cPanel lets you generate a self-signed SSL certificate entirely within the control panel, without purchasing a certificate or waiting for CA verification. Before going through that process, it is worth knowing that most cPanel hosting accounts come with AutoSSL, which automatically issues and renews free trusted certificates for your domains using Let’s Encrypt. If your domain is pointing to the cPanel server, AutoSSL is almost always the better choice.
Self-signed certificates have specific legitimate uses on cPanel that AutoSSL cannot cover: testing a site before pointing the domain to the server, securing internal-use staging domains not on the public internet, or temporarily covering a domain while waiting for a purchased certificate to be issued. For a live public website receiving real visitors, a self-signed certificate is the wrong choice because every browser will display a security warning that cannot be suppressed.
This guide covers the complete self-signed certificate process in cPanel, explains when it is and is not appropriate, and addresses the questions that come up after the certificate is installed.
When to Use a Self-Signed Certificate in cPanel
| Situation | Self-signed appropriate? | Better option if available |
| Previewing a new site before DNS is pointed to the server | Yes. AutoSSL cannot issue for a domain not yet pointing to the server. | Get AutoSSL running after DNS propagation |
| Testing HTTPS functionality during development on a staging domain | Yes, if the staging domain is not publicly accessible. | Let’s Encrypt certificate via AutoSSL if the staging domain is publicly reachable |
| Internal domain used only within your organization (not public internet) | Yes. No public trust is needed. | Private CA certificate if you have PKI infrastructure |
| Live public website with real visitors | No. Every browser shows a warning. | AutoSSL (free, automatic) or purchased certificate |
| E-commerce site handling payments | No. PCI DSS requires publicly trusted certificates. | Publicly trusted certificate from any CA |
| Temporary placeholder while waiting for a purchased certificate | Acceptable as a stop-gap. Remove when the real certificate arrives. | The purchased certificate once issued |
A self-signed certificate on a live public website is not a security-neutral choice. Every visitor will see a browser warning: ‘Your connection is not private’ or ‘This site is not secure.’ Most visitors will leave. Those who proceed past the warning receive no identity verification guarantee. Search engines may treat HTTPS certificate errors as a negative signal. For any production site with real visitors, use AutoSSL or a purchased certificate.
The Alternative: Using AutoSSL for Free Trusted Certificates
cPanel’s AutoSSL automatically obtains and renews Let’s Encrypt certificates for all domains on your hosting account that point to the server. The process is fully automated: cPanel checks regularly, issues certificates before they expire, and installs them without any action from you.
To check AutoSSL status and trigger it manually if needed:
- Log into cPanel
- In the Security section, click SSL/TLS Status
- You will see a list of all domains on your account and their certificate status
- Domains showing a yellow or red status have either no certificate or an expiring one
- Click Run AutoSSL to trigger immediate certificate issuance for eligible domains
- A domain is eligible if its DNS is pointing to this cPanel server. AutoSSL validates domain control through HTTP, which requires the domain to resolve to this server.
AutoSSL only works for domains that resolve to the cPanel server’s IP address. If the domain’s DNS is pointing elsewhere (a CDN, another server, or has not been updated yet), AutoSSL cannot complete the HTTP domain validation and will not issue a certificate. This is the primary reason to use a self-signed certificate in cPanel: to have HTTPS active before DNS is pointed.
How to Create a Self-Signed SSL Certificate in cPanel: Step by Step
Creating a self-signed certificate in cPanel involves three sequential steps: generating a private key, generating the certificate using that key, and installing the certificate on the domain.
Part 1: Generate the private key
- Log into cPanel
- In the Security section, click SSL/TLS
- Under Private Keys (KEY), click Generate, view, upload, or delete your private keys
- Under Generate a New Private Key, confirm the Key Type is set to RSA and the bit length is 2048. RSA 2048-bit is compatible with all current browsers and applications. You can choose 4096-bit for stronger security at the cost of slightly slower handshakes, but 2048-bit is sufficient for a self-signed test certificate.
- In the Description field, type a recognizable name. Use something descriptive like the domain name or purpose: dev-mysite-2026 or staging-myapp.
- Click Generate
- cPanel generates and displays the private key in PEM format. The key is also stored in your cPanel account automatically. Click Return to SSL/TLS.
Copy and save the private key immediately after generation if you need it outside of cPanel. Once you navigate away, you can retrieve it again from the Private Keys list, but if you ever need to install the same certificate on a different server or tool, you will need both the key and the certificate together.
