How to Install an SSL Certificate (2024)

With an SSL certificate, your website can use the HTTPS protocol to securely transfer information from point A to B. This is crucial when transferring sensitive information like credit card data on checkout pages and personally identifiable information (PII) on login and contact forms.

In addition to security benefits, websites with SSL encryption get better rankings on Google and improved performance through the use of HTTP/2. It’s also important to understand thatSSL does not protect your website— rather, it protects the data that is sent through your website.

This guide is designed to show beginners and intermediate users how to add a free SSL certificate from Let’s Encrypt on their self-hosted websites.

It is now easier than ever to use HTTPS on your website. Beginners should start by having a conversation with their hosting company about the options they offer.

There are a few easy ways to add SSL to your website:

1. Some hosts offer free SSL, including one-click SSL options (i.e. SiteGround, WPEngine).
2. Many hosts offer paid SSL and will implement the certificates for you (i.e. GoDaddy).
3. Intermediate users can generate their own free SSL certificate (i.e. Certbot / Let’s Encrypt).

Regardless of the type of certificate you choose, the encryption and level of security is the same.

Some visitors recognize the additional authenticity and trust offered extended validation (EV) and organization validated (OV) certificates due to their rigorous validation process.

There are three types of certificates to be familiar with:

Domain Validated (DV)

DV certificates only need the certificate authority to verify that the user requesting the certificate owns and administers the domain. Visitors will see a lock icon in their address bar, but no specific information about the owner.

Organization Validated (OV)

OV certificates require a certificate authority to confirm the business making the request is registered and legitimate. When visitors click the green lock icon in their browser, the business name is listed.

Extended Validation (EV)

EV certificates require even more documentation for the certificate authority to validate the organization. Visitors will see the name of the business inside the address bar (in addition to clicking the lock icon); however, most updated browsers no longer display the EV visual indicator.

It’s important to understand the difference between commercial and free certificates.

Commercial (paid) SSL certificates

These are a decent option for many website owners. Paying a certificate authority (or your hosting company) will often give you the benefits of technical support. The encryption level is the same as with free SSL certificates. The key differentiator will come in the level of support you get with your certificate.

Free SSL certificates

These are being spearheaded by theLet’s Encryptinitiative – an open collaboration between a number of global organizations focused on making SSL certificates accessible to all website owners.

You can also get the benefits of SSL certificates through cloud providers, such as content delivery networks (CDNs) andwebsite application firewalls (WAFs)solutions like the one from Sucuri, who offer it at no additional charge.

These services are a proxy between the visitor and your website. By changing your domain records to point to their servers, they can cache your content tomake your website fasterand filter out malicious traffic. This also means that the browser recognizes which server IPs are connected to your domain, allowing for the use of DV certificates.

These providers can also work with your own SSL certificate. If you are a Sucuri customer, you can contact our technical support team for information and assistance.

The following guide works best if you have a dedicated IP for your site (through a VPS or dedicated server). If you’re on a shared platform, talk to your host about deploying Let’s Encrypt; a number of hosts have automated the process of deploying a free SSL for shared hosting accounts. It is possible to use server name indication (SNI) with one server IP address and generate certificates for all sites on the server.

The rest of this guide will assume you have full access and control of your web server.

You will need the following information about your server:

• IP address
• Server username (with admin or sudo privileges)
• User password (or preferably SSH key authentication)
• Software (i.e. Apache, nginx, IIS)
• Operating system and version number (i.e. Debian 7, Ubuntu 16.04, etc.)

Now that you have all the required information, you can connect to your server and install a tool that will generate an SSL certificate.

From your computer, you need a way to log into your server and send SSH commands. If you are on a Mac, you can use Terminal (built-in application) and on Windows you can download PuTTY. Some hosts also offer a web interface for running commands on your server.

Here is a quick overview of how you can get a free SSL certificate from Let’s Encrypt using the Certbot tool.

Overview of steps to use Certbot:

1. Connect to your server over SSH using the IP address, username, and password.
2. Visit theCertbot websiteand choose your server operating system and software.
3. Follow the instructions given for your server to do the next steps.
4. Run any commands listed to install dependencies.
5. Run the commands listed to install Certbot.
6. Run the commands listed to generate the certificate.
7. Provide an email address when prompted.
8. Agree to the terms when prompted.
9. Run the commands listed to test renewals under Automating Renewal.
10. Set up a cron or systemd job on your server to automate the renewal process

The following images and animations illustrate the entire process for a server using Apache on Ubuntu 16.04.

Make a Secure Backup

After generating the certificate the Important Notes shows the location of your Certbot configuration directory. This contains your account credentials, certificate, and private keys.

You should navigate to this location on your server and download a backup. If you aren’t sure how to do this, you can follow our post onhow to make backups over the command line.

Now you have an active SSL certificate on your site! Your certificate will expire, however. Let’s Encrypt certificates are only valid for 90 days. You can automate this process so you don’t have to remember to manually renew the certificate.

It’s recommended to set the cron or systemd job to renew the certificate twice a day. Before you begin, note the location of your Certbot configuration directory from the previous step.

To schedule the cron job that renews the SSL certificate:

1. Connect to your server.
2. Run the commandcrontab -e
3. If prompted, choose a text editor (i.e. nano)
4. Enter the following command, taking care to replace the location with the one provided when you generated the certificate:
   52 0,12 * * * root /var/log/letsencrypt/certbot-auto renew --quiet
5. Open your website to verify it is operational

You can view thefull documentation on Certbot renewalsfor more information.

