How to Install a Custom SSL Certificate in Plesk: Import, Assign & Auto-Renew (2026)

Priya

Content Writer & Researcher

Last Updated: 29 May 2026

How to Install a Custom SSL Certificate in Plesk: Import, Assign & Auto-Renew (2026)

🖥️

Need Help Installing a Custom SSL Certificate in Plesk?

Wrong intermediate chain, key mismatch, or mail server SSL errors — CloudHouse's Plesk team resolves SSL issues in under an hour. Contact us for fast, verified certificate installation.

🔧 Book Free Diagnosis Call Now WhatsApp

🖥️12,400+PCs Fixed

⭐4.9★Google Rating

⚡<15 minAvg. Response

🛡️ISO 27001Certified

While Let's Encrypt handles most SSL needs automatically in Plesk, many businesses require a custom SSL certificate — an EV (Extended Validation) certificate for their e-commerce store, a wildcard certificate purchased from DigiCert or Sectigo, or an internal CA certificate for a corporate intranet. This guide covers every method for installing a custom SSL certificate in Plesk: uploading via the UI, importing via CLI, assigning to domains, configuring auto-renewal, and fixing the most common certificate errors.

Types of SSL Certificates You Can Install in Plesk

Domain Validated (DV): Basic HTTPS encryption. Issued in minutes. Examples: Let's Encrypt, Sectigo DV, Comodo DV.
Organisation Validated (OV): Business identity verified. Shows company name in certificate details. Required by many enterprise clients.
Extended Validation (EV): Full legal entity verification. Previously showed green address bar in browsers — still signals highest trust level. Required by banks and payment processors.
Wildcard (*.domain.com): Covers the root domain and all first-level subdomains. One certificate for www, mail, shop, api, etc.
Multi-Domain / SAN: One certificate covering multiple distinct domains.
Internal/Private CA: Self-signed or internal CA certificates for intranet systems.

Step 1 — Obtain Your Certificate Files from Your CA

Before importing into Plesk, you need these files from your Certificate Authority:

Certificate file (domain.crt) — your domain's certificate
Private key file (domain.key) — generated when you created the CSR
CA Bundle / Intermediate certificates (ca-bundle.crt or chain.crt) — the trust chain from your CA

If your CA sent a single .pfx or .p12 file, extract the components first:

# Extract certificate from PFX
openssl pkcs12 -in certificate.pfx -nokeys -out domain.crt

# Extract private key from PFX
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out domain.key

# Extract CA chain from PFX
openssl pkcs12 -in certificate.pfx -cacerts -nokeys -out ca-bundle.crt

💡 None of these worked? Skip the guesswork.

Get Expert Help →

Step 2 — Generate a CSR in Plesk (if not already done)

If you haven't yet purchased the certificate and need to generate a CSR to submit to your CA:

1Go to Plesk → Websites & Domains → [domain] → SSL/TLS Certificates

2Click "Add SSL/TLS Certificate"

3Fill in the certificate details — Common Name (your domain), Organisation, Country, etc.

4. Click "Request" — Plesk generates a private key (stored internally) and a CSR.

5. Copy the CSR and paste it into your CA's certificate request form.

Plesk stores the private key securely. When you receive your certificate back from the CA, you upload just the certificate and chain — the key is already matched.

Step 3 — Import the Custom Certificate into Plesk (GUI Method)

1. Navigate to the SSL/TLS Certificates screen

In Plesk, go to Websites & Domains → [domain] → SSL/TLS Certificates. Click Add SSL/TLS Certificate if creating new, or click the existing certificate name if you generated a CSR in Plesk and are uploading the returned certificate.

2Upload or paste certificate components

You have two options:

Upload files: Use the file upload buttons for Certificate (.crt), Private Key (.key), and CA Certificate (ca-bundle.crt).

Paste text: Click "Or enter certificate components as text" and paste the PEM content of each file into the respective text areas.

Ensure the CA certificate field contains the full chain — some CAs provide this as a single file, others provide multiple intermediate certificates that need to be concatenated:

# Concatenate multiple intermediate certificates into one CA bundle cat intermediate1.crt intermediate2.crt root.crt > ca-bundle.crt

3Click "Upload Certificate"

Plesk validates that the certificate matches the private key. If there is a mismatch you'll get an error — see the troubleshooting section below.

