SSL Installation: How to Install an SSL Certificate?
SSL installation has two phases — Validation and Deployment — completed in six steps. You prove domain ownership through email, DNS TXT record, or HTTP file upload; then install the issued certificate on your server. This hub article covers all three major environments — cPanel, Plesk, and Microsoft IIS — and links to dedicated step-by-step guides for each.
💼 If you issue SSL certificates for client websites
Domain Name API's reseller program lets you manage bulk orders, automate renewals via API, and integrate directly with WHMCS.
SSL Installation at a Glance: 6 Steps
- Choose a validation method
email (admin@), DNS TXT record, or HTTP file upload. Only one is needed. - Generate a CSR on your server
a Private Key is created automatically at the same time. Keep it safe. - Submit the CSR
provide the code during SSL activation in your Domain Name API account. - Complete domain validation
confirm email link, add DNS TXT record, or upload the HTTP validation file. - Install the certificate
follow the guide for your control panel: cPanel, Plesk, or IIS. - Verify HTTPS
check the padlock in your browser and confirm the HTTP-to-HTTPS redirect is active.
What You Need Before You Start
| Requirement | Details |
|---|---|
| Domain name | The exact domain the certificate covers. Use *.example.com for Wildcard SSL. |
| CSR code | Generated on the hosting server. Contains domain name, org details, and public key. |
| Private Key (auto-created) | Created alongside the CSR. Required during installation — do not delete it. |
| Validation access | One of: an accessible admin inbox, DNS management panel, or web server file access. |
| Control panel | cPanel, Plesk, or IIS — determines how you generate the CSR and install the cert. |
| CA Bundle | Provided by the certificate authority alongside the certificate. Required for chain trust. |
Step-by-Step: SSL Installation
Step 1 — Choose Your Domain Validation Method
DV SSL certificates require proof that you control the domain. Certificate authorities support three methods. Only one is required:
| Method | How It Works | Best For |
|---|---|---|
| Email Validation | An approval link is sent to admin@ or another standard address on your domain. | When you can create an email inbox on the domain. |
| DNS TXT Record | A unique TXT value is added to your domain's DNS zone and checked automatically. | When no mailbox is available, or you need to automate issuance. |
| HTTP File Validation | A small validation file is uploaded to a specific path on your web server. | When you have direct file access to the web server root. |
Standard email addresses accepted for DV SSL validation:
- admin@yourdomain.com
- administrator@yourdomain.com
- webmaster@yourdomain.com
- hostmaster@yourdomain.com
- postmaster@yourdomain.com
⚠️ If you choose email validation, at least one of these addresses must exist and be accessible before activation. If the email doesn't arrive, check your spam folder before contacting support.
Step 2 — Generate a CSR
A CSR (Certificate Signing Request) is an encrypted block containing your domain name, organization details, and your server's public key. When you generate a CSR, your server simultaneously creates a Private Key.
⚠️ Your server creates a Private Key file automatically when you generate the CSR. This file is required during installation. Do not delete the CSR record or Private Key until the full installation is confirmed working.
| Control Panel | How to Generate the CSR |
|---|---|
| cPanel | Security > SSL/TLS > Generate an SSL Certificate and Signing Request |
| Plesk | SSL/TLS Certificates > Add SSL/TLS Certificate — fill in the fields and click Request |
| Microsoft IIS | IIS Manager > Server Certificates > Create Certificate Request wizardFull guide: https://www.domainnameapi.com/knowledge-base/how-to-generate-csr-code-using-iis |
To decode and verify your CSR before submitting, use a standard CSR decoder tool.
Step 3 — Submit the CSR
Submit your CSR code during SSL activation through your Domain Name API account. The certificate authority uses it to verify your domain and generate your certificate. Reseller accounts can manage all activations from the reseller panel at https://www.domainnameapi.com/ssl-reseller.
💼 If you're operating as a reseller
manage activations and raise support requests through your Domain Name API reseller panel. This ensures priority handling and a full audit trail.
Step 4 — Complete Domain Validation
The action required depends on the method you chose:
- Email: Click the approval link sent to your admin address. The link is typically valid for 24–72 hours.
- DNS TXT: Add the TXT record value provided by the CA to your DNS zone. Propagation takes 5–30 minutes; validation is then checked automatically.
- HTTP File: Upload the CA-provided file to the specified path — e.g., example.com/.well-known/pki-validation/filename.txt
ℹ️ DNS and HTTP validation are checked automatically once the record or file is in place. No email confirmation step is required.
