Generating a CSR and Installing an SSL Certificate in Plesk

Generating a CSR and Installing an SSL Certificate in Plesk

James Rodriguez

Plesk handles the full SSL Certificate lifecycle inside the panel, from generating the Certificate Signing Request (CSR) through to serving the domain over Transport Layer Security (TLS), and it stores everything in a per-domain repository.

The model means each domain carries its own SSL Certificate entries, and the most common mistakes are simply working under the wrong domain or stopping one step early.

Prerequisites

You need a Plesk login with access to the subscription hosting the domain. Everything below happens under Websites & Domains for that specific domain, and your issued files will be available in the tracking system once validation completes. View Our Tracking & SSL Management 🔗

Generating the Certificate Signing Request

Under Websites & Domains, open SSL/TLS Certificates for the domain and choose to add an SSL Certificate. Give the entry a recognizable name, complete the hostname and organization fields, choose RSA at 2048 bits or stronger, and request.

Plesk generates the request and the Private Key together, storing both inside the entry. Open the entry to copy the request text, submit it when placing your order, and complete validation as normal. Learn About the Validation Procedure 🔗

Installing the Issued SSL Certificate

Once issued, return to the same entry in the SSL/TLS Certificates repository. The entry that holds the Private Key is the one to complete, never a freshly created one.

Paste the issued SSL Certificate into its field and the full ca-bundle from the Certificate Authority (CA) into the CA Certificate field, or upload both as files, then save. The ca-bundle field is what completes the chain for mobile devices and strict clients, so treat it as mandatory rather than optional. Learn About Intermediate Certificates 🔗

Securing the Domain

An entry in the repository protects nothing until the domain points at it. Open Hosting Settings for the domain, enable SSL/TLS support, select the completed entry in the SSL Certificate dropdown, and apply.

Plesk rewrites the web server configuration in the background, and the new SSL Certificate goes live within moments. Mail services on the same domain select their SSL Certificate separately under the mail settings, so secure those too when the SSL Certificate covers the mail hostname.

Note : Plesk also keeps a server-wide repository under Tools & Settings, used for securing Plesk itself and server services. Domain SSL Certificates belong in the domain repository, and pasting into the server-wide one by mistake leaves the website untouched.

With the domain secured, confirmation takes a minute.

Verifying the Installation

Load the site over HTTPS and confirm the SSL Certificate details in the browser. Then run an external scan to confirm the full chain reaches fresh clients, which validates the CA Certificate field was completed. Trustico® provides free checking tools for this confirmation. Explore Our Trustico® SSL Tools 🔗

Troubleshooting Common Installation Problems

A save rejected over a key mismatch means the issued SSL Certificate was pasted into a different entry than the one holding its Private Key, or the original entry was deleted after submission. Locate the original entry, or complete a reissue against a fresh request when it is gone. Learn About Reissuing Your SSL Certificate 🔗

Mobile-only warnings mean the CA Certificate field was skipped. Edit the entry, add the ca-bundle, and save.

A site still serving the previous SSL Certificate after saving usually means Hosting Settings still points at the old entry. Select the new one and apply, then retest in a fresh browser session.

Automating Future Replacements

With industry validity periods stepping down over the coming years, repeating this cycle by hand becomes a recurring chore across every domain in the panel. Automation through the ACME protocol removes the manual work entirely, and Plesk environments adapt to it well.

Trustico® provides Certificate as a Service (CaaS) for exactly this purpose. Learn About Certificate as a Service (CaaS) 🔗

Professional Installation Assistance

Plesk keeps the happy path short, but subscriptions carrying many domains, mail services, and mixed repositories can still tangle.

Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf. Discover Our Premium Installation Service 🔗

Back to Blog

Most Popular Questions

Frequently asked questions covering Certificate Signing Request (CSR) generation and SSL Certificate installation in Plesk, including the per-domain repository model, completing the original entry, the CA Certificate field, Hosting Settings assignment, the server-wide repository trap, Certificate as a Service (CaaS) automation, and the Trustico® Premium Installation service.

The Per-Domain Repository Model in Plesk

Plesk stores everything in a per-domain repository, so each domain carries its own SSL Certificate entries under Websites & Domains. The most common mistakes are simply working under the wrong domain or stopping one step early.

Completing the Original Entry That Holds the Private Key

Plesk generates the request and the Private Key together inside one entry, and that entry is the one to complete after issuance, never a freshly created one. A save rejected over a key mismatch means the issued SSL Certificate was pasted into a different entry, or the original entry was deleted after submission, which is resolved by locating the original entry or completing a reissue against a fresh request.

The CA Certificate Field and the Chain

Paste the full ca-bundle from the Certificate Authority (CA) into the CA Certificate field of the entry, or upload it as a file. This field is what completes the chain for mobile devices and strict clients, so treat it as mandatory rather than optional.

Securing the Domain in Hosting Settings

An entry in the repository protects nothing until the domain points at it, so enable SSL/TLS support in Hosting Settings, select the completed entry in the SSL Certificate dropdown, and apply. Mail services on the same domain select their SSL Certificate separately under the mail settings, so secure those too when the SSL Certificate covers the mail hostname.

Domain Repository Versus the Server-Wide Repository

Plesk also keeps a server-wide repository under Tools & Settings, used for securing Plesk itself and server services. Domain SSL Certificates belong in the domain repository, and pasting into the server-wide one by mistake leaves the website untouched.

Automating Replacements with Certificate as a Service (CaaS)

With industry validity periods stepping down over the coming years, repeating the replacement cycle by hand becomes a recurring chore across every domain in the panel. Automation through the ACME protocol removes the manual work entirely, and Trustico® provides Certificate as a Service (CaaS) for exactly this purpose.

Premium Installation Assistance for Plesk Environments

Plesk keeps the happy path short, but subscriptions carrying many domains, mail services, and mixed repositories can still tangle. Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf.

Stay Updated - Our RSS Feed

There's never a reason to miss a post! Subscribe to our Atom/RSS feed and get instant notifications when we publish new articles about SSL Certificates, security updates, and news. Use your favorite RSS reader or news aggregator.

Subscribe via RSS/Atom