How to Install an SSL Certificate

Step-by-step instructions for installing an SSL certificate on Nginx, Apache, IIS, cPanel, Plesk, and Cloudflare. Plus verification with openssl and common installation errors.

You have your SSL certificate files. Now you need to install them on your server so browsers actually use HTTPS when connecting to your site. The exact steps depend on your web server software or hosting platform, but the core concept is the same everywhere: tell your server where to find the certificate, the private key, and the intermediate chain.

This guide covers the most common installation scenarios. If you need a primer on how SSL/TLS works before diving in, see the SSL/TLS guide.

What You Need Before Starting

Before you begin installation, you should have three files:

  1. Your certificate file (.crt or .pem) -- the certificate issued by the CA for your domain.
  2. Your private key (.key) -- generated when you created the CSR. This must match the certificate.
  3. The intermediate certificate bundle (.ca-bundle or chain.pem) -- the CA's intermediate certificates that chain your certificate to a trusted root.

Some CAs provide the certificate and chain as separate files. Others bundle them together. If you are not sure what you have, open the files in a text editor. Each certificate block looks like this:

-----BEGIN CERTIFICATE-----
MIIFjTCCA3WgAwIBAgIRANOx...
-----END CERTIFICATE-----

Your certificate file should have one block. The chain file may have one or more blocks. If you received a single file with multiple certificate blocks, the first one is usually your certificate and the rest are the chain. For a full explanation of certificate chains, see SSL Certificate Chain Explained.

Installing on Nginx

Nginx is one of the most popular web servers, and its SSL configuration is straightforward.

Step 1: Upload Certificate Files

Copy your certificate, private key, and chain to a directory on the server. A common convention:

sudo mkdir -p /etc/nginx/ssl/example.com
sudo cp example.com.crt /etc/nginx/ssl/example.com/
sudo cp example.com.key /etc/nginx/ssl/example.com/
sudo cp ca-bundle.crt /etc/nginx/ssl/example.com/

Set restrictive permissions on the private key:

sudo chmod 600 /etc/nginx/ssl/example.com/example.com.key

Step 2: Combine Certificate and Chain

Nginx expects the certificate and intermediate chain in a single file, with your certificate first.

cat example.com.crt ca-bundle.crt > /etc/nginx/ssl/example.com/fullchain.crt

Step 3: Configure the Server Block

Edit your Nginx server block configuration (typically in /etc/nginx/sites-available/ or /etc/nginx/conf.d/):

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/nginx/ssl/example.com/fullchain.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com/example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /var/www/example.com;
    index index.html;
}

Add an HTTP-to-HTTPS redirect:

server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

Step 4: Test and Reload

# Test the configuration for syntax errors
sudo nginx -t

# If the test passes, reload Nginx
sudo systemctl reload nginx

If nginx -t reports errors, check that the file paths are correct and that the certificate and key match. A mismatched key/certificate pair is one of the most common installation errors.

Installing on Apache

Apache uses the mod_ssl module for HTTPS. On most Linux distributions, it is installed but may need to be enabled.

Step 1: Enable mod_ssl

# Debian/Ubuntu
sudo a2enmod ssl
sudo systemctl restart apache2

# CentOS/RHEL
sudo yum install mod_ssl
sudo systemctl restart httpd

Step 2: Upload Certificate Files

sudo mkdir -p /etc/apache2/ssl/example.com
sudo cp example.com.crt /etc/apache2/ssl/example.com/
sudo cp example.com.key /etc/apache2/ssl/example.com/
sudo cp ca-bundle.crt /etc/apache2/ssl/example.com/
sudo chmod 600 /etc/apache2/ssl/example.com/example.com.key

Step 3: Configure the Virtual Host

Edit your virtual host configuration (typically in /etc/apache2/sites-available/):

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/example.com/example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.com/example.com.key
    SSLCertificateChainFile /etc/apache2/ssl/example.com/ca-bundle.crt

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

Unlike Nginx, Apache takes the certificate and chain as separate files. The SSLCertificateChainFile directive points to the intermediate bundle.

Add an HTTP redirect:

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    Redirect permanent / https://example.com/
</VirtualHost>

Step 4: Test and Restart

# Debian/Ubuntu
sudo apache2ctl configtest
sudo systemctl restart apache2

# CentOS/RHEL
sudo httpd -t
sudo systemctl restart httpd

Installed your certificate? Make sure it stays valid.

Monitor your SSL certificates and get alerts before they expire. Catches renewal failures and chain issues automatically.

Try SSL Certificate Expiry

Installing on IIS (Windows Server)

Step 1: Import the Certificate

  1. Open IIS Manager.
  2. Select the server node in the left panel.
  3. Double-click Server Certificates.
  4. Click Import in the Actions panel.
  5. Browse to your .pfx file (if you have separate .crt and .key files, you need to convert them to .pfx first -- see below).
  6. Enter the password and click OK.

To convert PEM files to PFX:

openssl pkcs12 -export -out example.com.pfx -inkey example.com.key -in example.com.crt -certfile ca-bundle.crt

Step 2: Bind the Certificate to a Site

  1. In IIS Manager, expand Sites and select your site.
  2. Click Bindings in the Actions panel.
  3. Click Add.
  4. Set Type to https, Port to 443.
  5. Select your certificate from the SSL certificate dropdown.
  6. Click OK.

Step 3: Verify

Browse to https://yourdomain.com and check that the padlock appears. IIS does not require a restart for binding changes.

Installing via cPanel

If your hosting uses cPanel, installation is done through a web interface.

