Installing and renewing SSL certificates involves choosing the right certificate, validating domain ownership, installing it on your web server or control panel (cPanel/Plesk), and forcing HTTPS. For renewal, automate with Let’s Encrypt (Certbot) or reissue commercial certificates before expiry. Testing with SSL Labs and fixing mixed content ensures a secure, padlock-enabled site.
If you’re wondering how to install and renew SSL certificates without headaches, this step-by-step guide is for you. We’ll cover cPanel, Plesk, Apache, Nginx, Cloudflare, and both free (Let’s Encrypt) and commercial options. Written from 12+ years of hosting and server experience, it’s beginner-friendly and optimized for a smooth, secure HTTPS launch.
What is an SSL Certificate and Why It Matters
An SSL/TLS certificate encrypts data between a browser and your server, turning HTTP into HTTPS. It protects logins, payments, and personal data, improves trust with the padlock, and is a confirmed Google ranking factor. Without SSL, modern browsers label your site “Not Secure,” hurting conversions, SEO, and brand credibility.
Types of SSL Certificates (Choose the Right One)
Understanding certificate types helps you install the correct solution for your use case:
- DV (Domain Validation): Fast, automated, verifies domain control. Perfect for blogs, portfolios, landing pages. Examples: Let’s Encrypt, ZeroSSL.
- OV (Organization Validation): Verifies the business. Good for company sites that want higher trust.
- EV (Extended Validation): Most rigorous vetting. Best for finance, healthcare, and enterprises with risk-sensitive transactions.
- Wildcard: Secures a domain and all first-level subdomains (e.g., *.example.com).
- SAN/Multidomain: Secures multiple domains or subdomains under one certificate.
Tip: Most websites can start with DV (e.g., Let’s Encrypt). Choose OV/EV when compliance or brand assurance is required. Wildcard is ideal when you manage many subdomains.
Prerequisites Before You Install SSL
- Domain points to your server (A/AAAA records live, DNS propagated).
- Access to hosting control panel (cPanel, Plesk) or server shell (SSH root/sudo).
- Ports 80 (HTTP) and 443 (HTTPS) open in firewall/security group.
- Server time and hostname correct (ACME challenges can fail otherwise).
- Admin access to your CMS (e.g., WordPress) to update URLs and force HTTPS.
Install SSL in Control Panels (Fastest Way)
cPanel: AutoSSL or Let’s Encrypt
- Log in to cPanel > SSL/TLS Status or Let’s Encrypt.
- Select your domain(s) and click “Run AutoSSL” or “Issue.”
- Wait for validation (HTTP-01). The certificate will install automatically.
- In Domains > Redirects, or your CMS settings, force HTTPS.
AutoSSL typically renews automatically every ~60–90 days.
Plesk: Let’s Encrypt Extension
- Domains > Select domain > Let’s Encrypt.
- Choose domain, www, and optional wildcard (DNS challenge required for wildcard).
- Issue the certificate and enable “Keep secure” to auto-renew.
Cloudflare: Universal SSL and Full (Strict)
- Enable “Universal SSL” in Cloudflare SSL/TLS settings.
- Set SSL mode to “Full (Strict)” for end-to-end encryption.
- Install a valid certificate on your origin (use Let’s Encrypt or a Cloudflare Origin Certificate).
- Use Page Rules or your server config to force HTTPS.
Note: Avoid “Flexible” mode; it encrypts browser-to-Cloudflare only, leaving origin traffic unencrypted.
YouStable Hosting: One-Click Free SSL
All YouStable shared and managed hosting plans include free Let’s Encrypt SSL with automatic installation and renewal. If you host with YouStable, simply point DNS, and our platform handles issuance, renewal, and HTTPS redirection—no command line required.
Install SSL on Linux Servers (Apache & Nginx)
For full control or VPS/dedicated servers, Let’s Encrypt + Certbot is the fastest path. Below are proven commands used in production environments.
Ubuntu/Debian + Apache (Let’s Encrypt Certbot)
sudo apt update
sudo apt install -y certbot python3-certbot-apache
sudo certbot --apache -d example.com -d www.example.com
# Follow prompts, choose redirect to force HTTPS
# Test auto-renewal
sudo certbot renew --dry-run
Ubuntu/Debian + Nginx (Let’s Encrypt Certbot)
sudo apt update
sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com
# Choose redirect, then:
sudo certbot renew --dry-run
Certbot installs a systemd timer to auto-renew and reload services. Keep port 80 open; ACME HTTP-01 uses it for validation.
CentOS/RHEL + Apache or Nginx (EPEL + Snapd Method)
sudo yum install -y epel-release
sudo yum install -y snapd
sudo systemctl enable --now snapd.socket
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
# Apache:
sudo certbot --apache -d example.com -d www.example.com
# Nginx:
sudo certbot --nginx -d example.com -d www.example.com
sudo certbot renew --dry-run
Manual CSR and Commercial SSL (OV/EV/Wildcard)
- Generate a private key and CSR.
- Submit the CSR to your Certificate Authority (CA) and complete validation.
- Install the issued certificate and CA bundle.
# Generate a 2048-bit private key and CSR
openssl req -new -newkey rsa:2048 -nodes -keyout example.com.key -out example.com.csr
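# After the CA issues the certificate, reference the files in the Apache virtual host:
SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
# On Apache 2.4.8+ SSLCertificateChainFile is deprecated; append the CA bundle to the SSLCertificateFile instead.
SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt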
Place files in secure directories with least-privilege permissions. Restart/reload your web server after changes.
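Added example (not part of the original guide): a non-interactive variant of the CSR step that lists every hostname as a SAN, plus two checks to run before reloading the web server: that the issued certificate matches the private key, and that the key is readable by its owner only. The function names are illustrative, and a self-signed certificate stands in for the CA-issued one.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Function names are illustrative;
# example.com is the guide's placeholder domain.

# Create a key and a CSR non-interactively, with every hostname listed as a SAN
# (browsers match on SAN entries, not the CN alone). Requires OpenSSL 1.1.1+.
make_csr() {  # make_csr <dir> <primary-name> [extra-name...]
  local dir=$1 cn=$2 san="DNS:$2" n
  shift 2
  for n in "$@"; do san="$san,DNS:$n"; done
  ( umask 077  # key file is created readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -addext "subjectAltName=$san" \
      -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null )
}

# Hostnames requested in a CSR, one per line, to review before submitting it.
csr_names() {
  openssl req -in "$1" -noout -text 2>/dev/null | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# True only when the certificate carries the public key of this private key.
key_matches_cert() {  # key_matches_cert <key> <cert>
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when the key is readable by its owner only (mode 600 or 400).
key_perms_ok() {
  local mode
  mode=$(stat -c '%a' "$1") || return 2
  [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Demo on constructed data: a self-signed certificate stands in for the CA's.
demo() {
  local d
  d=$(mktemp -d) || return 1
  make_csr "$d" example.com www.example.com || return 1
  openssl x509 -req -in "$d/example.com.csr" -signkey "$d/example.com.key" \
    -days 30 -out "$d/example.com.crt" 2>/dev/null || return 1
  csr_names "$d/example.com.csr"
  key_matches_cert "$d/example.com.key" "$d/example.com.crt" && echo "key/cert: match"
  key_perms_ok "$d/example.com.key" && echo "key perms: ok"
  rm -rf "$d"
}
demo
```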
Force HTTPS and Validate
Apache (.htaccess) 301 Redirect
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
Nginx Server Block Redirect
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}
Test with SSL Labs (Qualys) for grade A or A+. Fix mixed content by updating hardcoded http links in your CMS, templates, and CDN settings.
Renew SSL Certificates (Automation Recommended)
Let’s Encrypt/Certbot Auto-Renew
- Certbot installs a systemd timer/cron that checks twice daily.
- Certificates renew ~30 days before expiry if validation passes.
- Confirm with a dry run: sudo certbot renew --dry-run.
cPanel/Plesk Auto-Renew
- cPanel AutoSSL and Plesk Let’s Encrypt renew automatically when DNS and ports are correct.
- Ensure domains resolve to the server and the validation folder is not blocked by firewalls or redirects.
Commercial SSL Renewal
- Start 30 days before expiry.
- Generate a new CSR (best practice) and revalidate domain/org.
- Install the new certificate and chain. Restart web services.
On YouStable, free SSL renewals are automatic. For paid OV/EV, our support can help you reissue and install with minimal downtime.
Troubleshooting Common SSL Errors
- Mixed content: Update site URL to https, run a search-replace in your database, and ensure assets (images, CSS, JS) load via https.
- Invalid chain/Intermediate missing: Install the CA bundle. For Apache, use SSLCertificateChainFile or include fullchain.pem.
- Domain not pointing or validation failing: Check DNS A/AAAA records and propagation. Keep port 80 open for HTTP-01.
- Wrong vhost catching requests: Ensure the correct server_name in Nginx and ServerName/ServerAlias in Apache, and that HTTPS vhosts are defined.
- Expired certificate after renewal: Your server may still serve an old file; reload services (systemctl reload nginx/apache2) and verify the path points to the renewed certificate.
- HSTS lockout: If you enable HSTS, ensure a valid certificate is always present. Test on a short max-age before moving to preload.
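Added example (not part of the original guide) covering the 30-day renewal window described in the renewal section and the "expired certificate after renewal" item above: it flags certificates close to expiry and detects a server that still presents the old certificate after the file on disk was renewed. Function names are illustrative and the sample certificates are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide; function names are illustrative.

# True when the certificate expires within <days> days, is already expired,
# or cannot be read (failing towards "needs attention").
expires_within() {  # expires_within <cert.pem> <days>
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Leaf certificate a live server presents, as PEM on stdout (needs network).
served_cert() {  # served_cert <host> [port]
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 2>/dev/null
}

# True when the served certificate differs from the one on disk, i.e. renewal
# wrote a new file but the web server still holds the old one in memory.
is_stale() {  # is_stale <served.pem> <on-disk.pem>
  local a b
  a=$(cert_fp "$1"); b=$(cert_fp "$2")
  [ -n "$a" ] && [ -n "$b" ] || return 2
  [ "$a" != "$b" ]
}

# Constructed sample: a self-signed certificate valid for <days> days.
sample_cert() {  # sample_cert <out.pem> <days>
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.com" \
    -days "$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo: "old" plays the certificate still in memory, "new" the renewed file.
demo() {
  local d
  d=$(mktemp -d) || return 1
  sample_cert "$d/old.pem" 10 && sample_cert "$d/new.pem" 90 || return 1
  expires_within "$d/old.pem" 30 && echo "old.pem: inside the 30-day renewal window"
  is_stale "$d/old.pem" "$d/new.pem" && echo "server is serving a stale certificate"
  rm -rf "$d"
}
demo
# Live use: served_cert example.com > served.pem
#           is_stale served.pem /etc/letsencrypt/live/example.com/cert.pem
```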
Security and Performance Best Practices
- Use 2048-bit RSA (or ECDSA P-256) and SHA-256 signatures.
- Enable OCSP Stapling to speed up revocation checks.
- Keep OpenSSL, web server, and Certbot updated.
- Restrict private key permissions (e.g., 600) and store keys outside web roots.
- Consider HSTS after stable HTTPS deployment: start with low max-age, then increase carefully.
- Redirect all variations (www/non-www) consistently to a single canonical https URL.
Real-World Scenarios
- Small business WordPress site: Use cPanel AutoSSL or Plesk Let’s Encrypt. Enable HTTPS redirect and fix mixed content with a plugin or database search-replace.
- SaaS on Nginx: Use Certbot with DNS-01 for wildcard, automate renewals, and deploy via CI/CD with zero-downtime reloads.
- Enterprise finance site: Deploy EV certs on a load balancer. Use HSTS, OCSP stapling, modern ciphers, and continuous monitoring.
FAQs
How long does it take to install an SSL certificate?
With Let’s Encrypt/cPanel, it usually takes 2–5 minutes. Commercial OV/EV certificates may take hours to days due to organization validation. DNS propagation or firewall rules can extend timelines if validation cannot reach your server.
Is Let’s Encrypt as secure as paid SSL?
Yes, DV, OV, and EV all use the same strong encryption. The difference is identity validation and support. Paid SSLs provide organization vetting, warranty, and support; Let’s Encrypt focuses on automated domain validation and is ideal for most sites.
Do I need to renew SSL manually?
Not if you set up automation. Certbot auto-renews Let’s Encrypt certificates, and cPanel/Plesk have automated renewal. For commercial SSLs, you must reissue before expiry (often annually), though some providers offer automation via ACME or APIs.
What’s the difference between HTTP-01 and DNS-01 validation?
HTTP-01 proves domain control via a file served over HTTP on port 80. DNS-01 uses a DNS TXT record. DNS-01 is required for wildcard certificates and is handy when port 80 is blocked or when validating off-box via a DNS provider API.
Why does my site still show “Not Secure” after installing SSL?
Common causes include mixed content (assets loaded over http), missing HTTPS redirect, serving the wrong vhost, or a stale/expired cert. Force HTTPS, fix asset URLs, restart your web server, and verify the certificate chain with SSL Labs.
Conclusion
Installing and renewing SSL certificates is straightforward when you follow a checklist: pick the right type, validate, install, force HTTPS, and automate renewal. For most sites, Let’s Encrypt + Certbot or cPanel AutoSSL is perfect. Prefer a zero-effort path? Host with YouStable and get free SSL with automatic renewals, expert support, and hardened security by default.