
Installing Third-Party SSL Certificates Manually in cPanel

When AutoSSL isn't enough - installing paid SSL certificates like wildcards, EV, or organization-validated certs purchased outside iWebVault.

AutoSSL via Let’s Encrypt handles 95% of SSL needs for free. The remaining 5%: you bought a wildcard from somewhere outside iWebVault, you need an Extended Validation (EV) cert for compliance, or your enterprise requires a specific certificate authority. cPanel’s SSL/TLS Manager lets you install these manually. This guide walks through generating a CSR, installing the cert files, and the gotchas around chain certificates.

Do you actually need a paid certificate?

Reasons to use paid SSL:

  • Wildcard for multiple subdomains. Let’s Encrypt supports wildcards via DNS-01 challenge but requires DNS automation. Some setups need a purchased wildcard for convenience.
  • Extended Validation (EV). Visually distinct in browser address bar (showing company name). Some industries require it.
  • Organization Validation (OV). Certificate identifies the legal entity behind the domain.
  • Specific CA requirement. Some industries / payment processors require specific certificate authorities.
  • Warranty terms. Paid certs come with insurance-style warranties (rare actual use).

For typical small business sites: Let’s Encrypt is sufficient. AutoSSL handles renewal automatically; browsers display the same “secure” indicator as paid certs.

The flow at a glance

  1. Generate a private key + Certificate Signing Request (CSR) in cPanel.
  2. Submit CSR to your certificate authority (Comodo, DigiCert, Sectigo, etc.) and complete validation.
  3. The CA issues the certificate. You then work with three files: the certificate (.crt), the CA bundle (.ca-bundle), and the private key (which you already have).
  4. Install the cert + key + bundle in cPanel SSL/TLS Manager.
  5. Verify it’s serving on the domain.

Step 1: Generate private key and CSR

  1. cPanel → Security → SSL/TLS.
  2. Click Generate, view, or delete SSL certificate signing requests.
  3. Click Generate a New Certificate Signing Request (CSR).
  4. Fill in:
    • Key — pick “Generate a new 2,048 bit key” (or 4096 for higher security).
    • Domains — your domain (yourdomain.com). For wildcard, use *.yourdomain.com.
    • City, State, Country — your business location.
    • Company — your legal entity name (matters for OV/EV).
    • Company Division — like “IT Department” (optional).
    • Email — for CA correspondence.
    • Description — note about which domain this is for.
  5. Generate.

cPanel displays both the CSR (long text block starting -----BEGIN CERTIFICATE REQUEST-----) and stores the private key.

Copy the CSR text. You’ll paste this into your CA’s order form.

Step 2: Submit CSR to certificate authority

Process varies by CA but generally:

  1. Log into your CA account (or a reseller partner like Namecheap, Cheapsslsecurity, etc.).
  2. Choose your certificate product.
  3. Paste your CSR.
  4. Complete domain validation:
    • Email validation — receive email at admin@, hostmaster@, etc. (must have those addresses or forwarders).
    • DNS validation — add a TXT record they specify.
    • HTTP file validation — upload a specific file to your site root.
  5. For OV/EV — additional business documentation (articles of incorporation, etc.).
  6. CA issues certificate within minutes to days depending on validation type.

You receive an email with the issued cert files attached or available for download.

Step 3: Install the certificate

  1. cPanel → Security → SSL/TLS.
  2. Click Manage SSL sites (Install and Manage SSL).
  3. Select your domain from the dropdown.
  4. Three fields:
    • Certificate (CRT) — paste your issued certificate. Begins -----BEGIN CERTIFICATE-----.
    • Private Key (KEY) — cPanel auto-fills from the key you generated earlier. Verify it’s there.
    • Certificate Authority Bundle (CABUNDLE) — paste the intermediate certificates the CA sent.
  5. Install Certificate.

Within seconds the cert is active. Visit your site at https://yourdomain.com and click the padlock; it should show the new cert.

About the CA bundle (intermediate certificates)

The “chain of trust” goes: your certificate → intermediate CA → root CA. Browsers trust roots; intermediates connect roots to your cert.

If you don’t install the CA bundle, browsers may show:

  • “Certificate chain incomplete” warnings.
  • Trust errors on mobile browsers / older browsers (they don’t auto-fetch intermediates).
  • Some payment processors and APIs reject your endpoint.

The CA always provides this bundle in your issuance email. If they sent multiple intermediate files, concatenate them (intermediate cert first, then any sub-root) in the CABUNDLE field.

Test installation

  • Visit SSL Labs Test — enter your domain. Get a full report with grade (aim for A or A+) and chain validity.
  • Test mobile browser specifically (often catches chain issues desktop misses).
  • Test from a different network or use online checkers like sslshopper.com.

Renewing third-party certificates

Unlike AutoSSL, paid certs do NOT auto-renew. You must:

  1. Receive renewal notice from CA (typically 30-60 days before expiration).
  2. Pay the renewal.
  3. Generate a new CSR (best practice — gives you a new key too).
  4. Submit, validate, receive new cert.
  5. Install new cert via Manage SSL sites (overwrites the old one).

Set a calendar reminder for 45 days before expiration. Expired certificates instantly break HTTPS for visitors — browsers refuse to load.

If you forget and the cert expires, AutoSSL may automatically take over with a Let’s Encrypt cert — verify after.

Wildcard certificate notes

Wildcard *.yourdomain.com covers all single-level subdomains (blog.yourdomain.com, shop.yourdomain.com). It does NOT cover:

  • The bare domain yourdomain.com (without subdomain). It has to be covered separately with a Subject Alternative Name (SAN) entry.
  • Two-level subdomains like staging.blog.yourdomain.com.

Make sure the CSR includes both yourdomain.com and *.yourdomain.com as SANs, or buy a multi-domain wildcard.
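The coverage rules above can be checked against an issued certificate with OpenSSL's own hostname matcher. This is an added example, not part of the original guide or of cPanel: the helper names are hypothetical, and the two throwaway self-signed certificates stand in for what a CA would issue.

```bash
#!/bin/sh
# Added example: list the hostnames a certificate does NOT cover.
# Certificates and hostnames are constructed for illustration.

# 0 if CERT is valid for HOST according to OpenSSL's own hostname matcher.
covers_host() {  # covers_host CERT HOST
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Print each HOST that CERT does not cover, one per line.
uncovered_hosts() {  # uncovered_hosts CERT HOST...
  local cert h
  cert=$1; shift
  for h in "$@"; do
    covers_host "$cert" "$h" || printf '%s\n' "$h"
  done
}

# Throwaway self-signed cert with the given SAN list, standing in for the
# certificate the CA would issue (needs OpenSSL 1.1.1+ for -addext).
make_san_cert() {  # make_san_cert OUT.pem "DNS:a,DNS:b"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo" \
    -addext "subjectAltName=$2" -keyout /dev/null -out "$1" 2>/dev/null
}

wild=$(mktemp) && both=$(mktemp) || exit 1
make_san_cert "$wild" "DNS:*.yourdomain.com" || exit 1
make_san_cert "$both" "DNS:yourdomain.com,DNS:*.yourdomain.com" || exit 1
set -- yourdomain.com blog.yourdomain.com shop.yourdomain.com \
       staging.blog.yourdomain.com
echo "wildcard SAN only, not covered:";    uncovered_hosts "$wild" "$@"
echo "bare + wildcard SANs, not covered:"; uncovered_hosts "$both" "$@"
rm -f "$wild" "$both"
```

Run `uncovered_hosts` against the real .crt with every hostname the site answers on before installing it.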

Forcing HTTPS site-wide

Cert installation alone doesn’t force HTTPS — visitors arriving at http:// still get plain HTTP. Add to .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

.htaccess essentials.

Common issues

“Certificate and key don’t match.” Either you generated the CSR on one server and are installing the certificate on another, or the cert was issued without using your CSR’s key. Regenerate the CSR on the target server and request a reissue from the CA.

“Browser shows incomplete chain.” CA bundle missing or incomplete. Get the intermediate certificates from the CA and install them in the CABUNDLE field.

“Cert installs but site still shows old AutoSSL cert.” Browser cache. Hard refresh, or test in incognito.

“My cert expired and AutoSSL didn’t take over.” AutoSSL exclusions may be in place to preserve your paid cert. cPanel → SSL/TLS Status → check that AutoSSL is enabled for your domain.

“Lost my private key.” The private key is generated when you create the CSR and stored in cPanel. If the cPanel record is deleted or corrupted, you can’t install the matching cert. The CA can reissue against a fresh CSR that you generate, but the old cert is then unusable.
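The first two issues above (key mismatch, incomplete chain) and the CA bundle requirement can be checked with the openssl command line before anything is pasted into Manage SSL sites. This is an added example, not iWebVault or cPanel tooling: the function names and file names are hypothetical, and the script builds its own throwaway root, intermediate and leaf to run against.

```bash
#!/bin/sh
# Added example: pre-install checks for the CRT, KEY and CABUNDLE fields.
# The demo PKI and all file names are constructed for illustration.

# 0 if CERT's public key is the one derived from private KEY.
cert_matches_key() {  # cert_matches_key CERT KEY
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$c" = "$k" ]
}

# 0 if CERT chains to ROOT. BUNDLE goes in as -untrusted: it may supply
# intermediates but is never itself treated as a trust anchor.
chain_is_complete() {  # chain_is_complete ROOT CERT [BUNDLE]
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2"
  else
    openssl verify -CAfile "$1" "$2"
  fi >/dev/null 2>&1
}

new_csr() {  # new_csr BASENAME COMMON_NAME -> BASENAME.key, BASENAME.csr
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Constructed 2-day PKI in DIR: root -> inter -> leaf, plus an unrelated key.
make_demo_chain() {  # make_demo_chain DIR
  local d; d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_csr "$d/root" "Demo Root" && new_csr "$d/inter" "Demo Intermediate" &&
  new_csr "$d/leaf" "yourdomain.com" && new_csr "$d/other" "unrelated" &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_chain "$demo" || exit 1
cert_matches_key "$demo/leaf.pem" "$demo/leaf.key"  && echo "own key: match"
cert_matches_key "$demo/leaf.pem" "$demo/other.key" || echo "other key: MISMATCH"
chain_is_complete "$demo/root.pem" "$demo/leaf.pem" "$demo/inter.pem" && echo "with bundle: chain complete"
chain_is_complete "$demo/root.pem" "$demo/leaf.pem" || echo "without bundle: chain INCOMPLETE"
rm -rf "$demo"
```

With real files, pass the CA's root certificate (or the system trust bundle) as ROOT and the exact text destined for the CABUNDLE field as BUNDLE.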

When to ask for help

  • Cert is for a regulated industry (banking, healthcare) and you need certainty.
  • Chain issues that the CA’s docs don’t resolve.
  • Migrating an existing cert from another server.
  • EV certificate validation getting stuck on business documentation.

Open a ticket — for paid cert installation, we can do it for you if you provide the cert files.

What’s next

Most sites don’t need paid certificates. When you do — wildcard for many subdomains, EV for compliance, specific CA for a vendor — the cPanel SSL/TLS Manager handles installation cleanly. Five steps: CSR, submit, validate, install, verify. The most common failure point is the CA bundle — don’t skip that field.
