Overview
SSL certificates encrypt traffic between your visitors and your server. Without one, browsers flag your site as “Not Secure” and some will actively block access. If you’re running Plesk on a Linux VPS or dedicated server, you have two main options: install a free Let’s Encrypt certificate automatically through Plesk, or upload a certificate you’ve purchased from a third-party CA like Sectigo, DigiCert, or GlobalSign.
This article covers both methods. Let’s Encrypt is the right choice for most sites — it’s free, it auto-renews every 90 days, and Plesk handles the whole process for you. A paid cert makes sense if you need extended validation (EV), a wildcard for multiple subdomains, or your organisation has compliance requirements that mandate a specific CA.
These instructions apply to Plesk Obsidian 18.0.x, which is the current version as of 2026. If you’re on an older version, the UI paths are mostly the same but a few menu labels differ.
Prerequisites
- Plesk Obsidian 18.0 or later (check under Server Management > Updates)
- Admin or domain-owner access to Plesk
- Your domain’s DNS A record pointing to the server’s IP — Let’s Encrypt will fail if DNS hasn’t propagated
- Port 80 open on the server firewall (Let’s Encrypt uses HTTP-01 challenge validation)
- For manual installs: your certificate file (.crt), private key (.key), and CA bundle (.ca-bundle or intermediate chain)
- The Let’s Encrypt extension installed in Plesk (it’s included by default on most installs, but worth confirming)
Method 1: Install a Free Let’s Encrypt SSL Certificate
This is what I’d recommend for the majority of sites. Plesk’s Let’s Encrypt integration handles issuance, installation, and renewal automatically.
- Log in to Plesk and go to Websites & Domains.
- Find the domain you want to secure and click SSL/TLS Certificates.
- Click Install a free basic certificate provided by Let’s Encrypt.
📝 Note: If you don’t see this option, the Let’s Encrypt extension may not be installed. Go to Extensions > Extensions Catalog, search for “Let’s Encrypt”, and install it. It’s free.
- On the Let’s Encrypt form, fill in:
  - Email address — used for expiry notices and recovery. Use a real address you monitor.
  - Include www subdomain — check this unless you have a specific reason not to. It secures both example.com and www.example.com.
  - Include wildcard — only available if you use DNS-01 challenge (requires Plesk to have API access to your DNS provider). Leave unchecked unless you need it.
- Click Get it free. Plesk will contact Let’s Encrypt’s servers, complete the domain validation challenge, and install the certificate. This usually takes 15–30 seconds.
- Once it’s done, you’ll see a confirmation with the certificate expiry date (90 days out). Plesk auto-renews it 30 days before expiry.
- To force HTTPS, go back to Websites & Domains, click Hosting Settings for the domain, and enable Permanent SEO-safe 301 redirect from HTTP to HTTPS. Click OK.
⚠ Warning: Don’t enable the HTTPS redirect until the certificate is confirmed as installed. Redirecting to HTTPS before the cert is in place will break the site for all visitors.
Method 2: Install a Manually Purchased SSL Certificate
If you’ve bought a certificate from a third-party CA, you’ll have received a .crt file, a .key file (your private key, generated when you created the CSR), and usually a CA bundle file containing the intermediate certificates. You need all three.
Step 1: Generate a CSR (if you haven’t already)
If you already have your certificate files, skip to Step 2. If you need to generate a CSR in Plesk:
- Go to Websites & Domains > SSL/TLS Certificates for your domain.
- Click Add SSL/TLS Certificate.
- Fill in the certificate name (for your reference), your organisation details, and the domain name.
- Click Request. Plesk generates a CSR and private key, both stored in Plesk.
- Copy the CSR text and submit it to your CA to purchase and issue the certificate.
Step 2: Upload and Install the Certificate
- Go to Websites & Domains > SSL/TLS Certificates.
- Click Add SSL/TLS Certificate.
- Give the certificate a recognisable name (e.g. example.com-sectigo-2026).
- Scroll to the Upload the certificate files section. You can either paste the certificate text directly or upload the files:
  - Certificate (*.crt) — the certificate your CA issued
  - CA Certificate (*.ca-bundle) — the intermediate chain file
  - Private Key (*.key) — your private key
- Click Upload Certificate.
- Now assign it to the domain. Go back to SSL/TLS Certificates and click Assign certificate to this domain (or you may see a dropdown to select the certificate). Select the certificate you just uploaded and click OK.
📝 Note: The private key must match the certificate. If you generated the CSR outside of Plesk (e.g. on the command line with OpenSSL), make sure you’re uploading the correct key. A mismatch will throw an error during the upload step.
You can verify the key matches the certificate from the server command line:
# For RSA keys, these two commands should output the same MD5 hash if the key matches the cert
openssl x509 -noout -modulus -in /path/to/your.crt | openssl md5
openssl rsa -noout -modulus -in /path/to/your.key | openssl md5
If the hashes match, you’re good. If they don’t, you’ve got the wrong key file.
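The modulus comparison only works for RSA keys; `openssl rsa` rejects an ECDSA key. The following added example (not from the original article) compares a SHA-256 hash of the public key in each file instead, which works for both key types. The function names and the throwaway `example.test` pair are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: key/certificate match check that works for RSA and ECDSA.

# SHA-256 over the DER-encoded public key (PEM public key on stdin).
spki_hash() {
  openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert CERT KEY -> 0 match, 1 mismatch, 2 a file could not be parsed.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  # Guard against empty output so two failures never compare as equal.
  if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then return 2; fi
  [ "$(printf '%s\n' "$cert_pub" | spki_hash)" = "$(printf '%s\n' "$key_pub" | spki_hash)" ]
}

# Constructed test material: throwaway self-signed pair for example.test.
# make_pair PREFIX rsa|ec writes PREFIX.key and PREFIX.crt
make_pair() {
  if [ "$2" = ec ]; then
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null
  else
    openssl genrsa -out "$1.key" 2048 2>/dev/null
  fi
  openssl req -new -x509 -key "$1.key" -subj "/CN=example.test" -days 1 \
    -out "$1.crt" 2>/dev/null
}

# Usage on the server: ./check.sh /path/to/your.crt /path/to/your.key
if [ "$#" -eq 2 ]; then
  key_matches_cert "$1" "$2" && echo "key matches certificate" \
    || echo "mismatch or unreadable file"
fi
```

A return code of 2 means one of the files could not be parsed at all (wrong path, not PEM, or a passphrase-protected key), which is a different problem from a mismatched pair.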
Verify the SSL Certificate is Working
After installing, visit your site over HTTPS and check the padlock. For a more thorough check, run your domain through SSL Labs — it’ll flag weak cipher suites, chain issues, and mixed content problems that the browser won’t obviously surface.
If you’re on a VPS SSD Hosting plan with Host & Tech, you can also confirm the certificate from the server itself:
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -subject -dates
This prints the certificate’s subject and expiry dates directly. Useful when you want to confirm which cert is actually being served without going through a browser.
Common Issues & Troubleshooting
Let’s Encrypt Error: “Could not issue a Let’s Encrypt SSL/TLS certificate”
This is the most common one, and the error message is frustratingly vague. The actual cause is almost always one of three things: DNS hasn’t propagated yet, port 80 is blocked by a firewall rule, or there’s a CAA DNS record on the domain that’s restricting which CAs can issue for it.
Check DNS first:
dig A yourdomain.com +short
If the IP returned isn’t your server’s IP, DNS hasn’t propagated — wait and try again. If DNS looks correct, check your firewall:
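# On servers using firewalld (port 80 may be listed as 80/tcp or allowed via the "http" service)
firewall-cmd --list-ports
firewall-cmd --list-services
# On servers using iptables (match the destination port exactly, not 8080 or an IP containing 80)
iptables -L INPUT -n | grep -w 'dpt:80'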
Port 80 must be open. Let’s Encrypt needs it for HTTP-01 validation even if you plan to run HTTPS-only.
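The DNS and firewall checks have no counterpart here for the third cause, a CAA record. As an added example (not from the original article), this script evaluates the output of `dig CAA yourdomain.com +short` and reports whether a given CA, such as `letsencrypt.org`, is allowed to issue. The function names and sample records are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: does the CAA record set allow a given CA to issue?

# Constructed sample outputs of `dig CAA <domain> +short`.
SAMPLE_OTHER_CA='0 issue "digicert.com"
0 iodef "mailto:security@example.com"'
SAMPLE_LE_NO_WILDCARD='0 issue "letsencrypt.org; validationmethods=http-01"
0 issuewild ";"'

# caa_permits ISSUER [wildcard]   (record set on stdin)
# Returns 0 if issuance is allowed, 1 if the records forbid it.
caa_permits() {
  local issuer="$1" tag="issue" records relevant
  records=$(cat)
  # For wildcard names, issuewild records take precedence when present (RFC 8659).
  if [ "$2" = wildcard ] && printf '%s\n' "$records" | grep -qiE '^[0-9]+ issuewild '; then
    tag="issuewild"
  fi
  relevant=$(printf '%s\n' "$records" | awk -v t="$tag" 'tolower($2) == t')
  # No issue/issuewild records at all: CAA imposes no restriction.
  if [ -z "$relevant" ]; then return 0; fi
  # Strip flags, tag, quotes and any ";parameters", then compare CA domains.
  printf '%s\n' "$relevant" | awk -v want="$issuer" '
    { v = $0
      sub(/^[0-9]+ +[A-Za-z]+ +/, "", v); gsub(/"/, "", v)
      sub(/;.*/, "", v); gsub(/[ \t]/, "", v)
      if (tolower(v) == tolower(want)) found = 1 }
    END { exit !found }'
}

# Live lookup: CAs use the closest CAA record set, climbing towards the root.
find_caa_set() {
  local name="${1%.}" out
  while [ -n "$name" ]; do
    out=$(dig +short CAA "$name")
    if [ -n "$out" ]; then printf '%s\n' "$out"; return 0; fi
    case "$name" in *.*) name="${name#*.}" ;; *) return 0 ;; esac
  done
}
# Usage: find_caa_set yourdomain.com | caa_permits letsencrypt.org
```

An `issue ";"` or `issuewild ";"` record forbids every CA for that name type, so a domain can permit a normal Let’s Encrypt certificate while blocking the wildcard one.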
“The certificate and private key do not match”
You’ve uploaded a certificate that was issued for a different CSR than the private key you have. This happens when someone regenerates the CSR without keeping track of which key goes with which certificate. Use the OpenSSL modulus check shown in the installation steps above to identify the correct pair.
Certificate Installed But Site Still Shows HTTP or Mixed Content
The cert is installed but something on the page is still loading over HTTP — usually hardcoded image URLs, script tags, or stylesheet links in the database. For WordPress sites this is very common. Check the browser console (F12 > Console) for mixed content warnings. The URLs listed there are the culprits. A search-replace in the database or a plugin like Really Simple SSL will fix it.
Let’s Encrypt Certificate Not Auto-Renewing
Plesk handles renewal via a scheduled task. If renewals are silently failing, check Tools & Settings > Scheduled Tasks for the plesk sbin letsencrypt task and make sure it’s enabled. Also check the Plesk error log:
tail -n 100 /var/log/plesk/panel.log | grep -i letsencrypt
Rate limit errors from Let’s Encrypt (too many certificates already issued) mean you’ve hit the 5 duplicate certificates per week limit — usually caused by repeated failed attempts. Wait a week, fix the underlying DNS or firewall issue, and try again.
“SSL certificate expired” After Manual Install
Paid certificates don’t auto-renew in Plesk. You need to go through the manual upload process again with a new certificate from your CA before the expiry date. Set a calendar reminder for 30 days before expiry. This is the one area where Let’s Encrypt’s auto-renewal is genuinely more reliable than a paid cert if someone forgets to manage it.
Frequently Asked Questions
Does Let's Encrypt SSL work with Plesk on a VPS?
Yes, Let’s Encrypt works on any Plesk server where port 80 is accessible and DNS resolves correctly to the server’s IP. It’s the most common setup on VPS hosting. As long as the Let’s Encrypt extension is installed in Plesk, the process is fully automated including renewal.
How do I renew an SSL certificate in Plesk?
For Let’s Encrypt certificates, Plesk renews them automatically 30 days before expiry — you don’t need to do anything. For manually installed paid certificates, you’ll need to purchase a renewal from your CA, then repeat the upload process under Websites & Domains > SSL/TLS Certificates. There’s no automatic renewal for third-party certs.
Can I install a wildcard SSL certificate in Plesk?
Yes, but wildcard certificates via Let’s Encrypt require DNS-01 challenge validation, which means Plesk needs API access to your DNS provider to create TXT records automatically. If your DNS provider isn’t supported, you’ll need to handle DNS validation manually or use a paid wildcard cert instead.
How many SSL certificates can I install in Plesk?
There’s no hard limit from Plesk itself — you can install one certificate per domain or subdomain. Each subscription (domain) in Plesk has its own SSL/TLS Certificates section. If you’re managing multiple domains, you’ll install and assign certificates individually for each one.
Why does my Plesk site show a certificate error after installing SSL?
The most common cause is a missing or incomplete CA bundle (intermediate certificate chain). Browsers trust the CA chain, not just the end certificate. If you uploaded only the domain certificate without the intermediates, some browsers will show a trust error. Re-upload with the full chain file your CA provided (.ca-bundle or .pem containing the intermediates).