These charitable organizations are working to help make the internet a safer place for everyone. While these tools are free, you can donate to help support both Let’s Encrypt and Certbot.

1. https://letsencrypt.org/donate/
2. https://supporters.eff.org/donate/support-work-on-certbot

We’ve outlined instructions below for how to manually install a certificate (free or paid) using a hosting control panel such as Plesk or cPanel

How to install an SSL cert via the Plesk control panel:

1. Generate a CSR login to thePlesk admincontrol panel.
2. In the Websites and Domains section for the domain name you want to use, clickSSL/TLS Certificates.
3. ClickAdd SSL Certificate.
4. Enter aCertificate name, complete the fields in theSettingssection, and then clickRequest.
5. Click the name of the certificate you added to Plesk.

Your certificate signing request displays in theCSRsection.

How to upload your SSL certificate:

1. Login to thePlesk admincontrol panel.
2. In the Websites and Domains section for the domain name you want to use, clickSSL/TLS Certificates.
3. Use theUpload the certificate filessection to upload the certificate files from your local machine, and then clickSend Files.

How to activate your SSL certificate:

1. Go to theWebsites & Domainstab of the Plesk admin control panel.
2. In the section for the domain name you want to use, clickHosting Settings.
3. In theSecuritysection, selectSSL support.
4. Select theCertificateyou created, and then clickOK.

How to generate a new Certificate Signing Request (CSR):

1. Log into your cPanel admin
2. From the cPanel home page, go to Security section, and then click SSL/TLS
3. Under Certificate Signing Requests (CSR), click Generate, view, or delete SSL certificate signing requests.
4. Complete the fields in the Generate a New Certificate Signing Request (CSR) section.
5. At the bottom of the form, click the Generate button.
6. On the new page, your CSR will display in the Encoded Certificate Signing Request section. You’ll need to make a copy of the CSR to request an SSL certificate.

How to install the SSL certificate:

1. Launch cPanel admin.
2. In the Security section, click SSL/TLS.
3. Under Certificates (CRT), click Generate, view, upload, or delete SSL certificates.
4. Use the Upload Certificate section to upload the primary certificate (.crt file with randomized name) from your local machine and click Upload Certificate.
5. On the new page, click Go Back.
6. Scroll down to the bottom of the SSL Certificates page and click Return to SSL Manager.
7. Under Install and Manage SSL for your site (HTTPS), click Manage SSL Sites.
8. Scroll down to the Install an SSL Website and click Browse Certificates.
9. Select the certificate that you want to activate and click Use Certificate. This will auto-fill the fields for the certificate.
10. Scroll down to the bottom of the page and click Install Certificate.
11. On the Successfully Installed pop up, click OK

To force visitors to access your site only over HTTPS, you can edit your.htaccessorweb.configfile depending on your operating system and configuration. You can find this in the root of your site, and you may need to show hidden files to find it. Make sure to backup your control files before making any changes.

There are other methods for Apache, such as using yourvirtual host file. If you use an IIS server you can follow instructions to use the URLRewrite Moduleand nginx servers can use thenginxconfiguration file.

Copy this directive into the .htaccess file to redirect HTTP visitors to the HTTPS version of your site:

Code Snippet – Add into .htaccess file:

While your site is now available on HTTPS, you might still have resources linked to your website that load over HTTP. This includes things like images, videos, and external resources.

Browsers will block this content as “unsafe”, which can also cause broken functionality of your site and security warnings in browsers.

You can use the same SSH access that you used to generate the certificate to run a command and find any files that reference http:// directly.

To find resources loading over HTTP, run the following command:

grep -r "http://"

This will list all files to investigate in your server or CMS. Simply change all resource URLs fromhttp://tohttps://or to a relative path.

You should also query your database or manually look through posts and pages for HTTP content. There are plugins and extensions available that can automate the process of rewriting URLS using HTTP to HTTPS (i.e.Really Simple SSLfor WordPress).

If the HTTP resource is stored on your own website, we recommend using the relative directory and filename as follows.

Absolute Path:

<img src="https://example.com/images/pic.jpg">

Relative Path:

<img src="/images/pic.jpg">

The last thing to prepare for is the potential negative impacts of using HTTPS. Following the steps below should help to minimize them.

Once configured, add and verify the new HTTPS site inGoogle Search Console. This will allow you to recrawl your site and submit a new XML sitemap with your HTTPS URLs.

For many SEO elements like “rel=canonical” and “open graph” tags, it is advisable to use an absolute URL, as these are read externally by social media sites and search engine crawlers.

It’s important to note that there will be a period of normalization after applying SSL, but in the end, it is a confirmed ranking signal according to Google.

Similarly, social sharing counters for older content will likely become invalid. This is because now there is a new URL starting with HTTPS rather than HTTP, and many tools count each as a separate URL with its own engagement metrics.

HTTPS is a great thing for the internet as a whole, it helps keep communication secret between users and the websites they visit. SSL secures data in transit but does not secure the website itself.

Website security is much more comprehensive than HTTPS/SSL alone. Think of HTTPS/SSL as one of many security controls to consider when thinking about your website’s security. Deploying HTTPS/SSL on your website does little to ensure your visitors are safe if you do not take to establish a secure hosting environment, such as using secure passwords and updating all website software.

We encourage website owners to think about website security holistically and consider leveraging awebsite security platformthat offers a complete suite of security controls: protection, detection, monitoring, and incident response. If you have more questions on how platforms work or questions about this article please direct them to our team atinfo@sucuri.net.