This guide walks you through every step of using the Trustico® CaaS cPanel plugin to retrieve and install your SSL Certificate. Whether you are securing a single website or multiple subdomains, this guide covers the complete process. Learn About The Trustico® CaaS cPanel Plugin 🔗
Ready to Install? Server administrators can download and install the plugin on their servers. View Our Installation Guide 🔗
Prerequisites
Before using the plugin, make sure you have an active Trustico® SSL Certificate order that supports Certificate as a Service (CaaS). You will need the EAB Key ID and EAB HMAC Key provided with your order confirmation e-mail.
You will also need access to cPanel on your hosting server with the Trustico® CaaS plugin installed. If the plugin is not yet installed, refer to the installation guide or ask your server administrator. Discover How to Obtain Your CaaS Credentials 🔗
Selecting Your Virtual Host
After opening the plugin from the "Security" section in cPanel, you will see a dropdown labeled "Select Your Virtual Host." A virtual host is the primary hosted domain on your cPanel account.
If you have multiple websites hosted on the same cPanel account, each one appears as a separate virtual host in the dropdown.
Select the virtual host you would like to secure. Three sections will appear below the dropdown showing the current SSL Certificate coverage : the Virtual Host table, the Website Domains table, and the Service Domains table.
Coverage Tables Explained
The plugin displays your SSL Certificate coverage using the same method cPanel uses on its own SSL/TLS Status page. Each domain name is checked against the installed SSL Certificate's Subject Alternative Names (SANs) to determine whether it is covered.
Virtual Host Table
The Virtual Host table shows the SSL Certificate currently installed on your hosted domain. It displays the issuer, the expiry date with days remaining, and the overall status.
If no SSL Certificate is installed, you will see "No SSL" in amber, letting you know that your website does not currently have an SSL Certificate.
Website Domains Table
The Website Domains table shows the domain names your visitors use to access your website. Each row has a checkbox allowing you to select which domain names to include on your new SSL Certificate.
The Status column shows "Active" in green if the domain name is covered by the currently installed SSL Certificate, or "Inactive" in gray if it is not.
Most customers secure their website with both the root domain (example.com) and the www version (www.example.com). If your SSL Certificate license includes a Wildcard, you will also see a *.example.com entry which covers all subdomains.
Service Domains Table
The Service Domains table shows cPanel service subdomains such as cpanel.example.com, webmail.example.com, and webdisk.example.com. These are used by cPanel services rather than your website visitors.
Service Domains are automatically secured when your SSL Certificate includes a Wildcard SAN or an explicit domain name covering them. You can select these if your license covers them.
Form Completion
After selecting the domain names to include on your SSL Certificate, scroll down to the "Retrieve SSL Certificate" form and complete each field.
SSL Certificate Type
Select the SSL Certificate type that matches your Trustico® order. Four options are available : Trustico® Domain Validation (DV), Trustico® Organization Validation (OV), Sectigo Domain Validation (DV), and Sectigo Organization Validation (OV).
Your EAB credentials are associated with the specific type you purchased. Selecting the wrong type will result in a registration error, so make sure the selection matches your order.
Validation Method
The Validation Method defaults to "Automatic (Recommended)" which uses HTTP-01 for standard domains and DNS-01 for Wildcard domains. You generally do not need to change this setting.
If you check a Wildcard domain name in the Website Domains table, the dropdown automatically switches to "DNS-01 for All Domains" and becomes locked.
Choose "DNS-01 for All Domains" manually if HTTP validation is blocked by a firewall, CDN, or proxy service. DNS-01 validation works by creating temporary Domain Name System (DNS) TXT records and does not require your website to be accessible from the internet.
Processing Timeout
The Processing Timeout defaults to 24 hours, which allows sufficient time for the Certificate Authority (CA) to process your request. The Certificate Authority (CA) may take varying amounts of time depending on the validation method and server load. You can reduce the timeout if preferred and close the page during processing to return later.
EAB Credentials
Enter the EAB Key ID provided with your Trustico® order in the first credential field. This identifier links your SSL Certificate request to your purchase.
Enter the EAB HMAC Key in the second field. This is a secret key that authenticates your request and should be kept confidential. The HMAC Key field is masked for security.
SSL Certificate Retrieval
When you retrieve an SSL Certificate through this plugin, a copy is stored and managed independently of cPanel. Automatic reissue ensures your SSL Certificate is replaced before it expires without any action on your part. If a valid SSL Certificate already exists from a previous retrieval, the plugin will reinstall it automatically. Select force issuance only if you require a completely new SSL Certificate and Private Key to be retrieved from the Certificate Authority (CA).
cPanel AutoSSL
cPanel AutoSSL is a built-in cPanel feature that may interfere with your Trustico® SSL Certificate by automatically overwriting it without your knowledge. This option sets your Trustico® SSL Certificate as the primary SSL Certificate for your virtual host and instructs cPanel to disable AutoSSL for the virtual host domains. We recommend this option as it ensures your paid license is being utilized.
The "Enable Trustico® CaaS Primarily (Recommended)" option is selected by default. This sets your Trustico® SSL Certificate as the primary SSL Certificate and excludes all domains on your virtual host from cPanel AutoSSL management. This exclusion is persistent and remains in effect until manually reversed from the cPanel SSL/TLS Status page.
Submitting Your Request
Click the "Retrieve SSL Certificate" button to begin the process. The plugin validates your selections, verifies domain ownership, and starts the SSL Certificate issuance in the background.
The form is replaced by the SSL Certificate Request Status section showing the progress of your request.
