How to Install an SSL Certificate and Force HTTPS

Introduction

SSL (Secure Sockets Layer) certificates encrypt the connection between your website and visitors, protecting sensitive data and improving trust. Modern browsers mark sites without SSL as "Not Secure," making SSL essential for all websites. This guide covers how to install SSL certificates and configure your site to use HTTPS.

Why SSL is Important

Security Benefits

• Encrypts data transmission (passwords, credit cards, personal info)
• Protects against man-in-the-middle attacks
• Prevents data tampering and eavesdropping
• Required for PCI compliance (e-commerce)

SEO and Trust Benefits

• Google ranking boost for HTTPS sites
• Browser trust indicators (padlock icon)
• Removes "Not Secure" warning
• Increases visitor confidence and conversions
• Required for modern web features (PWA, HTTP/2, etc.)

Types of SSL Certificates

Free SSL (Let's Encrypt) - Recommended for Most Sites

• Cost: Free
• Validation: Domain validation (DV)
• Coverage: Single domain or wildcard (*.yourdomain.com)
• Renewal: Automatic every 90 days
• Best for: Blogs, small business sites, personal sites

Paid SSL Certificates

Domain Validated (DV)

• Cost: $10-50/year
• Validation time: Minutes
• Best for: Basic websites, blogs

Organization Validated (OV)

• Cost: $50-150/year
• Validation: Verifies business legitimacy
• Validation time: 1-3 days
• Best for: Business websites, organizations

Extended Validation (EV)

• Cost: $150-500+/year
• Validation: Rigorous company verification
• Visual indicator: Company name in address bar (some browsers)
• Best for: E-commerce, banks, high-security sites

Wildcard SSL

• Coverage: Unlimited subdomains (*.yourdomain.com)
• Cost: $50-300+/year (or free with Let's Encrypt)
• Best for: Sites with many subdomains

Installing Free SSL (Let's Encrypt) in cPanel

Prerequisites

• Domain must be pointed to your server (A record configured)
• Domain must be accessible via HTTP (port 80)
• Domain must be added to your cPanel account

Step-by-Step Installation

Step 1: Access SSL/TLS Status

1. Log into cPanel
2. Navigate to "Security" section
3. Click "SSL/TLS Status"

Step 2: Install SSL

1. You'll see a list of domains/subdomains on your account
2. Find domains that show "Not Secure" or no certificate
3. Check the box next to the domain(s) you want to secure
4. Click "Run AutoSSL"
5. Wait for the process to complete (usually 30-60 seconds)
6. Status should change to "AutoSSL certificate installed" with a valid until date

Alternative: SSL/TLS Manager

1. Go to cPanel > Security > SSL/TLS
2. Click "Manage SSL Sites"
3. Select your domain from the dropdown
4. If AutoSSL is enabled, certificate should already be installed
5. If not, you can manually paste certificate, private key, and CA bundle

Installing a Paid/Custom SSL Certificate

Step 1: Generate CSR (Certificate Signing Request)

1. Log into cPanel
2. Navigate to Security > SSL/TLS
3. Click "Generate, view, or delete SSL certificate signing requests"
4. Fill in the form:
   • Domains: yourdomain.com
   • City, State, Country: Your business location
   • Company Name: Your legal business name
   • Company Division: IT or Web Administration
   • Email: Your admin email
5. Click "Generate"
6. Copy the generated CSR (long text block)

Step 2: Purchase SSL Certificate

1. Visit SSL provider (Comodo, DigiCert, Sectigo, etc.) or purchase through our client area
2. Select certificate type and term
3. Paste your CSR during checkout
4. Complete domain validation:
   • Email validation (verify via email sent to admin@yourdomain.com)
   • DNS validation (add TXT record)
   • HTTP validation (upload verification file)
5. Wait for certificate issuance (minutes to days, depending on type)

Step 3: Install SSL Certificate

1. Download certificate files from SSL provider (usually a ZIP file)
2. Extract and locate:
   • Certificate (.crt or .pem file)
   • Private Key (should already be in cPanel from CSR generation)
   • CA Bundle / Intermediate Certificate (.ca-bundle or chain file)
3. Log into cPanel > Security > SSL/TLS
4. Click "Manage SSL Sites"
5. Select your domain
6. Paste certificate content into "Certificate (CRT)" field
7. Paste CA bundle into "Certificate Authority Bundle (CABUNDLE)" field
8. Private key should auto-fill (if not, paste it from when you generated CSR)
9. Click "Install Certificate"

Forcing HTTPS (Redirect HTTP to HTTPS)

Why Force HTTPS?

