SSL Certificates

The SSL Certificates page is where you import and manage your own certificates (PEM). After adding one, go to SSL Manager to attach it to a domain. If you just want automatic certificates, use AutoSSL in SSL Manager instead.

Who can use this

The signed-in account owner. Resellers/admins can manage certificates for your account.

Before you start

You need three PEM blocks (plain text):
• Certificate: begins with -----BEGIN CERTIFICATE----- (your leaf cert).
• Private Key: begins with -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----, not password-protected.
• Certificate Authority (CA): intermediate chain (one or more certs) to build a full trust chain.
The certificate’s names (CN/SANs) must match your domain(s). Wildcard *.example.com doesn’t cover example.com unless also listed.

What you see on this page

• Add Certificate opens a modal with three text areas for Certificate, Private Key, and CA bundle.
• The table lists: ID, Common name, Valid for FQDNs, Issuer, Valid from, Expires on, and Actions.
• Next to each SAN/FQDN you’ll see a lock icon: (public CA), (self-signed).

Add your certificate (step-by-step)

1) Click Add Certificate.
2) Paste the Certificate (one leaf cert).
3) Paste the matching Private Key (unencrypted).
4) Paste the Certificate Authority chain (one or more certs, intermediates first).
5) Click Add Certificate. On success, it appears in the list.
6) Open SSL Manager to select this certificate for your domain.

Delete a certificate

You can delete a certificate only if it isn’t assigned to any domain. If blocked, the message will list the domains using it. First switch those domains in SSL Manager to another cert (or None), then delete here.

Security tips

Keep private keys confidential. Use at least RSA-2048 or ECDSA P-256. If a key leaks, replace the certificate immediately and revoke the old one with your CA.

Troubleshooting

• “Invalid PEM/format”: ensure each block has proper BEGIN/END lines and no extra spaces.
• “Key does not match certificate”: you pasted a key for a different CSR; re-pair with the correct key.
• “Incomplete chain”: add the intermediate(s) in the CA field in the right order.
• Browser still not secure: after adding, assign the cert in SSL Manager; verify DNS points here; clear proxy/CDN caches.
• Self-signed shows warning: expected; use a public CA for production.
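
A local pre-upload check for the requirements under "Before you start" and the format errors above. This is an added example, not the panel's own validation code. It uses only the Python standard library, so the certificate's SAN list is passed in by the caller (an assumption), and it does not verify key/certificate pairing or chain order, which need an X.509 parser.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.S)

def pem_blocks(text):
    """Return [(label, encrypted)] per PEM block; raise ValueError on bad armor or stray spaces."""
    found = PEM_RE.findall(text)
    if not found or len(found) != text.count("-----BEGIN "):
        raise ValueError("missing or unterminated BEGIN/END lines")
    blocks = []
    for begin, body, end in found:
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        lines = body.splitlines()
        base64.b64decode("".join(l for l in lines if l and ":" not in l), validate=True)
        # PKCS#8 flags encryption in the label, legacy PEM in a Proc-Type header.
        enc = begin.startswith("ENCRYPTED") or any("ENCRYPTED" in l for l in lines if ":" in l)
        blocks.append((begin, enc))
    return blocks

def covers(san, host):
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san.startswith("*."):  # a wildcard replaces exactly one leftmost label
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return san == host

def preflight(cert_pem, key_pem, ca_pem, sans, hostnames):
    """Return a list of problems; an empty list means these checks passed."""
    try:
        certs, keys, chain = (pem_blocks(t) for t in (cert_pem, key_pem, ca_pem))
    except ValueError as exc:
        return [f"Invalid PEM/format: {exc}"]
    problems = []
    if certs != [("CERTIFICATE", False)]:
        problems.append("Certificate field must hold exactly one leaf certificate")
    if len(keys) != 1 or keys[0][0] not in ("PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
        problems.append("Private Key field must hold one PEM private key")
    elif keys[0][1]:
        problems.append("Private key is password-protected")
    if any(label != "CERTIFICATE" for label, _ in chain):
        problems.append("CA field must contain only certificates")
    problems += [f"{h} is not covered by the certificate names"
                 for h in hostnames if not any(covers(s, h) for s in sans)]
    return problems

def sample_pem(label):  # constructed placeholder body, not a real certificate or key
    body = base64.b64encode(b"constructed placeholder, not real DER").decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

Run it against the three text blocks before pasting them into the Add Certificate modal; never send the private key to a third-party checker.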

Good practice

Track expiry dates, renew early, and keep one certificate that neatly covers the exact names you serve. Prefer AutoSSL unless you need EV/OV, wildcard via DNS-01, or a custom CA policy.

Next steps

Go to SSL Manager and select this certificate for your domain. Check the coverage icons; aim for green locks on the hostnames you actually serve.