Step 4 — Import via Plesk CLI (Server-Level)

For server administrators who need to install certificates on multiple domains or automate the process:

# Import certificate using plesk bin certificate plesk bin certificate --create "My Custom Cert" -domain yourdomain.com -cert /path/to/domain.crt -key /path/to/domain.key -cacert /path/to/ca-bundle.crt # List all certificates for a domain plesk bin certificate --list -domain yourdomain.com # Assign a certificate to a domain plesk bin domain --update yourdomain.com -ssl_certificate "My Custom Cert"

Step 5 — Assign the Certificate to Your Domain and Mail

Uploading the certificate doesn't automatically activate it. You must assign it:

For websites (HTTPS):

Go to Websites & Domains → [domain] → Hosting Settings. Under Security, select your certificate from the SSL/TLS Certificate dropdown. Enable Permanent SEO-safe 301 redirect from HTTP to HTTPS. Click OK.

For Plesk mail server (IMAP/SMTP/POP3):

Go to Tools & Settings → SSL/TLS Certificates (server-level, not domain-level). Select the certificate you want to use for the mail server and click Secure Mail. This assigns your certificate to Dovecot (IMAP/POP3) and Postfix (SMTP).

For the Plesk control panel itself:

Go to Tools & Settings → SSL/TLS Certificates → select certificate → Secure Plesk. This changes the certificate used for the Plesk login page (https://server:8443).

Step 6 — Verify the Certificate Is Working

# Check certificate via OpenSSL from command line openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates -subject -issuer # Verify certificate chain is complete openssl s_client -connect yourdomain.com:443 -showcerts 2>/dev/null | grep -E "subject|issuer" # Quick browser test curl -vI https://yourdomain.com 2>&1 | grep -E "SSL|certificate|expire"

Also check the certificate details in your browser by clicking the padlock → Certificate → Details. Confirm the issuer, validity dates, and subject alternative names (SANs) match your expectations.

Troubleshooting Common Plesk SSL Errors

"Certificate and private key do not match": The .key file doesn't correspond to this certificate. Verify with: openssl x509 -noout -modulus -in domain.crt | md5sum and openssl rsa -noout -modulus -in domain.key | md5sum — the hashes must be identical.

"Certificate chain is incomplete": The CA bundle is missing an intermediate certificate. Download the full chain from your CA's support page and re-upload.

Browser shows certificate error after assignment: Clear Plesk's certificate cache: service nginx reload && service apache2 reload (or httpd on RHEL-based systems).

"Certificate has expired": Replace the certificate file. If purchased from a CA, download the renewed certificate from your CA account and follow Steps 3–5 again.

Mixed content warnings after enabling HTTPS: Update hardcoded HTTP URLs in your CMS. In WordPress, use a plugin like Better Search Replace to update the database. In Plesk, ensure the 301 redirect from HTTP to HTTPS is enabled.

Installing and managing SSL certificates across dozens of Plesk domains — especially keeping EV and OV certificates renewed on time — is a routine task that hosting operations teams handle daily. CloudHouse Technologies provides expert Plesk server management, including SSL certificate installation, chain verification, renewal automation, and 24/7 monitoring.

Get the Free Linux Server Admin Cheatsheet (PDF)

Essential commands for server management, networking, and troubleshooting — all on one printable page.

Running Linux servers? Let us manage them for you.

Our Managed Linux Server plans cover updates, security hardening, monitoring, and 24/7 incident response — so your servers stay up and your team stays focused.

Proactive OS patching and security updates
24×7 monitoring with instant alerting
Backup configuration and disaster recovery
Dedicated Linux engineers on call

See Pricing Plans →

What our customers say

“Our production server went down at 2 AM. CloudHouse had it back online in under 20 minutes. Incredible response time.”

Arun S.

CTO, SaaS Startup

“They migrated our entire infrastructure from Ubuntu 18 to 22 with zero downtime. Couldn't have asked for better.”

Deepak N.

DevOps Lead

Frequently Asked Questions

Go to Websites & Domains → [domain] → SSL/TLS Certificates → Add SSL/TLS Certificate. Upload your certificate file (.crt), private key (.key), and CA bundle/chain file (.crt). Click Upload Certificate. Then go to Hosting Settings for the domain and select the newly uploaded certificate from the SSL/TLS Certificate dropdown. Enable the HTTP-to-HTTPS redirect and click OK.

Book your free 15-minute diagnosis

A certified technician will call you back within 15 minutes during business hours.

Share this article

Comments (0)

Loading comments...