How to Install a Purchased SSL Certificate in cPanel
You bought an SSL certificate — maybe from Namecheap, GoDaddy, or Sectigo directly — because AutoSSL's free Let's Encrypt cert wasn't good enough for a client who wanted "the padlock with the company name" or a longer validity period. Now you're staring at cPanel's SSL/TLS Manager with a certificate file, a private key you're not sure you saved, and a CA bundle you don't remember downloading. This is where most manual SSL installs go wrong, and it's rarely the certificate itself that's broken.
Symptom: The Install "Works" but the Browser Doesn't Trust It
A few ways this shows up in a support ticket:
- cPanel accepts the certificate with no error, but the site still shows the old cert or a browser warning.
- You get
SSL_ERROR_NO_CYPHER_OVERLAPor a flat "certificate does not match the private key" message the moment you click Install. - The padlock shows up on desktop Chrome but fails on mobile or in Firefox — a classic sign of a missing intermediate certificate.
- The cert installs fine, then a day later AutoSSL quietly replaces it with a free one and the paid cert vanishes.
Cause: It's Almost Always One of Four Mismatches
1. The private key doesn't match the certificate
This happens when you generate a new CSR/key pair for the install but the CA issued the certificate against an older CSR — or when someone regenerates the key in cPanel after already submitting the CSR to the certificate authority. The certificate and key are a matched pair; if either changes after the CSR was submitted, the pairing breaks.
2. The CA bundle (intermediate certificate) is missing or wrong
Your purchased certificate almost never comes as a single trusted file. Certificate authorities chain up through one or two intermediate certificates before reaching a root that's actually in browsers' trust stores. Skip the CA bundle field in cPanel, or paste the wrong one, and some browsers/devices — usually older Android phones or Firefox — won't complete the chain, even though Chrome on your desktop looks fine because it caches intermediates more aggressively.
3. The CSR was generated for the wrong domain (or missing SANs)
If the CSR only listed yourdomain.com but you need the cert to cover www.yourdomain.com too, the CA issues exactly what you asked for — a certificate that's valid for one and invalid for the other. This is a CSR problem, not something you can fix after the fact in cPanel; the cert itself needs reissuing with both names as Subject Alternative Names (SANs).
4. AutoSSL is fighting your manual certificate
cPanel's AutoSSL runs on a schedule (usually every 90 days, but it checks daily) and will happily overwrite a manually installed certificate with a free Domain Validated one unless you tell it not to. If your paid cert disappeared without you touching anything, this is almost always why.
Fix: Install It in the Right Order
Step 1 — Generate the CSR and key together, and keep the key
If you haven't submitted a CSR to the CA yet, generate it in cPanel under SSL/TLS > Generate an SSL Certificate and Signing Request, or from the command line if you want more control over key size:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Save yourdomain.key somewhere safe immediately. It's the one file the CA never sees and never gives back to you — lose it and you have to reissue the whole certificate.
Step 2 — Submit the CSR and download everything the CA gives you
Most CAs hand back three things: the domain certificate, an intermediate (or two), and sometimes a root. Download the "full chain" or "CA bundle" file if the vendor offers one — it saves you from having to concatenate certificates by hand.
Step 3 — Verify the key and certificate actually match before installing
This one check catches 80% of install failures before you even open cPanel:
openssl x509 -noout -modulus -in yourdomain.crt | openssl md5
openssl rsa -noout -modulus -in yourdomain.key | openssl md5
If the two hashes don't match, you have the wrong key for that certificate — go find the key you used for that specific CSR, or reissue.
Step 4 — Install through cPanel's SSL/TLS Manager
Go to cPanel > Security > SSL/TLS > Manage SSL sites (in WHM it's SSL/TLS > Manage SSL Sites if you're installing for a reseller or client account). Select the domain, then paste:
- Certificate: the domain cert the CA issued you.
- Private Key: the key from Step 1 — cPanel will often auto-fill this if it's already stored on the server.
- Certificate Authority Bundle: the intermediate(s), not the domain cert again. This field is the one people leave blank.
cPanel will tell you if the key and cert don't match before you even submit, which is a good final check on top of Step 3.
Step 5 — Stop AutoSSL from overwriting it
To keep AutoSSL from silently replacing your paid certificate:
- In WHM > Manage AutoSSL, exclude the specific domain, or
- In cPanel > SSL/TLS, disable AutoSSL for that user if the whole account uses a paid cert, or
- At minimum, note the renewal date somewhere you'll actually see it — a paid cert quietly expiring is worse than AutoSSL replacing it, since AutoSSL at least keeps a valid cert live.
Step 6 — Confirm the full chain from outside your own browser
Your browser may have cached an intermediate certificate from another site, masking a broken chain. Check from the command line instead:
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts
Look for Verify return code: 0 (ok) at the bottom. Anything else — especially unable to get local issuer certificate — means the CA bundle is still missing or incomplete.
Prevention: Treat the Private Key Like a Password
| Do | Don't |
|---|---|
| Back up the private key the moment it's generated | Regenerate a new key/CSR pair after the CA has already issued the cert |
| Include every hostname (www and non-www) as a SAN in the CSR | Assume the CA will "just know" you need both |
| Exclude the domain from AutoSSL if you're keeping a paid cert | Install a paid cert and forget AutoSSL is still scheduled to run |
| Set a calendar reminder 2-3 weeks before expiry | Rely on the CA's renewal email landing in the right inbox |
Manual SSL installs feel more complicated than they are because every step depends on the previous one using the exact same key pair. Get the CSR and key right at the start, keep the CA bundle in its own field, and the rest of the install is closer to filling out a form than debugging a server.
Frequently asked questions
Do I need a CSR if I already have a private key?
Yes. A CSR is generated from your domain details and is tied to a specific private key, so even if you already have a key on the server, you still need to create a CSR from it (or generate a new key/CSR pair together) before a certificate authority can issue the certificate.
What's the difference between the Certificate and the CA Bundle fields in cPanel?
The Certificate field holds only your domain's certificate. The CA Bundle field holds the intermediate certificate(s) that link your certificate up to a root trusted by browsers. Leaving the CA Bundle blank is the most common reason a cert works in one browser but shows a trust error in another.
Why did my paid SSL certificate disappear after a few days?
AutoSSL runs on a schedule and will overwrite a manually installed certificate with a free Domain Validated one unless you exclude that domain from AutoSSL in WHM, or disable AutoSSL for the account.
I lost the private key for my certificate. Can I recover it?
No, the private key is never sent to or stored by the certificate authority. If it's gone, you'll need to generate a new key and CSR, then have the CA reissue the certificate against the new CSR.