Part 2: Generate the self-signed certificate
- On the SSL/TLS page, under Certificates (CRT), click Generate, view, upload, or delete SSL certificates
- Under Generate a New Certificate, in the Key dropdown, select the private key you just generated. It will be listed by the description you provided.
- In the Domains field, enter the domain you want to secure. Use the full domain name as it will be accessed: yourdomain.com or subdomain.yourdomain.com. Do not include https:// or trailing slashes.
- Fill in the remaining fields. For a self-signed test certificate these fields do not affect trust (no CA verifies them) but they are embedded in the certificate and visible in certificate details:
- City: Your city name or a placeholder
- State: Full state or province name (not abbreviation)
- Country: Two-letter ISO country code (US, GB, DE, AU, etc.)
- Company: Your organization name or a placeholder
- Company Division: Department or leave blank
- Email: An email address or leave blank for a test certificate
- In the Validity Period dropdown, select the duration. For a test or development certificate, 365 days is standard. Note that modern browsers flag certificates with validity over 398 days, so do not select the maximum if that matters for your testing scenario.
- Click Generate. cPanel generates the self-signed certificate and displays it in PEM format.
- Click Return to SSL/TLS.
The organization name, city, state, and company fields in a self-signed certificate serve no trust purpose. No CA has verified them. Anyone can enter any value. They appear in the certificate details when a user clicks the padlock, but the browser warning appears regardless of what is in these fields. Fill them with accurate information to avoid confusion, or use placeholders for a purely internal test certificate.
Part 3: Install the certificate on the domain
- On the SSL/TLS page, under Install and Manage SSL for your site (HTTPS), click Manage SSL Sites
- Scroll down to Install an SSL Website
- In the Domain dropdown, select the domain you want to install the certificate on
- Click Browse Certificates. A list of certificates stored in your cPanel appears.
- Select the self-signed certificate you just generated. cPanel automatically fills in the Certificate (CRT) and Private Key (KEY) fields.
- The Certificate Authority Bundle (CABUNDLE) field remains empty for a self-signed certificate. There is no CA chain because the certificate is not issued by any CA. Leave this field blank.
- Click Install Certificate
- You receive an SSL Host Successfully Installed confirmation. Click OK.
The domain is now accessible via https://. Visitors to the HTTPS version will see a browser security warning because the certificate is not trusted by any public CA. This is expected and unavoidable for a self-signed certificate served to a browser.
After Installation: What to Expect and What the Warnings Mean
The browser warning is permanent
Every browser (Chrome, Firefox, Safari, Edge) shows a security warning for self-signed certificates. In Chrome: ‘Your connection is not private’ with error code NET::ERR_CERT_AUTHORITY_INVALID. In Firefox: ‘Warning: Potential Security Risk Ahead.’ These warnings cannot be suppressed for visitors. Each visitor must click through a warning to proceed.
For internal testing where you control the browsers (your own development machines), you can add an exception in the browser or import the self-signed certificate into the operating system trust store to suppress the warning for your own use. This does not suppress warnings for other visitors.
API calls and non-browser clients will also fail
curl, wget, Python requests, Node.js, and other HTTP clients fail certificate validation for self-signed certificates by default. They produce errors like SSL certificate problem: self-signed certificate or unable to get local issuer certificate. These clients can be configured to skip certificate validation (curl -k, Python verify=False) but this disables all certificate checking for the duration, which is only appropriate for local testing against your own server.
Search engines and the self-signed warning
Googlebot can crawl HTTPS pages but certificate errors affect crawling behavior. A site with consistent certificate warnings may see reduced crawling frequency. For any site where search indexing matters, use a trusted certificate. AutoSSL is free and automatic; there is no cost justification for using a self-signed certificate on a production site.
Replacing the Self-Signed Certificate with a Trusted Certificate
When you are ready to replace the self-signed certificate with a trusted one (either via AutoSSL or a purchased certificate), the process is straightforward in cPanel.
Using AutoSSL (Let’s Encrypt, free)
Once your domain’s DNS is pointed to the cPanel server: go to cPanel, Security section, SSL/TLS Status, and click Run AutoSSL. AutoSSL detects the domain, completes HTTP validation, and issues a trusted certificate. The new certificate automatically replaces the self-signed one. The browser warning disappears for all visitors once the new certificate is served.
