How to create a free SSL certificate and import it to cPanel

Published at 06-02-2015 20:42 | Created by Luís Cruz | Category: Webmasters
Clique aqui para ver a versão Portuguesa

HTTPS uses the HTTP protocol on top of SSL/TLS protocol. The goal is to secure (encrypt) all data transmitted between the client (your browser) and the server.

SSL has been around for over two decades and there was a reason why many websites, blogs and even e-commerce sites haven't used it. The price for a SSL certificate was considerably high.

Now there are many SSL certificate providers that issue an SSL certificate from free to $1,679.00. You may be thinking why do you need a SSL certificate provider. The simple answer is that you don't, you can create your own certificate. This kind of certificates is called self-signed certificate. The disadvantage of using such a certificate is that it will never be considered as valid for the most common browsers. For instance, Google Chrome will display a message like

Chrome's Self-signed SSL certificate warning

This may be a good option for intranet applications since you typically trust your system's administrator and you still use an encrypted connection.

For most sites and applications this is not a good option. Nobody likes to say 'yes, I want to view that information' after an ugly message. So, to solve this issue, you need to create a SSL certificate issued by a known provider (see Chrome's Certificate Policy).

There are many companies, such as PositiveSSL (by Comodo), RapidSSL, GoDaddy and StartSSL, that can issue low cost and valid SSL certificates. There different types of certificates and you should also beware that some companies renew or revoke SSL certificates for a much higher price than the original cost. So, you need to check the differences and pick the one that matches your needs.

For this blog we've used the StartSSL Free (Class 1) SSL certificate, that is valid for individuals (you can't use this one for companies) as long as you don't use it to e-commerce or monetary transactions. Also, we needed to support both domain.tld and www.domain.tld and this certificate allows you to use one sub-domain and the greatest selling point is: its free! I strongly recommend you to take a look at the FAQ to guarantee that it matches your needs..

Issueing a certificate can be quite tricky if you're not used to these terms, so we've divided this guide into three parts

  1. Sign up at StartSSL and store the browser authority certificate
  2. Create private key and SSL certificate for your domain
  3. Import the certificate in a shared hosting, without a dedicated IP address, using cPanel


1. Sign up at StartSSL and store the browser authority certificate

The process to sign up at StartSSL is different from the sign up at an email or a Facebook account. Through this process you'll NOT be asked a password. This is because you will be authenticated through a certificate saved in your browser. The first step is to create this certificate and store it within your browser. I've done this with Google Chrome.

Here's what you need to do

  1. Access StartSSL's site and navigate to Authenticate or Sign up

    StartSSL homepage StartSSL Sign up and login page

    Important: It's likely that you'll see some errors and connection errors. This happened to me a few times and I had to wait a few moments until I could access and submit the sign up form.

  2. Fill the sign up form and submit it. As you submit the form, you will see a new page asking for a verification code (so they can guarantee that the email you've entered is, in fact, yours). Do not close this page. After a few minutes you'll receive an email with the validation code, that you should enter and click Continue.

    StartSSL sign up form StartSSL complete registration page

    Important: When I submitted the form, I saw a message telling me that my registry needed to be validated. After a few seconds this page was automatically closed. If this happens to you, wait for the email address that will contain the link to the confirmation page.

  3. Next you'll see a page to generate a private key. Note that this key IS NOT for the SSL certificate. It will be used for the authentication certificated so you can log in StartSSL's Control Panel. Click Continue and, at the next page, Install.

    StartSSL generate authorization certificate private key StartSSL install authorization certificate page

  4. If all goes well, you should see a page telling you the certificate was successfully installed. If you're using Google Chrome you'll also see a message below the address bar indicating the certificate was installed. This means the certificate was created and successfully installed in your browser and you can now access StartSSL's secure Control Panel.

    StartSSL authorization certificate installed successfully

  5. In order to access the Control Panel you must use this certificate. So, the best thing you can do is to back it up. If you lose this certificate you lose your account. You can take a look at the FAQ on how to backup the certificate. If you're using Chrome follow these steps: Access Settings » Show advanced settings.... Scroll to HTTPS/SSL and click Manage certificates.... Select StartSSL's certificate and click Export.... Follow the wizard's steps and be sure to export the private key and export to a file with PKCS n.º 12 format.

    Chrome settings - Manage SSL certificates Chrome settings - Export SSL certificate with private key Chrome settings - Export filetype with PKCS n.º12 format

    Store that file in a secure location. If you need to access the Control Panel with another browser or computer you'll need to import that file.


2. Create private key and SSL certificate for your domain

  1. StartSSL has to ensure that you own the domain to which you are creating the certificate. This is done by email, much like the creation of the authentication certificate. To validate that you own the domain, you need to access StartSSL Control Panel and click on tab Validations Wizard and select the option "Domain Name Validation". After clicking Continue you should enter the domain name.

    StartSSL Domain name verification page StartSSL enter domain name page

  2. The following page shows you a list of emails and you must select the email you want the validation code to be sent. Again, this process is done to guarantee that you own the domain. The email list is composed by postmaster@domain.tld, hostmaster@domain.tld e webmaster@domain.tld. At the bottom there will be one (or more) email address that belongs to the company where you've registered the domain. Select one email and click Continue.

    StartSSL - choose domain verification email

  3. You will receive an email with the verification code. Paste the code into the new page and click Continue. If all goes well you should see a message confirming the successful validation.

