• Monday, December 1, 2025

This guide outlines the essential steps for obtaining and installing a commercial SSL certificate within the Plesk control panel. Securing your website with an SSL certificate is crucial for encrypting data, protecting user privacy, and building trust. This process involves generating a Certificate Signing Request (CSR), validating domain ownership, installing the certificate files, and finally applying it to your domain.

While free SSL options like Let's Encrypt are available and offer a simplified installation process, this guide focuses specifically on commercial SSL certificates. If you are migrating an existing certificate from another provider or acquiring a new commercial certificate, the following instructions will guide you through each stage.

The guide is divided into distinct sections to help you navigate the process efficiently: Part A will walk you through generating your certificate signing request, which is a crucial first step. Part B covers the process of acquiring your certificate and validating your domain. Part C details the installation of the necessary certificate files in Plesk, and Part D explains how to apply the newly installed certificate to your domain to activate encryption.

If you already possess your SSL certificate files, you may proceed directly to Part C for installation and activation within Plesk.

Prerequisites for SSL Certificate Installation

Before you begin, ensure you have the following:

  • Access to your client area if you purchased your certificate through a hosting provider, to manage your services and download certificate files.
  • Direct access to your Plesk control panel. This is essential for generating the Certificate Signing Request (CSR) and installing the SSL certificate.

Part A: Generating Your Certificate Signing Request (CSR)

The first step in obtaining a commercial SSL certificate is to generate a Certificate Signing Request (CSR). This special encrypted text block contains information about your domain and organization, which will be sent to a Certificate Authority (CA) for verification and certificate issuance. A Certificate Authority is a trusted entity, such as Comodo, GeoTrust, or Symantec, that issues digital certificates. Often, certificates are obtained through a reseller, which facilitates the process.

  1. Log in to your Plesk control panel.
  2. Navigate to the "Websites & Domains" tab.
  3. Locate and click on the "SSL/TLS Certificates" or "Secure Your Sites" button.
  4. Select the "Add SSL Certificate" option. Even if you are renewing an existing certificate, it is generally recommended to generate a new CSR rather than reusing an old one.
  5. Assign a descriptive name to your certificate. This name is for your internal reference within Plesk and should help you easily identify the certificate, especially if you manage multiple domains or certificates. For instance, including the domain name and the acquisition date (e.g., yourdomain.com January 2024) can be beneficial.
  6. Review and adjust your contact information as needed. The details provided here, including your organization's name and contact email, will be embedded within the SSL certificate itself. It is critical that this information is accurate and matches your domain registration details. The email address provided must be accessible to you, as the certificate provider will use it for validation and to send your certificate files. Inaccurate information may lead to rejection by the SSL Certificate Provider.
  7. The "Domain name" field should be set to your primary domain name without the "www." prefix.
    • For Subdomains: If you intend to secure a specific subdomain, enter the full subdomain name (e.g., blog.yourdomain.com), again, without the "www." prefix.
    • For Wildcard Certificates: If you have purchased or plan to purchase a wildcard certificate to secure all subdomains, enter *.yourdomain.com.
  8. At this stage, you can disregard any sections below "Settings." These fields are typically populated after you have received your signed certificate from the CA.
  9. Click the "Request" button to generate your CSR. Plesk will likely redirect you to the list of certificates. Click on the name of the certificate you just created to view its details. Here, you can review the generated CSR and the associated Private Key. It is imperative to save the Private Key in a secure location. This key, along with the certificate, is essential for installation and re-installation should it ever be required. Losing the Private Key will necessitate purchasing a new certificate.

Part B: Acquiring and Validating Your SSL Certificate

Once you have generated your Certificate Signing Request (CSR), the next step involves acquiring your SSL certificate from a Certificate Authority (CA) or a reseller, and then validating your domain ownership. If you have not yet acquired an SSL certificate, you will need to do so now from a reputable provider.

If you have already purchased a certificate or are renewing an existing one, you will proceed to "configure" it. This usually involves logging into your provider's client portal, locating your SSL certificate service, and initiating the configuration process.

During the SSL configuration phase, you will be required to submit the CSR you generated in Part A. Following this, you will need to validate that you are the legitimate owner of the domain for which the certificate is being issued. Certificate providers typically offer several methods for domain validation. The most common types include:

1. Email Validation (Most Common Method)

Email validation is often the simplest and quickest method, particularly useful if your website is not yet live on its intended host or if you don't have direct access to your domain's DNS settings. When you select this option, you will be presented with a predefined list of email addresses associated with your domain (e.g., [email protected], [email protected], [email protected]). You must choose one of these addresses to receive an approval email. After submitting your certificate request, an email will be sent to the selected address, asking for your authorization. Simply follow the instructions in the email, which typically involves clicking a link and confirming your approval, to complete the validation.

2. HTTP Validation

HTTP validation is an excellent choice if your website is already live and accessible on your hosting server. With this method, the certificate provider will instruct you to create a specific directory structure and place a unique validation file within your website's root directory. You will typically be provided with:

  1. A precise directory path to create within your web root.
  2. A specific filename to use for the validation file.
  3. The exact content to be placed inside that file.

You can achieve this using an FTP client or your Plesk File Manager. For most primary domains in Plesk, the web root is the httpdocs folder. You will navigate to this folder, then create the directory .well-known (including the preceding dot) if it doesn't exist. Inside .well-known, create another folder named pki-validation. Once in the pki-validation folder, create a new file using the exact filename provided by your CA and insert the exact string of content into it. Both the filename and content are usually randomly generated strings unique to your validation request.

Once the file is correctly placed and accessible via a web browser, the CA will automatically detect it and proceed with validation. You then simply wait for the validation process to complete and for your certificate to be issued.