Monitoring Your Request
After submitting, the SSL Certificate Request Status section shows a pulsing indicator with the current step and an elapsed time counter. For HTTP-01 validation, the process typically completes in under a minute. DNS-01 validation requires the Certificate Authority (CA) to verify Domain Name System (DNS) records, which can take anywhere from a few minutes to several hours depending on how quickly the Certificate Authority (CA) processes the request.
You can close the page at any time during processing. When you return to the plugin page, it automatically detects the active request and resumes showing the progress. You can also abort an active request if needed.
When the request completes successfully, you will see a green status with the message "SSL Certificate Installed - Automatic Reissue Management Configured." The coverage tables refresh automatically. You can dismiss the completed status to return to the form.
If the request fails, the status section shows the error with an option to view the technical log, which includes the specific error message from the Certificate Authority (CA).
After Installation
Once your SSL Certificate is installed, your website immediately begins serving HTTPS. The plugin configures automatic reissue so the SSL Certificate is reissued before it expires without any action on your part.
You can return to the plugin at any time to view the current SSL Certificate status for your virtual host. The coverage tables show which domain names are secured.
If you need to change the domain names covered by your SSL Certificate, you can submit a new request with the desired domain names selected. Submitting a new request replaces the existing SSL Certificate on the virtual host.
Troubleshooting
If you encounter an issue, the following guidance covers the most common problems and their solutions.
ACME Account Registration Failed
This error occurs when the EAB credentials do not match the selected SSL Certificate type. Verify that the correct type is selected in the dropdown.
For example, if you purchased a Sectigo Domain Validation (DV) SSL Certificate, make sure "Sectigo Domain Validation (DV) SSL Certificate" is selected rather than "Trustico® Domain Validation (DV) SSL Certificate." Also verify that the EAB Key ID and HMAC Key are entered correctly with no extra spaces.
Domain Validation Failed
HTTP-01 validation requires the domain to resolve to the hosting server and the web root to be accessible from the internet. If your domain is behind a CDN, firewall, or proxy, switch to "DNS-01 for All Domains."
DNS-01 validation requires the server to manage the Domain Name System (DNS) zone for the domain. If the zone is managed externally (such as at a domain registrar or Cloudflare), DNS-01 validation will fail because the plugin cannot create the required TXT records.
Processing Timeout
If a DNS-01 request times out, you can dismiss the failed request and try again. The default timeout is 24 hours which allows sufficient time for the Certificate Authority (CA) to complete validation. You can reduce the timeout if preferred, but shorter timeouts may result in the request being stopped before the Certificate Authority (CA) finishes processing.
If the request fails, the status section shows the error. You can dismiss it and submit a new request with the same EAB credentials.
Missing Domain Coverage
If a domain shows "Inactive" after installation, it means the SSL Certificate's Subject Alternative Names (SANs) do not include that domain name.
A single site SSL Certificate covers only the root domain. To cover subdomains such as www or mail, you need a Wildcard SSL Certificate or a multi-domain SSL Certificate that includes those names.
Cooldown Period
After issuing an SSL Certificate, a short cooldown period prevents duplicate requests and protects against Certificate Authority (CA) rate limits. If a cooldown message appears, wait the indicated time before trying again.
Resubmission Delays
Resubmitting an SSL Certificate request for the same domain within an existing license period may result in the Certificate Authority (CA) taking longer to process the request. This is normal behaviour and the process will continue in the background. Allow up to 24 hours for the process to complete. The status will update throughout the process and you can close the page and return later to check the result.
Frequently Asked Questions
The following questions and answers cover the most common topics customers ask about when using the Trustico® CaaS cPanel plugin.
Understanding EAB Credentials
External Account Binding (EAB) credentials are provided when you purchase an SSL Certificate license from the Trustico® online store. The EAB Key ID identifies your purchase and the HMAC Key authenticates your request.
Both are required to retrieve the SSL Certificate through the plugin. Discover How to Obtain Your CaaS Credentials 🔗
Reusing EAB Credentials
EAB credentials can be used to issue and reissue the SSL Certificate for the licensed domain names. The automatic reissue process uses the same credentials without requiring you to re-enter them.
Comparing HTTP-01 with DNS-01 Validation
HTTP-01 validation places a temporary file on the web server to prove domain control. It is fast but requires the domain to resolve to the server and the web root to be accessible.
DNS-01 validation creates a temporary Domain Name System (DNS) TXT record to prove domain control. It is required for Wildcard SSL Certificates and works even when the domain is behind a CDN or firewall, as long as the server manages the DNS zone.
Expected Issuance Time
HTTP-01 validation typically completes in under a minute. DNS-01 validation requires Certificate Authority (CA) processing in addition to DNS record propagation and can take anywhere from a few minutes to several hours. You can close the page and return later to check the result.
Impact on Your Existing SSL Certificate
When a new SSL Certificate is installed, it replaces the existing SSL Certificate on the virtual host. Domain names not included in the new SSL Certificate will show as "Inactive" in the coverage tables.
Understanding Service Domains
Service Domains are cPanel service subdomains such as cpanel.example.com, webmail.example.com, and webdisk.example.com. These are automatically secured when the installed SSL Certificate covers them through a Wildcard SAN or an explicit domain name.
SSL Certificate Reissue
SSL Certificates installed through the Trustico® CaaS plugin are reissued automatically before they expire. No manual action is required.
Plugin Unavailable
Direct your server administrator to the installation guide for the Trustico® CaaS cPanel plugin. Installation requires a single script run as root via Secure Shell (SSH) and makes the plugin available to every cPanel user.
If you manage your own cPanel server, you can install the plugin yourself. View Our Installation Guide 🔗
Ready to Install? Server administrators can download and install the plugin on their servers. View Our Installation Guide 🔗