• Ensures all visitors use encrypted connection
• Prevents mixed content warnings
• Improves SEO (Google prefers HTTPS)
• Avoids duplicate content issues

Method 1: Using cPanel (Easiest)

1. Log into cPanel
2. Navigate to Domains > Domains
3. Find your domain and click "Manage"
4. Scroll to "Force HTTPS Redirect" or "HTTPS" section
5. Toggle "Force HTTPS Redirect" to ON
6. Save changes

Method 2: Editing .htaccess (More Control)

Accessing .htaccess

1. Log into cPanel
2. Open File Manager
3. Navigate to public_html (or your domain's document root)
4. Click "Settings" (top right) and enable "Show Hidden Files"
5. Find and edit .htaccess file (create if doesn't exist)

Add Redirect Code

Add this code to the TOP of your .htaccess file:

# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Alternative (with www redirect):

# Force HTTPS and WWW
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} !^www. [NC]
RewriteRule ^(.*)$ https://www.yourdomain.com/$1 [L,R=301]

Force HTTPS without WWW:

# Force HTTPS without WWW
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www. [NC]
RewriteRule ^(.*)$ https://yourdomain.com/$1 [L,R=301]

Method 3: WordPress Plugin (For WordPress Sites)

1. Install "Really Simple SSL" plugin from WordPress dashboard
2. Activate the plugin
3. Click "Activate SSL" when prompted
4. Plugin automatically configures redirects and fixes mixed content

Fixing Mixed Content Warnings

What is Mixed Content?

Mixed content occurs when HTTPS page loads resources (images, scripts, CSS) over HTTP, causing security warnings.

Finding Mixed Content

1. Open your website in Chrome
2. Press F12 to open Developer Tools
3. Click "Console" tab
4. Look for "Mixed Content" warnings showing HTTP resources

Fixing Mixed Content

Option 1: Update URLs in Code

Change all URLs from http:// to https:// or use protocol-relative URLs //

Before:

<img src="http://yourdomain.com/image.jpg">

After:

<img src="https://yourdomain.com/image.jpg">
or
<img src="//yourdomain.com/image.jpg">

Option 2: WordPress Database Search & Replace

1. Backup your database first!
2. Use plugin: "Better Search Replace" or "WP Migrate DB"
3. Search for: http://yourdomain.com
4. Replace with: https://yourdomain.com
5. Run on all tables

Option 3: .htaccess Header

Add to .htaccess to automatically upgrade insecure requests:

Header always set Content-Security-Policy "upgrade-insecure-requests"

Verifying SSL Installation

Visual Check

• Visit https://yourdomain.com in browser
• Look for padlock icon in address bar
• Click padlock to view certificate details
• Ensure it shows "Connection is secure"

SSL Testing Tools

• SSL Labs Server Test - Comprehensive SSL testing (aim for A or A+ rating)
• Why No Padlock - Identifies mixed content issues
• GeoCerts SSL Checker - Verify installation and chain

Troubleshooting SSL Issues

"Not Secure" Warning Still Appears

• Clear browser cache and try incognito/private mode
• Check SSL certificate is actually installed (visit https://yourdomain.com)
• Verify certificate covers your domain (not expired or wrong domain)
• Check for mixed content issues

Certificate Mismatch Error

• Ensure certificate is issued for correct domain
• If using www, ensure certificate covers both www and non-www
• Check certificate hasn't expired
• Reinstall certificate if necessary

AutoSSL Failing to Install

• Verify domain points to your server (A record correct)
• Ensure domain is accessible via HTTP (port 80 open)
• Check no firewall or security software blocking Let's Encrypt
• Verify domain is added to cPanel
• Check cPanel error logs for specific error messages

Redirect Loop After Forcing HTTPS

• Check .htaccess for conflicting redirect rules
• Disable "Force HTTPS" in cPanel if using .htaccess method
• For WordPress: Check Settings > General - ensure WordPress URL and Site URL both use HTTPS
• Clear browser cache and cookies

Some Pages Work, Others Don't

• Check for hardcoded HTTP links in those pages
• Verify all resources (images, CSS, JS) load over HTTPS
• Review page-specific redirects or rules

Best Practices

Security

• Enable HSTS (HTTP Strict Transport Security) after verifying HTTPS works
• Keep certificates renewed (AutoSSL does this automatically)
• Use modern TLS protocols (TLS 1.2 or 1.3), disable old SSL versions
• Monitor certificate expiration dates

Performance

• Enable HTTP/2 in cPanel (requires HTTPS)
• Consider using CDN with SSL support
• Optimize images and assets

SEO

• Update Google Search Console with HTTPS version
• Update sitemaps to use HTTPS URLs
• Update canonical tags to HTTPS
• Update any hardcoded links in content

Certificate Renewal

Let's Encrypt (AutoSSL)

• Automatically renews every 60 days (certificates valid for 90 days)
• No action required from you
• Check SSL/TLS Status periodically to verify renewal

Paid SSL Certificates

• Must manually renew before expiration
• Renewal process similar to initial purchase
• Set calendar reminders 30 days before expiration
• Some providers offer auto-renewal

Need Help?

If you're experiencing SSL issues or need assistance with installation, please contact our support team with:

• Your domain name
• Type of SSL certificate (Let's Encrypt, paid, specific provider)
• Exact error messages or browser warnings
• Screenshots of the issue
• SSL test results (from SSL Labs if available)