3. DNS Validation

DNS validation offers an alternative to email or HTTP methods, requiring you to modify your domain's DNS records. If you choose this option, you will need to log in to your domain's DNS hosting provider (where your domain's nameservers are managed) and use their interface to add a new DNS record. The certificate provider will supply you with:

  1. The specific type of DNS record to add (commonly CNAME or TXT).
  2. A unique subdomain value.
  3. A random string of characters to use as the record's value.

When adding the record, ensure the type matches the CA's specification (e.g., CNAME). Enter the subdomain value as instructed (e.g., _randomstring.yourdomain.com) and input the provided random string into the value field. Save your changes, and the CA will verify ownership by checking for this specific DNS record.

Upon successful validation, which can take anywhere from an hour to up to 24 hours (especially for DNS changes to propagate), the Certificate Authority will issue your SSL certificate. This will typically be sent to the email address you specified when generating the CSR in Part A.

Part C: Installing the SSL Certificates in Plesk

After your domain ownership has been successfully validated, you will receive your SSL certificate from your supplier, typically via email. This process usually completes within 24 hours, though some certificates requiring more extensive organizational verification may take longer. The email from your SSL provider should contain at least two essential files: your primary SSL certificate file and a CA Bundle (or intermediate certificate) file. If you acquired your certificate through a hosting provider, you might also be able to download these files directly from your client portal.

Uploading the Certificate and CA Certificate to Plesk

  1. Log in to your Plesk control panel.
  2. Navigate to the "Websites & Domains" tab and then select the specific domain for which you are installing the certificate.
  3. Click on the "SSL/TLS Certificates" button, and then proceed to "Advanced Settings" if available.
  4. From the list of certificates, select the certificate name you created earlier in Part A.
  5. Under the section titled "Upload the certificate files," you will find options to upload your certificate files. First, click the button to select your primary SSL certificate file from your computer. Then, repeat this step for the CA Certificate/Bundle file. It is crucial to upload both files correctly. (Tip: If you choose to copy and paste the certificate data under the "Upload the certificate as text" heading, ensure you include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" markers, as these are integral parts of the certificate data.)
  6. Finally, click the "Upload Certificate" button.

Your SSL certificate is now successfully installed within Plesk!

If there is a mismatch between the uploaded certificate and the Private Key generated earlier, Plesk will display an error message. A matching Private Key and Certificate are absolutely essential for a functional SSL installation. If an error occurs, you will need to ensure you have the correct, matching files. Upon successful upload, you will be redirected to the list of certificates, indicating that the installation is complete and ready for application.

Part D: Applying Your SSL Certificate to a Domain

With the SSL certificate now installed in your hosting plan, the final step is to configure your domain to actively use it. This involves telling your domain to secure its traffic with the newly uploaded certificate.

  1. If you are not already logged in to Plesk, do so now.
  2. Navigate to the "Websites & Domains" tab. If you see a list of domains, click on the specific domain to which you wish to apply the certificate.
  3. Locate and click either the "Web Hosting Settings" button or a similar link labeled "Hosting Settings" next to your domain name.
  4. On the hosting settings page, ensure the "Enable SSL Support" checkbox is selected. Below this option, a dropdown menu should appear, allowing you to select your new SSL certificate. If only one certificate exists for the domain in Plesk, it may be automatically selected.
  5. Scroll down to the bottom of the page and click "OK" to save the changes and apply the certificate to your domain.

You can now verify the successful installation by visiting your website using https://yourdomain.com. It may take a minute or two, and you might need to clear your browser cache or refresh the page several times to ensure your browser retrieves the new secure connection. A padlock icon in your browser's address bar indicates a successful SSL connection.

To further enhance security, it is highly recommended to configure your website to automatically redirect all HTTP traffic to HTTPS, ensuring that all visitors access your site securely. Refer to your server or website platform's documentation for instructions on how to force HTTPS across your entire site.

Troubleshooting Common SSL Issues

Even with careful installation, issues can sometimes arise. Here are some common troubleshooting steps and resources:

Using an SSL Checker Tool

An online SSL checker tool, such as SSL Shopper's SSL Checker, is an invaluable resource for diagnosing SSL installation problems. This tool can analyze your certificate chain, verifying that your site's certificate, intermediate certificates, and root certificate are correctly installed and linked. It will visually represent the certificate chain and highlight any missing certificates or incorrect order.

The SSL Checker Tool Shows a Broken Link

If an SSL checker tool indicates a broken link in your certificate chain, this typically means that the CA Bundle (intermediate certificate) provided by your issuer is not correctly configured or is missing, preventing your primary certificate from linking properly to the trusted root certificate. In such cases, you will need to contact your SSL certificate provider for assistance in resolving this issue. They can provide guidance on ensuring the complete certificate chain is correctly installed.

SSL Checker Indicates Correct Installation, But No Lock Icon Appears

If an SSL checker confirms that your certificate is installed correctly, but your browser still doesn't display the padlock icon when visiting the HTTPS version of your site, it often points to "mixed content" issues. This occurs when a secure HTTPS page attempts to load resources (like images, scripts, or CSS files) insecurely over HTTP. Your browser blocks these insecure requests, or at least flags them, to prevent potential vulnerabilities, which results in the absence of the padlock icon.

To resolve mixed content warnings, you'll need to inspect your website's code and identify the resources loading via HTTP. Your browser's developer tools (usually accessible by pressing F12) can help pinpoint these files in the Console or Network tab. Once identified, you should modify your website's code to ensure all resources are loaded securely using either relative paths (e.g., /path/to/image.jpg) or protocol-agnostic URLs (e.g., //yourdomain.com/path/to/image.jpg instead of http://yourdomain.com/path/to/image.jpg).

Back