  1. Log in to cPanel.
  2. Go to Security > SSL/TLS.
  3. Click Manage SSL sites under "Install and Manage SSL for your site."
  4. Select the domain from the dropdown.
  5. Paste your certificate into the Certificate (CRT) field.
  6. Paste your private key into the Private Key field.
  7. Paste the intermediate bundle into the Certificate Authority Bundle (CABUNDLE) field.
  8. Click Install Certificate.

cPanel validates that the key matches the certificate before installing. If you get an error saying the key does not match, you may have generated a new CSR/key pair and submitted an older CSR to the CA.

Many cPanel hosts also have AutoSSL enabled, which provisions and installs free certificates automatically. Check with your host before manually installing -- you may not need to.

Installing via Plesk

  1. Log in to Plesk.
  2. Go to Websites & Domains and select the domain.
  3. Click SSL/TLS Certificates.
  4. Click Add SSL/TLS Certificate.
  5. Upload or paste the certificate, private key, and CA bundle.
  6. Click Upload Certificate.
  7. Go back to the domain's hosting settings and select the certificate under SSL/TLS support.

Installing with Cloudflare

If you use Cloudflare, the edge certificate (the one visitors see) is managed automatically. But you should also install a certificate on your origin server to encrypt the connection between Cloudflare and your server.

Cloudflare offers free Origin CA certificates specifically for this purpose:

  1. In the Cloudflare dashboard, go to SSL/TLS > Origin Server.
  2. Click Create Certificate.
  3. Choose your hostnames and validity period (up to 15 years).
  4. Cloudflare generates the certificate and private key.
  5. Copy both and install them on your origin server using the Nginx or Apache instructions above.
  6. Set SSL/TLS mode to Full (Strict).

Origin CA certificates are only trusted by Cloudflare -- they will not work if traffic bypasses Cloudflare. But for the specific purpose of securing the Cloudflare-to-origin connection, they are the simplest option.

Verifying the Installation

After installing, verify that everything is working correctly.

Browser Check

Visit your site with https:// and click the padlock icon. You should see your certificate details including the domain name, issuer, and expiry date.

OpenSSL Command Line

The openssl command gives you the most detailed view of what the server is actually presenting:

openssl s_client -connect example.com:443 -servername example.com

This outputs the full certificate chain. Look for:

  • Certificate chain: Should show your certificate, intermediate(s), and root. If intermediates are missing, browsers may show untrusted certificate warnings on some devices.
  • Verify return code: 0 (ok) -- means the chain is valid.
  • Protocol and cipher: Confirms which TLS version and cipher suite was negotiated.

To check just the certificate dates:

echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
notBefore=Apr 21 00:00:00 2026 GMT
notAfter=Jul 20 23:59:59 2026 GMT

For more ways to inspect your certificate, see How to Check an SSL Certificate.

Online Tools

SSL Labs (ssllabs.com/ssltest) runs a comprehensive test that checks your certificate chain, protocol support, cipher suites, and known vulnerabilities. It gives you a letter grade from A+ to F. Aim for A or A+.

Common Installation Errors

Certificate and Key Mismatch

Symptom: The server fails to start or shows an error like "key values mismatch" or "SSL_CTX_use_PrivateKey_file failed."

Cause: The private key does not correspond to the certificate. This happens when you generate a new CSR/key pair but submit an older CSR to the CA.

Fix: Verify the key matches the certificate:

# These two commands should output the same modulus
openssl x509 -noout -modulus -in example.com.crt | openssl md5
openssl rsa -noout -modulus -in example.com.key | openssl md5

If the MD5 hashes differ, you need to generate a new CSR with the current key and get a new certificate, or use the key that was originally generated with the CSR.

Incomplete Certificate Chain

Symptom: The site works in Chrome on desktop but fails on older Android devices, certain API clients, or command-line tools like curl.

Cause: You installed your certificate but not the intermediate certificates. Modern desktop browsers can often fetch missing intermediates on their own, but many clients cannot.

Fix: Install the full chain. Your CA provides the intermediate bundle. Concatenate it with your certificate (for Nginx) or specify it separately (for Apache). For a deep dive, see SSL Certificate Chain Explained.

Wrong Certificate for the Domain

Symptom: Browser shows "NET::ERR_CERT_COMMON_NAME_INVALID" or similar hostname mismatch error.

Cause: The certificate was issued for a different domain, or you are accessing the site via a hostname not covered by the certificate's SAN (Subject Alternative Name) list.

Fix: Check the certificate's SAN list:

openssl x509 -noout -text -in example.com.crt | grep -A1 "Subject Alternative Name"

Make sure every hostname your site uses (including www and non-www) is listed. If not, you need a new certificate that covers all required hostnames.

Permission Errors

Symptom: The web server cannot read the private key file.

Cause: File permissions are too restrictive, or the web server process does not have access.

Fix: The private key should be readable by root and the web server user only:

sudo chown root:root /etc/nginx/ssl/example.com/example.com.key
sudo chmod 600 /etc/nginx/ssl/example.com/example.com.key

On systems where Nginx runs as the www-data user, you may need to adjust the group ownership. For how to diagnose and fix other SSL errors, see How to Fix SSL Errors.

Mixed Content After Installation

Symptom: The padlock shows a warning or is missing, even though the certificate is installed correctly.

Cause: Your pages load some resources (images, scripts, stylesheets) over HTTP instead of HTTPS.

Fix: Update all resource URLs to use HTTPS or protocol-relative URLs. Check your browser's developer console for mixed content warnings. For validating your full SSL setup, see How to Validate an SSL Certificate.

Monitor your SSL certificates automatically

After installation, the next risk is expiry. Monitor your certificates and get alerts before they lapse.

Try SSL Certificate Expiry

References

  • Nginx, "Configuring HTTPS servers," https://nginx.org/en/docs/http/configuring_https_servers.html
  • Apache, "mod_ssl Documentation," https://httpd.apache.org/docs/current/mod/mod_ssl.html