How to install an SSL Certificate in Plesk

This guide will walk you through the steps necessary to obtain and install a commercial SSL certificate in Plesk.

If you wish to install a free Let’s Encrypt certificate with Plesk, the process is much simpler and you can learn all about it here. The Let’s Encrypt guide at that link replaces this one only for Let’s Encrypt certificates, as the process is very different: it automates all of this, turning it into a one-click version of the steps below.

If you are moving or ordering your certificate from another provider or ordering a commercial certificate from us, then the below steps are what you need!

Parts A and B will guide you through the steps necessary to obtain your certificate. If you’re not sure which type of certificate to choose, we’ve got a guide to help you with this process here. Part C will help you install the certificate in Plesk after it has been obtained, and Part D will ensure that your newly installed certificate is applied to your domain.

If you already have your SSL Certificate then you can skip to Part B to get it installed and activated in Plesk.

Things you will need

  • If you are a customer of Websavers, ensure you can log in successfully to the Websavers Client Centre.
  • If you are not hosting your website with us, then be sure you have Plesk access.

Part A: Generating your signing request

This will guide you through the process of creating the special code called a Certificate Signing Request (CSR) that will be sent to your certifying authority (CA). The Certifying Authority is a fancy name for the company that issues the certificate, like Comodo or GeoTrust or Symantec. In most cases you’ll be getting that certificate from a reseller; this could be us or another company, although we can only provide support for the certificate if you buy from us.

  1. Login to Plesk. If you’re hosted with us, click here to learn how.
  2. Click the Websites & Domains tab
  3. Choose the “Secure your Sites” or “SSL Certificates” button
  4. Choose the “Add SSL Certificate” button. If you’re renewing a certificate the old one will appear in the list, but you should still choose the option to add a new one — it’s not recommended to re-use the CSR from the previous certificate.
  5. Name the certificate. This can be named anything that you choose, however we suggest using something that helps identify the certificate in the likely event that you purchase additional certificates at a later date. For example, including the current date and domain name it will be used for is often helpful. E.g.: websavers.ca Dec 2013 – Dec 2015
  6. Make any needed adjustments to your contact information. This information will be embedded in the SSL Certificate and should be similar to your domain registration information. The email address should match that which you used to register the domain and must be accessible to you, otherwise you will not receive the certificate from your certificate provider. Falsified information is likely to be rejected by your SSL Certificate Provider.
  7. The Domain name field must be set to your domain name without the www. part.
    1. Subdomains: If you’re opting to secure a subdomain, enter the full subdomain instead, but again: do not include www.
    2. Wildcard Certificates: If you have purchased or intend to purchase a wildcard certificate enter *.<your_domain>
  8. For now you can ignore anything below the “Settings” section — the remaining sections will be filled out after you receive your certificate.
  9. Click the “Request” button to have your CSR generated. Plesk will likely take you back to the list of certificates; if so, click on the name of the certificate you just created to view it again. You can now review the CSR and Private Key. Save the Private Key in a safe location. Should anything happen to your server that requires the certificate to be re-entered, you MUST have at least the Certificate and Private Key on hand to resupply, otherwise you will need to purchase a new certificate.

Part B: Purchasing and validating your certificate

If you have not yet purchased an SSL certificate, do so now. You can purchase a commercial SSL certificate from us here.

If you have already ordered a certificate from Websavers, then this is the time to “configure” the certificate. This can be done by logging in to the Client Centre, choosing Plans & Services, clicking on your SSL certificate in the list, then choosing the Configure button. We have also sent you an email that includes a direct link to the SSL certificate configuration page.

Whether you purchase the certificate from us or not, you will need to supply the CSR you generated in Part A and you will need to validate that you own the domain the certificate will be used on in order to receive the certificate. During the SSL configuration phase, you will be asked to choose the type of validation you wish to use. There may be up to 3 types of validation available:

1. Email Validation (Most Common)

Email validation is best if you don’t have access to the DNS and the site is not yet live on your hosting with us, as you can still receive your certificate prior to making any DNS changes.

If you choose email validation, you will be prompted to select from a fixed list of email addresses from which you can approve the certificate. You cannot enter an email address here — you must choose one from the list. After submitting the certificate for validation, you will get an email at the selected address requesting approval for the certificate. Follow the directions within to provide authorization — it’s usually as simple as following a link, checking an “I approve” box, and clicking submit.

2. HTTP Validation

HTTP validation is best if your website is live on your intended host. If you choose HTTP validation, you will be provided with three things:

  1. A directory structure you must create in your web root (the folder where your website resides)
  2. A filename to use
  3. The contents to enter in the file

You can use either FTP or the Plesk File Manager (easier) to take care of all of this. Typically it asks you to navigate to your web root (this is the httpdocs folder for your primary domain in Plesk), then (if these folders don’t yet exist) create the folder ‘.well-known’ (with the dot at the start). Within the .well-known folder, create another folder called ‘pki-validation’. If those folders already exist, then simply navigate to the existing pki-validation folder. Now add a new file with the exact filename provided and edit the file to insert the exact contents provided. It’s usually both a randomly generated filename and a randomly generated string to insert.

That’s all there is to it: now you wait for the validation to occur and the certificate to be created and sent to you.

3. DNS Validation

If you choose DNS Validation, rather than waiting for an email, or creating a file at your web host, you instead need to login to the domain’s DNS hosting provider and use their tools to add a new DNS record. Typically they’ll provide you with three things:

  1. The type of DNS record (usually CNAME)
  2. A subdomain to use
  3. A random string for the value

When adding the record at your DNS host, be sure the record type matches what the SSL supplier indicates. Typically this is type CNAME (but it may also be TXT). Enter the subdomain value such that it looks like <random_string>.yourdomain.com, enter the random value where provided, then save your changes.


Unless you have ordered a more complicated EVSSL, shortly thereafter the CA will issue your certificate and send it to the email address you specified when generating the CSR in Part A. Typically you will receive the certificate within 1 hour, although DNS validation may take up to 24 hours depending on how quickly your DNS host submits changes to the central registries.

Part C: Installing necessary certificates in Plesk

You will receive the Certificate from your SSL supplier by email, normally within 24 hours. Cheaper certificates are typically emailed within an hour and more expensive ones (like EVSSL) can take up to a week or even longer to verify your company’s identity.

When you receive your SSL Certificate by email, the email should contain at least two attached files, your certificate, and a CA Bundle certificate file.

Inserting the Certificate and CA Certificate

  1. Login to Plesk. If you’re hosted with us, click here to learn how.
  2. Click the Websites & Domains tab
  3. Choose the “Secure your Sites” or “SSL Certificates” button
  4. Select the certificate you added in Part A from the list
  5. Use the “Upload the certificate files” option to select your certificate file and the CA Certificate/Bundle file from your computer. If you are copy/pasting the text rather than uploading the files, make sure to include the “-----BEGIN CERTIFICATE-----” line and the matching “-----END CERTIFICATE-----” line. They are considered part of the certificate.
  6. Click the “OK” or “Upload Certificate” button.

Your certificate is now installed in Plesk!

If the Private Key does not match the Certificate then you will see an equivalently named error. You MUST have a matching Private Key and Certificate in order to use a Certificate, otherwise you must purchase a new certificate. If you provided a matching certificate and private key, you will be sent back to the list of certificates and all will be ready to go.
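
The key/certificate match that Plesk enforces here can be checked before uploading. The script below is an added example, not part of the original guide or of Plesk: it compares the public key inside the private key, the CSR and the issued certificate using the openssl command line. The file names and the example.test sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Plesk or Websavers code): confirm that a private key, a CSR
# and an issued certificate all carry the same public key before uploading.

# Print the SHA-256 digest of the public key inside a key, CSR or certificate.
# Fails on unreadable input so two broken files can never "match".
pubkey_digest() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 on a full match, 1 on a mismatch, 2 if a file cannot be parsed.
check_match() {
    k=$(pubkey_digest key "$1")  || { echo "cannot read key: $1"; return 2; }
    r=$(pubkey_digest csr "$2")  || { echo "cannot read CSR: $2"; return 2; }
    c=$(pubkey_digest cert "$3") || { echo "cannot read certificate: $3"; return 2; }
    [ "$k" = "$c" ] || { echo "MISMATCH: certificate was not issued for this key"; return 1; }
    [ "$k" = "$r" ] || { echo "MISMATCH: CSR was generated from another key"; return 1; }
    echo "OK: key, CSR and certificate share public key $k"
}

# Constructed sample data: a throwaway key, CSR and self-signed certificate for
# example.test, plus an unrelated key, written to directory $1.
make_demo_files() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/site.key" -out "$1/site.csr" \
        -subj "/CN=example.test" 2>/dev/null &&
    openssl x509 -req -in "$1/site.csr" -signkey "$1/site.key" -days 1 \
        -out "$1/site.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Usage: sh check_match.sh site.key site.csr site.crt
if [ $# -eq 3 ]; then check_match "$@"; fi
```

Run it on a machine you trust, since it reads the private key, and keep the key file out of shared or web-accessible folders.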

Part D: Applying your certificate to a domain

You now have the certificate saved to your hosting plan, however your domain is not yet configured to actually use it. Complete the following steps to tell your domain to make use of the certificate.

  1. If you’re not already logged in to Plesk, do so now. If you’re hosted with us, click here to learn how.
  2. Navigate to the “Websites & Domains” tab and choose either the “Web Hosting Settings” button or a link beside your domain that says “Hosting Settings”.
  3. Ensure the “Enable SSL Support” box is checked and in the dropdown below, select your new certificate. If there is no drop down, it should automatically apply your certificate as it must be the only one in Plesk for the domain. Scroll down and click OK to apply the certificate to your domain.

You can now check that your certificate is installed by loading https://yourdomain.com. You may need to wait 1 minute, clear your browser cache, or refresh your browser a few times to force it to retrieve the new certificate.

If you wish to force HTTPS/SSL throughout your site, check out our article on how to force https across your whole site here!

Troubleshooting

This SSL Shopper tool is one of the best at determining whether a certificate is correctly installed along with its intermediate certificates. It will show you a graphic of each certificate along the chain that begins with your site’s certificate and jumps to each intermediate until it reaches the root. If there is a missing certificate or if they’re installed in the wrong order, this tool will tell you.

The SSL Shopper tool is showing me a broken link

This means that the CA Bundle that your issuer provided is not correctly linking your certificate to the root. If you did not purchase the certificate from us, you’ll need to ask your certificate provider for help with fixing this. If you did purchase the certificate from us, simply open a ticket indicating that you’ve completed this guide and that the SSL shopper tool is showing a broken link and we’ll get it fixed for you.

SSL Shopper says all is well, but I still don’t get a lock in my address bar

If the SSL Shopper tool indicates the certificate is installed correctly but you’re not seeing the lock in your browser when visiting the secure URL, this indicates that some resources are being loaded insecurely. In other words, one or more files are loading with http rather than https because they are hard coded to do that, either in your theme or in custom configuration.

To fix this you’ll need to use your browser’s web inspector tool to find the files not loading via https and adjust your website code to use either relative paths (ex: /myfile.php) or protocol agnostic URLs (ex: //websavers.ca/myfile.php rather than https://websavers.ca/myfile.php).
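
The same search can be run against a saved copy of the page source. The script below is an added example, not part of the original guide: it lists hard-coded http:// subresources with grep and sed, and the sample page and its example.test URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example: list hard-coded http:// subresources in a saved HTML page.
# Only tags that make the browser fetch something are checked; plain
# <a href="http://..."> links are navigation and do not remove the padlock.
# Limits: a tag must fit on one line, CSS url(http://...) is not scanned, and
# hints such as <link rel="canonical"> show up as false positives.
find_insecure_resources() {
    tags='script|img|iframe|link|source|audio|video|embed'
    grep -noiE "<($tags)[[:space:]][^>]*(src|href)=[\"']http://[^\"'>]+" "$1" |
        sed -E "s|^([0-9]+):.*[\"'](http://.*)\$|line \1: \2|"
}

# Constructed sample page: two insecure subresources (lines 3 and 6), one
# ordinary outbound link and one protocol-relative image.
write_sample_page() {
    cat > "$1" <<'EOF'
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.test/jquery.js"></script>
</head><body>
<a href="http://partner.example.test/">Partner site</a>
<img class="logo" src="http://www.example.test/logo.png" alt="logo">
<img src="//www.example.test/banner.png" alt="banner">
</body></html>
EOF
}

# Usage: sh find_insecure.sh saved-page.html
if [ $# -eq 1 ]; then find_insecure_resources "$1"; fi
```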

If you need a hand with any part of this process, ask an expert! Be sure to send us your domain, the type of SSL certificate you’re using and most importantly the step you’re having trouble with.

Jordan is a computer, security, and network systems expert and a lover of all things web and tech. Jordan consults with project management for software companies. Jordan is a founder and managing partner at Websavers Inc.

2 Comments

  1. Gabriele on March 10, 2014 at 9:40 am

    Hey, great article, very informative, however, just a few suggestions.

    1. There are a few different layout options to help organize Plesk, maybe a screen capture, or instructions to a particular layout would help illustrate where to click a bit better.

    2. If you already have an SSL certificate, but it’s expired, there are no “update” steps. You can update a certificate without deleting / re-creating it.

    3. If you are updating your certificate, make sure that in the apply section you include removing the SSL certificate from the Domain, and then re-applying it for the new certificate to be refreshed. I wasn’t able to get proper HTTPS verification from my Chrome browser until this step was completed.

    Just a few suggestions, great article, and service! Thanks for your help.



    • Jordan Schelew on March 10, 2014 at 4:11 pm

      Some responses to those suggestions:

      1. Yes indeed. One day when we have the time to do screen captures for all of these guides, we’ll get that done!
      2. I *think* there’s some very slim security problem with using the same CSR twice in a row, though it’s probably pretty unlikely to be an issue.
      3. Removing and adding a new one makes this type of problem not exist (it ensures it will always apply correctly) so I don’t think we should overcomplicate the instructions above (which are already pretty lengthy as is!) That said, it’s good to have here in the comments in case someone else decides to take that route on their own.

      Thanks for the ideas and comments!