How to Install an SSL Certificate on Apache, Nginx, and cPanel
You have the files but not the map. Here's exactly where the certificate, key, and chain go on the three server setups most people run.
GetYourSSL Team · 7 min read · SSL Management
Disclosure: GetYourSSL is an affiliate partner of SSL.com. If you buy a certificate through our links, we may earn a commission at no extra cost to you. We only point you to what fits.
You ordered a certificate, the CA issued it, and now you have a few files and no clear idea where they go. Installing an SSL certificate is mostly a matter of putting the right file in the right place and pointing your server at it. This guide covers the three setups most people use: Apache, Nginx, and cPanel.
Before you start, you should have three things: your certificate file, the private key you generated with your CSR, and the intermediate (chain) certificate from the CA. Missing the chain is the single most common cause of "certificate not trusted" errors.
Keep your private key private. The private key never leaves your server and is never sent to the CA. If you lose it, you'll need to reissue the certificate with a new CSR. Anyone who has the key can impersonate your site.
Installing on Apache
Apache reads SSL settings from a virtual host block, usually in ssl.conf or your site's .conf file. Point it at the three files:
Only TLS 1.2 and 1.3 are supported. The old SSL protocols and TLS 1.0/1.1 are retired. On modern Apache and Nginx the defaults are already correct, but if you copied an old config, make sure it isn't forcing a deprecated protocol.
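One way to check a copied config for deprecated protocols, as an added example that is not part of the original article: a short Python scan of Apache SSLProtocol and Nginx ssl_protocols lines. The sample configs are constructed, and the handling of Apache's "all" shortcut and of tokens without a +/- prefix is a conservative assumption, not mod_ssl's exact parsing.

```python
# Added example: flag config lines that still enable retired protocols.
DEPRECATED = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
# Assumption: treat Apache's "all" as every version the build might support.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}

def apache_enabled(tokens):
    """Read SSLProtocol tokens left to right: '-' removes, anything else
    adds (conservative: a bare token is treated like a '+' token)."""
    enabled = set()
    for tok in tokens:
        name = tok.lstrip("+-").lower()
        names = APACHE_ALL if name == "all" else {name}
        if tok.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return enabled

def find_deprecated(config_text):
    """Return (line_no, directive, deprecated protocols) per offending line."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].strip().rstrip(";").split()
        if len(parts) < 2:
            continue
        directive = parts[0].lower()
        if directive == "sslprotocol":        # Apache
            enabled = apache_enabled(parts[1:])
        elif directive == "ssl_protocols":    # Nginx: plain list of versions
            enabled = {p.lower() for p in parts[1:]}
        else:
            continue
        bad = sorted(enabled & DEPRECATED)
        if bad:
            findings.append((no, parts[0], bad))
    return findings

# Constructed sample configs (not taken from a real server).
SAMPLE_APACHE = """\
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLProtocol all -SSLv3        # copied from an old guide
</VirtualHost>
"""
SAMPLE_NGINX = "server {\n    listen 443 ssl;\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
SAMPLE_OK = "SSLProtocol -all +TLSv1.2 +TLSv1.3\nssl_protocols TLSv1.2 TLSv1.3;\n"

if __name__ == "__main__":
    for text in (SAMPLE_APACHE, SAMPLE_NGINX, SAMPLE_OK):
        print(find_deprecated(text))
```

A line with no finding only means no retired protocol is named in the config; it does not prove what the running server negotiates.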
Installing on cPanel
cPanel hides the command line behind a UI, which makes it the easiest of the three:
1. In cPanel, open Security → SSL/TLS.
2. Click Manage SSL Sites under "Install and Manage SSL".
3. Pick the domain, then paste the certificate, private key, and the CA bundle (chain) into their boxes.
4. Click Install Certificate.
cPanel often fills the private key automatically if the CSR was generated there. The CA bundle field is the one people forget — paste the intermediate chain so browsers can build trust.
Verify the Install
Don't trust "it loaded once." After any install, confirm three things: the certificate matches the domain, the chain is complete, and the expiry date is right. The fastest way is to run the domain through an SSL checker, which flags a broken chain immediately — the failure mode you can't always see in a browser.
A certificate that loads in your browser can still be missing its chain for half the internet.
GetYourSSL Team
We translate the SSL/TLS world into plain English (and Turkish). Independent affiliate partners of SSL.com, focused on helping you pick the right certificate — not the most expensive one.