Using a purchased certificate
After purchasing a certificate from a CA: generate a CSR in cPanel (SSL/TLS page, Certificate Signing Requests), submit the CSR to the CA, complete the CA’s domain validation, receive the issued certificate and CA bundle files, then install them in cPanel via SSL/TLS, Manage SSL Sites. When installing a purchased certificate, paste the CA bundle into the Certificate Authority Bundle field, which completes the certificate chain and eliminates the browser warning.
Before removing the self-signed certificate, confirm the new certificate is installed and working. Use the SSL Labs test (ssllabs.com/ssltest) to verify the certificate chain is complete and the domain passes validation. A brief overlap period where both certificates exist in cPanel is fine; cPanel serves the installed one, and you can delete the self-signed certificate from the Certificates list after confirming the new one works.
Common Issues After Installing a Self-Signed Certificate in cPanel
The domain still shows HTTP after installation
Installing the certificate enables HTTPS but does not force HTTP visitors to HTTPS. Add an HTTP to HTTPS redirect either in cPanel (Domains section, Redirects, add redirect from http://yourdomain.com to https://yourdomain.com) or in the .htaccess file at the site root. For WordPress sites, update Settings, General to use https:// in both the WordPress Address and Site Address fields before adding the redirect.
Mixed content warnings after enabling HTTPS
After installing the certificate and enabling HTTPS, pages may show a broken padlock due to mixed content: some resources (images, scripts, stylesheets) still load over HTTP. This happens because the site’s database or theme files contain hardcoded http:// URLs. For WordPress, the WP-CLI search-replace command or the Better Search Replace plugin replaces all stored http:// URLs with https://. For other CMS platforms, use the equivalent URL update tool or update the database directly.
Redirect loop after installation with Cloudflare
If the domain uses Cloudflare and Cloudflare’s SSL mode is set to Flexible, installing HTTPS on the origin server creates a redirect loop: Cloudflare connects to the origin over HTTP, the origin redirects to HTTPS, Cloudflare connects over HTTP again. Change the Cloudflare SSL mode to Full (if using a self-signed certificate on the origin) or Full (Strict) once a trusted certificate is installed. See the Cloudflare SSL guide in this series for the full explanation.
Frequently Asked Questions
What is a self-signed SSL certificate in cPanel?
A self-signed SSL certificate in cPanel is a certificate that you generate within the cPanel control panel and sign yourself, without involving a Certificate Authority. It encrypts the connection between visitors and your server using HTTPS, but browsers do not trust it because no independent CA has verified your identity. Visitors see a security warning when accessing your site. Self-signed certificates are appropriate for testing and development scenarios where browser warnings are acceptable; they are not appropriate for live public websites.
Why do visitors see a security warning with my self-signed certificate?
Browsers maintain a list of trusted Certificate Authorities. When a browser receives an SSL certificate, it checks whether the certificate was signed by one of these trusted CAs. A self-signed certificate was signed by you, not by a trusted CA, so it fails this check. The browser displays a warning to inform the visitor that the site’s identity cannot be verified. The warning cannot be suppressed for general visitors. The fix is to replace the self-signed certificate with one from a trusted CA: cPanel’s AutoSSL provides free trusted certificates automatically for domains pointing to the server.
Is AutoSSL better than a self-signed certificate?
Yes, for virtually all production uses. AutoSSL issues free Let’s Encrypt certificates that are trusted by all major browsers. No browser warning. Automatic renewal. No cost. The only scenario where AutoSSL cannot substitute for a self-signed certificate is when the domain’s DNS is not pointing to the cPanel server (because AutoSSL’s validation requires the domain to resolve to the server). In that case, a self-signed certificate covers HTTPS temporarily until DNS is updated and AutoSSL can run.
Can I install a self-signed certificate on multiple domains in cPanel?
Yes. Repeat the process for each domain: generate a new certificate for each domain (or generate a certificate that lists multiple domains in the Domains field), then install each certificate on the corresponding domain via Manage SSL Sites. Each domain requires its own certificate installation. A certificate generated for yourdomain.com does not cover subdomain.yourdomain.com; each needs its own certificate unless a wildcard entry is used in the Domains field (*.yourdomain.com).
How do I remove a self-signed certificate from cPanel?
Uninstall the certificate from the domain first: go to SSL/TLS, Manage SSL Sites, find the domain, and click Uninstall next to it. This removes the HTTPS certificate from that domain. Then delete the certificate entry from the Certificates list and delete the associated private key from the Private Keys list. Once uninstalled, the domain falls back to HTTP unless AutoSSL or another certificate is installed to replace it.
