You ordered a certificate, the CA issued it, and now you have a few files and no clear idea where they go. Installing an SSL certificate is mostly a matter of putting the right file in the right place and pointing your server at it. This guide covers the three setups most people use: Apache, Nginx, and cPanel.

Before you start, you should have three things: your certificate file, the private key you generated with your CSR, and the intermediate (chain) certificate from the CA. Missing the chain is the single most common cause of "certificate not trusted" errors.

💡
Keep your private key privateThe private key never leaves your server and is never sent to the CA. If you lost it, you'll need to reissue the certificate with a new CSR. Anyone who has the key can impersonate your site.

Installing on Apache

Apache reads SSL settings from a virtual host block, usually in ssl.conf or your site's .conf file. Point it at the three files:

Apache · ssl.conf<VirtualHost *:443> ServerName example.com SSLEngine on SSLCertificateFile /etc/ssl/certs/example.com.crt SSLCertificateKeyFile /etc/ssl/private/example.com.key SSLCertificateChainFile /etc/ssl/certs/intermediate.crt </VirtualHost>

Then test the config and reload:

apachectl configtest systemctl reload apache2 # or: systemctl reload httpd

Installing on Nginx

Nginx wants a single combined file: your certificate followed by the intermediate chain, in that order. Concatenate them first:

cat example.com.crt intermediate.crt > fullchain.crt

Then reference it in your server block:

Nginx · server blockserver { listen 443 ssl; server_name example.com; ssl_certificate /etc/nginx/ssl/fullchain.crt; ssl_certificate_key /etc/nginx/ssl/example.com.key; }
nginx -t systemctl reload nginx
🔒
Only TLS 1.2 and 1.3 are supportedThe old SSL protocols and TLS 1.0/1.1 are retired. On modern Apache and Nginx the defaults are already correct, but if you copied an old config, make sure it isn't forcing a deprecated protocol.

Installing on cPanel

cPanel hides the command line behind a UI, which makes it the easiest of the three:

  1. In cPanel, open Security → SSL/TLS.
  2. Click Manage SSL Sites under "Install and Manage SSL".
  3. Pick the domain, then paste the certificate, private key, and the CA bundle (chain) into their boxes.
  4. Click Install Certificate.

cPanel often fills the private key automatically if the CSR was generated there. The CA bundle field is the one people forget — paste the intermediate chain so browsers can build trust.

Verify the Install

Don't trust "it loaded once." After any install, confirm three things: the certificate matches the domain, the chain is complete, and the expiry date is right. The fastest way is to run the domain through an SSL checker, which flags a broken chain immediately — the failure mode you can't always see in a browser.

A certificate that loads in your browser can still be missing its chain for half the internet.

G
GetYourSSL Team
We translate the SSL/TLS world into plain English (and Turkish). Independent affiliate partners of SSL.com, focused on helping you pick the right certificate — not the most expensive one.