    StartSSL - complete domain verification StartSSL - Domain verification successful page

  4. After the domain is validated, we will now create the SSL Certificate. At this time you can create the Private Key through StartSSL's Control Panel or create it in your computer. Even though the FAQ states the keys are not stored in their servers, it's a better to create it locally. To create the private key in your computer, we will use OpenSSL that is installed by default in major Linux distributions. If you're using Windows, you'll need to download the binaries. If you don't want to create the private key locally, you can proceed to step 8.
  5. Assuming you already installed OpenSSL, you can now create the 2048 bits RSA key with the following command (from the command line)
    openssl genrsa -aes256 -out private-key-domain.key 2048

    You'll be asked for a password. Choose a complex one and don't forget it. This creates the encrypted private key.

    OpenSSL command line - generate private key

  6. Now we need to decode the private key in order to create the CSR (Certificate signing request). You should execute the following command, which will ask you for the password.
    openssl rsa -in private-key-domain.key -out decoded-private-key.key

    OpenSSL command line - decode private key

  7. Now it's time to create the CSR through
    openssl req -new -sha256 -key decoded-private-key.key -out domain.tld.csr

    Fill the options with valid data. The challenge password is not mandatory. If you choose to fill this field you should store the password that will be used to reinstall or revoke the certificate. Mind the differences between the certificate password (passphrase) and the challenge password.

    OpenSSL command line - create CSR file

  8. At this time we have the private key and the CSR. So, it's time to go back to StartSSL's Control Panel and create the SSL Certificate. Once you're there, click on the tab Certificates Wizard and select "Web Server SSL/TLS Certificate". In the following page, since we've created the private key locally, we can click Skip. If you choose not to create the key through OpenSSL, you should fill and submit the form.

    StartSSL - Choose certificate purpose StartSSL - generate private key for domain

  9. Open the CSR file (which we named domain.tld.csr) with a text editor and copy the file's content to the textarea within the page. Click Continue and you should see a page telling you the CSR was successfully submitted.

    StartSSL - Submit CSR file StartSSL - Certificate request receive page

  10. Now you should select the previous validated domain and set a sub-domain (I choose www).

    StartSSL - add domains for certificate StartSSL - Set subdomain for certificate

  11. This last page shows all the information so you can confirm that it's correct. If so, click Continue and you'll be shown another page with a textarea that contains the content of the SSL certificate. Copy that text as is to a file (I've called it ssl-certificate.txt). You should also save the ROOT e INTERMEDIATE files, below the textarea.

    StartSSL - Processing certificate page

    Important: It's possible that you get a message saying Additional Check Required!. If so, you'll need to wait for the email (I've waited ~30 minutes) to finish the process. In this case you should follow the email's instructions to save the SSL certificate and you should download CABUNDLE from FAQ.

  12. The SSL Certificate is now created. It's a good idea to save all these files in a secure location like TrueCrypt 7.1a. TrueCrypt was an open source project that is still considered secured. When version 7.2 was released they cancelled the development and suggested you should use Windows encryption system. If you choose to use TrueCrypt make sure you use version 7.1a. Take a look at this post for alternatives.


3. Import the certificate in a shared hosting, without a dedicated IP address, using cPanel

  1. Since cPanel & WHM 11.38 it is possible to install a SSL Certificate in a shared hosting. This means that you no longer need a dedicated IP address, which is good news if you pay the bills. In order to install the generated certificate you should access cPanel and scroll to Security and click on SSL/TLS Manager.

    cPanel settings- SSL/TLS manager

  2. You should now select Manage SSL Sites from Install and Manage SSL for your site (HTTPS). This screenshot was taken from version 11.46.2

    cPanel settings - Manage SSL Sites

  3. At this page, select the domain to which you generated the SSL Certificate. Paste the contents from the last file generated from StartSSL Control Panel (which I named ssl-certificate.txt) in the textarea called Certificate: (CRT). Below Private Key: (KEY) paste the contents from decoded private key (step 2.6, which I named decoded-private-key.key). Now you should paste, below Certificate Authority Bundle: (CABUNDLE), the contents of the ca.pem file or IF you see a warning message with "Microsoft® Internet Explorer™ on Windows XP™ is the most widely used web browser that does not support SNI." just ignore it. However, make sure your version of cPanel is equal or greater than 11.38.

    cPanel settings - Fill SSL certificate information

  4. Now click on Install Certificate and you should see a success message. Kudos!, as of now your site is accessible via HTTPS.


When you use a HTTPS connection, you need to make sure that all contents are transferred through HTTPS. This is to say that all CSS, Javascript, images and fonts need to be downloaded as HTTPS. If you have some data that is transferred through HTTP in a HTTPS connection the browser will display a message to the end user stating that you are using a secure connection but not all data is secure.

The simplest way to address this issue is not to set a protocol. Instead of http:// or https:// just use (//. Automatically, those addresses will use the protocol used in the main document. This is particularly useful if you have an application that has to work with both HTTP and HTTPS. Examples

<img src="//domain.tld/image-slug.png" />
<link href="//,400,700" rel="stylesheet" type="text/css">

If you want to secure all requests to your site, even if the user uses HTTP, you can add a rule to your .htaccess with the following code:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteCond %{HTTP_HOST} ^(dominio\.pt)
    RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI}%{QUERY_STRING} [L,R]


Great! Now you have made a Web a safer place and you won a green lock in Chrome's address bar. I hope this was useful to you. If you have any questions, please leave them in the comments.