Users of the Budget, Standard, Advanced and Corporate
packages can make their domains accessible via
installing a SSL certificate under
This guide is relevant to SSL certificates purchased from a commercial
certificate authorities (such as Thawte or GoDaddy), as well as
The alternative, free method (Let's Encrypt) is covered under: Setting up SSL/HTTPS with LetsEncrypt. Note: This guide does not apply to users of Let's Encrypt.
First, you need to generate a random RSA key in ~/ssl/key. The contents of this newly created file must remain private.
$ mkdir -m 0700 ~/ssl $ cd ~/ssl $ openssl genrsa -out key 2048
The following command will generate a standard
Certificate Signing Request ("CSR") which can be submitted to a
certification authority (or signed by yourself).
The protocol requires that the Common Name ("CN") match your
Server Name setting (configurable from the Parameters
section of the Control Panel or using
conf set name in csoftadm).
At this point, you might wish to submit your certficate for a Certificate Signing Request via a certification authority, such as Thawte or GoDaddy. Alternatively, you can publish a self-signed certificate using the command:
$ openssl x509 -req -days 365 -in csr -signkey key -out cert
The -days argument refers to the validity period. In this example, the certificate would expire one year from now.
conf set sslcommand in the Shell Interface.
It will take up to 30 minutes for the new certificate to be included in
the web server configuration. If there is a problem with the SSL
certificate, an error message will show up in
/var/log/users/yourname and the file cert will be
renamed to cert.rej.
Prior to the inclusion of your vhost in the SSL httpd configuration file, csoftadm performs a few verifications on the certificate and key. You can check certificates manually using the following commands:
# For RSA keys: $ openssl rsa -in key # For DSA keys: $ openssl dsa -in key # For keys which require a passphrase: $ openssl dsa -in key -passin file:pp # To read a X.509 certificate fingerprint: $ openssl x509 -in cert -fingerprint
The following command may be used to read the CN (Common Name) of the certificate. This value must match your main domain name exactly. Mismatch of the CN and the main domain is a common cause of failure.
# To read a X.509 certificate subject field: $ openssl x509 -in cert -subject