The SSL Installation and Precedence Logic
This document outlines how cPanel & WHM processes Secure Sockets Layer (SSL) certificate requests and how Apache processes SSL requests.
This document refers to other services’ domain-indexed SSL storage as Domain TLS.
Name-based and virtual host match
Most SSL-enabled services that cPanel, Inc. deploys support simple name-based SSL. When a client requests an SSL certificate for a specific domain, the service performs one of the following actions:
- If the certificate exists, the service responds with a certificate that matches the requested domain.
- If no certificate exists, the the system uses the service’s default SSL certificate.
Apache SSL certificates
Apache does not follow this logic. When a client requests an SSL certificate for a specific domain’s SSL certificate, Apache performs the following actions:
- It establishes the virtual host that hosts the domain.
- It responds with the certificate for that virtual host.
Apache cannot match a certificate directly with a domain, and offers the virtual host’s certificate even if the certificate does not match the domain. Apache serves the same certificate for any request that matches a given virtual host. Because of this limitation, Apache’s domain-indexed SSL storage differs from that of the other services.
For simplicity, cPanel & WHM only exposes a single set of API functions to install and remove SSL certificates. When a user or administrator installs an SSL certificate, that installation only applies to a specific Apache virtual host. This behavior impacts both Apache and services that support name-based SSL. After the Apache installation finishes, the system copies the certificate to Domain TLS for each domain on the virtual host that matches the certificate.
- The system only copies the certificate to Domain TLS if the certificate passes OpenSSL’s validity check. This check occurs daily.
- In cPanel & WHM version 66 and later, the system removes certificates from Domain TLS if they fail validation or are set to expire within one day.
- Certificate removal follows the same pattern. The system removes Domain TLS entries for all domains on the virtual host that match the certificate.
If your SSL certificate and key did not pair correctly, Apache cannot start with SSL enabled. To check whether they paired correctly, run the following commands, where
filename represents the certificate name:
If the modulus number and exponent that each file returns match, the certificate and key paired correctly.
Service-default SSL certificates
Non-Apache services use default SSL certificates that administrators can manage via WHM. These services only serve the default SSL certificate to the client if no certificate in Domain TLS matches the client’s requested domain.
FTP is the only service that does not support name-based SSL.
In cPanel & WHM version 66 and later, when the administrator installs a service-default SSL certificate, the system compares this certificate with the contents of Domain TLS. For each domain on the default certificate, the system installs that new certificate to Domain TLS. The system only performs this action if an SSL certificate with higher-grade identity assurance does not already exist on Domain TLS. This ensures that the system serves the highest-grade SSL certificate for each request for every non-Apache service.