StarDomain

Managing SSL Certificates in Plesk

Managing SSL Certificates in Plesk

Once your SSL certificates are installed, ongoing management ensures your websites remain secure and your certificates stay valid. This guide covers the day-to-day management tasks for SSL certificates in Plesk, including monitoring, renewal, troubleshooting, and advanced configuration.

Viewing Installed Certificates

To see all SSL certificates on your Plesk account:

  1. Log in to your Plesk control panel
  2. Go to Websites & Domains
  3. Click SSL/TLS Certificates for the relevant domain
  4. You will see a list of all certificates associated with the domain, including:

- Certificate name (your reference label)

- Domain the certificate covers

- Valid from / Valid to dates

- Certificate type (DV, OV, EV, or self-signed)

Tip: Certificates with a green checkmark are active and assigned to a domain. Unassigned certificates appear without the indicator.

Monitoring Certificate Expiration

SSL certificates have a limited validity period. Proactive monitoring prevents unexpected expiration:

In Plesk Dashboard

  1. The Websites & Domains overview shows SSL status for each domain
  2. Expiring certificates display warning indicators
  3. Plesk sends email notifications when certificates are approaching expiration (typically 30 days before)

Manual Check

  1. Go to SSL/TLS Certificates for your domain
  2. Click on the certificate name to view full details
  3. Note the Valid to date
  4. Set a calendar reminder for 30 days before expiration

Browser Check

  1. Visit your website at https://yourdomain.com
  2. Click the padlock icon in the address bar
  3. View certificate details to see the expiration date

Renewing SSL Certificates

Renewing Let's Encrypt Certificates

Let's Encrypt certificates in Plesk renew automatically:

  1. Renewal happens approximately 30 days before expiration
  2. The process is fully automated — no action required
  3. If auto-renewal fails, you will receive an email notification
  4. To manually trigger renewal, go to SSL/TLS Certificates and click Reissue Certificate

Renewing Paid SSL Certificates

For commercially purchased certificates:

  1. 30 days before expiration: Begin the renewal process with your certificate authority
  2. Generate a new CSR in Plesk (or reuse the existing one if your CA allows)
  3. Submit the renewal order and complete validation
  4. Once issued, upload the renewed certificate in Plesk
  5. Assign it to your domain (it may auto-assign if using the same certificate entry)
  6. Verify the new expiration date in your browser

Replacing an SSL Certificate

To replace an existing certificate with a new one:

  1. Go to Websites & Domains > SSL/TLS Certificates
  2. You can either:

- Update the existing entry: Click on the certificate name and upload the new certificate and key

- Add a new entry: Click Add SSL/TLS Certificate, upload the new cert, then change the domain assignment

  1. Go to Hosting Settings for the domain
  2. Select the new certificate from the Certificate dropdown
  3. Click OK

Important: When replacing a certificate, ensure the new certificate covers all the same domains and subdomains as the old one.

Removing SSL Certificates

To remove an SSL certificate you no longer need:

  1. First, unassign it from any domain (go to Hosting Settings and select a different certificate or disable SSL)
  2. Go to SSL/TLS Certificates
  3. Click the Remove (trash) icon next to the certificate
  4. Confirm the deletion

Warning: Do not remove a certificate that is currently assigned to a domain. This will cause HTTPS errors for your visitors.

Advanced SSL Configuration

HTTP Strict Transport Security (HSTS)

HSTS tells browsers to always use HTTPS for your domain:

  1. Go to Websites & Domains > your domain
  2. Click SSL/TLS Certificates or Hosting Settings
  3. Enable HSTS if available
  4. Set the max-age value (recommended: at least 31536000 seconds / 1 year)
  5. Optionally enable includeSubDomains to cover all subdomains

Warning: Only enable HSTS after confirming SSL works perfectly for all subdomains. Incorrect HSTS configuration can make your site inaccessible.

OCSP Stapling

OCSP Stapling improves SSL handshake performance:

  1. This is typically configured at the server level
  2. In Plesk, check Apache & nginx Settings for your domain
  3. Add the appropriate OCSP stapling directives in the nginx additional directives section:
ssl_stapling on;
ssl_stapling_verify on;

TLS Version Configuration

Modern security standards recommend disabling older TLS versions:

  1. Go to Tools & Settings > SSL/TLS Certificates (server-wide settings, if accessible)
  2. Ensure TLS 1.2 and TLS 1.3 are enabled
  3. Disable TLS 1.0 and TLS 1.1 (these are considered insecure)
  4. These settings may require server administrator access

Managing SSL for Multiple Domains

Individual Certificates Per Domain

  • Each domain under Websites & Domains can have its own certificate
  • Navigate to the specific domain and manage its SSL independently
  • This approach provides the most flexibility

Wildcard Certificates

If you have a wildcard certificate (*.example.com):

  1. Install it once under SSL/TLS Certificates
  2. Assign it to the main domain and all subdomains
  3. It will cover any subdomain under example.com
  4. The base domain (example.com) must also be included in the certificate SAN

Multi-Domain (SAN) Certificates

For certificates covering multiple different domains:

  1. The certificate must list all domains as Subject Alternative Names
  2. Install the certificate once
  3. It can be assigned to any of the listed domains
  4. Adding a new domain requires reissuing the certificate

Troubleshooting SSL Management Issues

Certificate Shows as Expired Despite Renewal

  • Ensure the renewed certificate is assigned to the domain in Hosting Settings
  • Clear your browser cache (old certificate may be cached)
  • Verify the new certificate was uploaded correctly

Let's Encrypt Renewal Fails

  • Verify domain DNS still points to the server
  • Check if .well-known/acme-challenge/ directory is accessible
  • Disable any proxy (Cloudflare, etc.) temporarily
  • Check Plesk's scheduled tasks for the Let's Encrypt renewal cron
  • Review Plesk logs: /var/log/plesk/panel.log (Linux) or Plesk Event Log (Windows)

Multiple Certificate Warnings

  • Ensure only one certificate is assigned per domain
  • Remove old, expired certificate entries to avoid confusion
  • Check that nginx and Apache are both using the same certificate

Performance Impact of SSL

  • Modern SSL/TLS has minimal performance impact
  • Enable HTTP/2 in Plesk for improved HTTPS performance
  • Use TLS 1.3 where possible for faster handshakes
  • Enable OCSP stapling to reduce certificate validation time

Best Practices for SSL Management

  1. Monitor expiration dates and renew certificates 30 days before they expire
  2. Use Let's Encrypt for domains that do not need OV/EV validation
  3. Enable HTTPS redirect (301) for all domains with SSL
  4. Keep certificates organized with clear naming conventions
  5. Remove unused certificates to maintain a clean certificate list
  6. Test after changes using an online SSL checker
  7. Enable HSTS for domains that will always use HTTPS
  8. Back up private keys securely in case of server migration
  9. Use strong key sizes (2048-bit RSA minimum, or ECDSA for better performance)
  10. Stay updated on SSL/TLS best practices and vulnerability advisories

Related Articles

  • How to Install an SSL Certificate in Plesk
  • Understanding SSL Certificate Types
  • Troubleshooting SSL Certificate Errors

For assistance managing your SSL certificates in Plesk, contact our support team at {{SUPPORT_EMAIL}} or visit {{SUPPORT_URL}}.

Need Help?
New TicketTrack TicketKnowledge BaseContact Us