An SSL certificate does two things: it encrypts the connection between your visitor's browser and your server, and it lets their browser (and Google) verify that the server really belongs to your domain. Without one, browsers display a "Not Secure" warning in the address bar - which is essentially a sign on your door telling customers to leave.
cPanel makes SSL management relatively painless, but there are enough moving parts that it helps to understand what you are working with.
Finding the SSL/TLS Manager
Log into cPanel and look for the SSL/TLS icon, usually in the Security section. Inside, you will find a few key areas:
- Private Keys - the cryptographic keys associated with your certificates
- Certificate Signing Requests (CSRs) - used when applying for a paid certificate
- Certificates - where installed certificates live
- Install and Manage SSL for your site (HTTPS) - this is where you actually activate HTTPS for a domain
For most users, the most important section is the last one.
How AutoSSL Works
AutoSSL is cPanel's built-in system for automatically issuing and renewing free SSL certificates via Let's Encrypt (or cPanel's own certificate authority, Sectigo, depending on your host's configuration).
When AutoSSL is enabled (which it is by default on most cPanel hosts including dotCanada), it runs on a regular schedule - typically daily - and automatically issues certificates for any domains and subdomains on your account that do not already have a valid certificate. It also renews certificates before they expire (Let's Encrypt certificates are valid for 90 days and AutoSSL renews them at around 60 days).
To check AutoSSL status, go to Security > SSL/TLS Status in cPanel. You will see a list of all your domains with a green checkmark (secured), a warning icon (expiring soon), or a red X (problem). You can also run AutoSSL manually from this screen using the "Run AutoSSL" button.
Installing a Purchased (Paid) Certificate
AutoSSL's free certificates are sufficient for most use cases. However, some businesses need an extended validation (EV) certificate that shows the company name in the address bar, or an organisation validated (OV) certificate for compliance reasons.
When you purchase a certificate from a certificate authority (CA), you will receive three things: the certificate itself, a private key, and a CA bundle (the intermediate certificates that establish trust).
To install it in cPanel:
- Go to SSL/TLS > Install and Manage SSL for your site (HTTPS)
- Select the domain from the dropdown
- Paste the certificate text into the Certificate (CRT) field
- Paste the private key into the Private Key field
- Paste the CA bundle into the Certificate Authority Bundle field
- Click Install Certificate
If cPanel cannot auto-fill the private key, go to SSL/TLS > Private Keys and check whether a matching key was already generated there (it will be labelled with a matching domain or creation date).
Checking Certificate Expiry Dates
Never let a certificate expire unexpectedly. An expired SSL certificate throws a security error in every browser - worse than having no certificate at all.
In cPanel, go to SSL/TLS Status for a quick overview of all certificates and their expiry dates. You can also check any public-facing domain using a tool like SSL Checker (ssllabs.com/ssltest/) or by simply clicking the padlock icon in your browser.
Set a calendar reminder 30 days before expiry for any manually managed certificates.
When AutoSSL Renewal Fails
AutoSSL failures are usually caused by one of a handful of issues.
DNS is pointing elsewhere. AutoSSL verifies domain ownership by placing a file on your server. If your domain DNS does not point to the server running cPanel, the verification fails. Check that your domain's A record points to your hosting account's IP address.
CAA records blocking issuance. If your DNS has CAA (Certification Authority Authorization) records that restrict which CAs can issue certificates, and they do not include Let's Encrypt or Sectigo, AutoSSL will fail. Either update the CAA records or remove them.
Domain is not resolving publicly. Domains parked, redirected, or not yet propagated will fail AutoSSL checks. Make sure the domain is live and resolving before expecting AutoSSL to work.
Too many failed attempts. Let's Encrypt rate-limits failed attempts. If you have tried and failed multiple times quickly, you may need to wait an hour before trying again.
For persistent failures, the AutoSSL log in cPanel (under Logs > AutoSSL Log) contains detailed error messages that point to the specific cause.
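The CAA failure described above, as an added example that is not part of the original article: it evaluates constructed CAA records following the RFC 8659 rules and reports whether either AutoSSL provider is allowed to issue. The issuer domains letsencrypt.org and sectigo.com, the sample records and the function names are assumptions; CNAME handling and live DNS lookups are left out.

```python
# Added example: RFC 8659 CAA evaluation over constructed records (no live DNS).
AUTOSSL_CAS = {"letsencrypt.org", "sectigo.com"}   # CAA issuer domains (assumed)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}       # tags a CA is assumed to understand

# Constructed sample data: name -> [(flags, tag, value)]
SAMPLE_CAA = {
    "example.com": [(0, "issue", "digicert.com"),
                    (0, "iodef", "mailto:security@example.com")],
    "shop.example.net": [(0, "issue", "letsencrypt.org; validationmethods=http-01")],
    "example.net": [(0, "issue", ";")],
    "example.org": [(0, "issue", "sectigo.com"), (0, "issuewild", ";")],
}

def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; the first name with CAA records wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def allowed_cas(fqdn, zone):
    """Return None when CAA places no restriction, else the set of permitted CAs."""
    rrset = relevant_rrset(fqdn, zone)
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return set()  # unknown critical property: a compliant CA must refuse
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names only.
    values = issuewild if (fqdn.startswith("*.") and issuewild) else issue
    if not values:
        return None
    # Value is "<issuer-domain>[; parameters]"; a bare ";" names no CA at all.
    return {v.split(";")[0].strip().lower() for v in values} - {""}

def autossl_blocked(fqdn, zone, cas=AUTOSSL_CAS):
    """True when CAA permits none of the CAs AutoSSL could use."""
    allowed = allowed_cas(fqdn, zone)
    return allowed is not None and not (allowed & set(cas))

if __name__ == "__main__":
    for name in ("www.example.com", "shop.example.net", "blog.example.net",
                 "*.example.org", "unrelated.test"):
        print(name, "blocked" if autossl_blocked(name, SAMPLE_CAA) else "ok")
```

A subdomain inherits the nearest parent's CAA records unless it publishes its own, which is why blog.example.net is blocked while shop.example.net is not.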
All dotCanada hosting plans include AutoSSL with free Let's Encrypt certificates for every domain on your account, automatically renewed so you never see an expiry warning.

