificates for the following services: Exim (SMTP). POP3 and IMAP. The cPanel services (cPanel & WHM and Webmail). Your FTP server. iOS Mail Push Notifications …<\/p>\n","protected":false},"author":1,"featured_media":925,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/924"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=924"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/924\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/925"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=924"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=924"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=924"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}