Step 5 — Install the Certificate
Once validated, the certificate authority issues your certificate — typically within minutes for DV SSL. Install it using the guide for your environment:
| Platform | Topic | Full Guide URL |
|---|---|---|
| Plesk | SSL Certificate Installation | https://www.domainnameapi.com/knowledge-base/plesk-panel-ssl-installation |
| cPanel | SSL Certificate Installation | https://www.domainnameapi.com/knowledge-base/cpanel-ssl-installation |
| Microsoft IIS | CSR Code Generation | https://www.domainnameapi.com/knowledge-base/how-to-generate-csr-code-using-iis |
| Microsoft IIS | SSL Certificate Installation | https://www.domainnameapi.com/knowledge-base/how-to-install-ssl-certificate-on-iis |
ℹ️ Always include the CA Bundle (intermediate certificate chain) during installation. A missing CA Bundle is the leading cause of browser 'certificate chain' errors after deployment.
Step 6 — Verify HTTPS
Open your website in a browser and check the padlock in the address bar. Confirm the HTTP-to-HTTPS redirect is active. Use any standard SSL checker tool to verify the certificate chain, expiry date, and configuration.
CSR and Private Key: What Gets Created and Why It Matters
CSR generation is a paired process. Your server creates two items simultaneously:
| Item | Role |
|---|---|
| CSR (Certificate Signing Request) | Sent to the certificate authority. Contains domain, organization, and public key. Safe to share. |
| Private Key | Stays on your server. Must remain confidential. Required to complete installation. Never share or delete before confirming the install works. |
-----BEGIN CERTIFICATE REQUEST-----
MIIByjCCATMCAQAwgYkxCzAJBgNVBAYT...
-----END CERTIFICATE REQUEST-----
⚠️ Always generate the CSR on the server hosting your website. A CSR created on a different machine produces a Private Key mismatch — installation will fail and a new CSR will be required.
Common SSL Installation Mistakes
| Mistake | Consequence | Fix |
|---|---|---|
| No validation method prepared | Validation fails; certificate is never issued | Set up email inbox, DNS access, or file server access before activating |
| CSR generated on wrong server | Private Key mismatch; installation fails | Always generate on the server that hosts the website |
| Private Key deleted before install | Certificate cannot be installed; new CSR must be generated | Keep Private Key until installation is confirmed working |
| CA Bundle omitted | Browser 'untrusted chain' error despite a valid certificate | Include the full CA Bundle file during certificate installation |
| HTTPS redirect not configured | Visitors still reach the site via HTTP after installation | Configure a 301 redirect from HTTP to HTTPS |
| Mixed content errors | Browser shows warnings despite valid HTTPS | Ensure all page resources (images, scripts, CSS) load over HTTPS |
Post-Installation Checklist
- Site loads correctly over HTTPS
- Padlock visible in browser address bar
- HTTP redirects automatically to HTTPS (301)
- No mixed content warnings (check browser DevTools: F12 > Console)
- CA Bundle / certificate chain verified — no chain errors
- Certificate expiry date noted
- SSL installation confirmed with an SSL checker tool
Why SSL Matters
| Benefit | Details |
|---|---|
| Data security | Encrypts all traffic between visitor and server — essential for logins, forms, and payment flows |
| HTTPS & padlock | Browsers flag HTTP sites as 'Not Secure.' HTTPS removes that warning immediately |
| User trust | A padlock signals reliability; visitors are measurably more likely to engage and convert |
| SEO signal | HTTPS is one of several positive technical signals for search ranking; HTTP sites start at a disadvantage |
| Compliance | PCI DSS for payments, GDPR for personal data, and most hosting policies now require HTTPS as a baseline |
| API & webhooks | Many third-party APIs and payment gateways require HTTPS endpoints for production integration |
Related Resources
| Resource | URL |
|---|---|
| SSL Reseller Program | https://www.domainnameapi.com/ssl-reseller |
| API Test Platform Information | https://www.domainnameapi.com/domain-name-api-test-platform-information |
| WHMCS Integration | https://www.domainnameapi.com/whmcs |
| Domain Reseller | https://www.domainnameapi.com/domain-reseller |
| Plesk SSL Installation Guide | https://www.domainnameapi.com/knowledge-base/plesk-panel-ssl-installation |
| cPanel SSL Installation Guide | https://www.domainnameapi.com/knowledge-base/cpanel-ssl-installation |
| IIS CSR Generation Guide | https://www.domainnameapi.com/knowledge-base/how-to-generate-csr-code-using-iis |
| IIS SSL Installation Guide | https://www.domainnameapi.com/knowledge-base/how-to-install-ssl-certificate-on-iis |
Frequently Asked Questions
Is a CSR required for SSL installation?
Yes. The CSR is mandatory — the certificate authority uses it to issue a certificate specific to your domain. The Private Key created alongside the CSR is equally required for completing installation on your server.
Can I install SSL without an admin email address?
Yes. Email validation is the most common method, but DNS TXT record validation and HTTP file validation both allow you to verify domain ownership without creating any email inbox. Choose whichever method you have access to.
How does DNS TXT validation work?
The certificate authority generates a unique TXT record value. Add it to your domain's DNS zone at the root or a specified hostname. Propagation typically completes in 5–30 minutes, after which the CA verifies the record automatically and issues the certificate.
What is a Private Key and why does it matter?
A Private Key is a secret file generated on your server at the same time as the CSR. It is cryptographically paired with the certificate — without it, the certificate cannot be installed. Never share it with anyone, and do not delete it until the full installation is confirmed working.
What is a CA Bundle?
A CA Bundle (also called an intermediate certificate chain) is a set of certificates provided by the certificate authority alongside your SSL certificate. It links your certificate back to a trusted root CA. Without it, browsers may display a 'certificate chain' error even if your main certificate is valid. Always include the CA Bundle when installing.
What is a Wildcard SSL certificate?
A Wildcard SSL certificate covers your root domain and all first-level subdomains with a single certificate. The Common Name is written as *.example.com, which covers www.example.com, mail.example.com, shop.example.com, and so on. It does not cover second-level subdomains like sub.sub.example.com.
How long does SSL issuance take?
DV (Domain Validation) SSL certificates are typically issued within minutes of completing validation. OV (Organization Validation) takes 1–3 business days. EV (Extended Validation) usually takes 3–7 business days.
Can I move an SSL certificate to another server?
Yes, but you need both the certificate files and the original Private Key. Export the certificate, CA Bundle, and Private Key from the current server, then import them on the new server through its control panel. If the Private Key was lost, a new CSR must be generated and a certificate reissue requested.
What causes a certificate chain error?
A chain error means the CA Bundle (intermediate certificates) is missing or incomplete. Browsers trust SSL certificates by following a chain from your certificate to an intermediate certificate to a trusted root CA. If any link is missing, the browser displays an 'untrusted chain' error. Fix it by reinstalling with the complete CA Bundle.
Does HTTPS work automatically after installation?
Not by default. The certificate is installed on the server, but an HTTP-to-HTTPS redirect must be configured separately. In cPanel and Plesk this is usually a single toggle. In IIS it requires a URL Rewrite rule. Without it, visitors who type http:// will not be redirected.
How do I install SSL on cPanel?
Go to Security > SSL/TLS > Install and Manage SSL. Paste your certificate, Private Key, and CA Bundle into the relevant fields, then click Install Certificate. Full guide: https://www.domainnameapi.com/knowledge-base/cpanel-ssl-installation
How do I install SSL on Plesk?
Go to Domains > yourdomain.com > SSL/TLS Certificates > Add SSL/TLS Certificate. Paste or upload your certificate and Private Key. Then go to Hosting Settings and enable SSL/TLS support and the permanent HTTPS redirect. Full guide: https://www.domainnameapi.com/knowledge-base/plesk-panel-ssl-installation
How do I generate a CSR in IIS?
Open IIS Manager > click your server name > Server Certificates > Create Certificate Request (Actions panel). Enter your domain details, set Bit Length to 2048 or higher, and save the output file. Full guide: https://www.domainnameapi.com/knowledge-base/how-to-generate-csr-code-using-iis
What happens if a validation link or order expires?
Email validation links typically expire after 24–72 hours. DNS and HTTP validation methods don't expire on their own — they remain active until the CA verifies them or the order times out (usually 30 days). If anything expires, log in to your Domain Name API reseller panel to re-trigger validation without needing to generate a new CSR.
Conclusion
SSL installation is a two-phase, six-step process. Choose your validation method (email, DNS TXT, or HTTP file), generate a CSR on the correct server, protect the Private Key, complete validation, install the certificate with its CA Bundle, and verify HTTPS. The dedicated guides for Plesk, cPanel, and IIS walk through every click with screenshots.
✅ After installation, confirm the certificate chain is complete using any SSL checker tool. A missing CA Bundle is the most common post-install issue and is always resolved by reinstalling with the complete chain.
