SSL certificates secure the connection between your website and its visitors, enabling HTTPS. This guide covers the two main methods for getting SSL set up on your hosting account: the free automatic option via AutoSSL, and manually installing a paid or custom certificate.
Most customers should use AutoSSL. If you are on a Host Media shared or reseller hosting plan, free SSL certificates are available via AutoSSL and Let's Encrypt. There is no need to purchase an SSL certificate for most websites, read Method 1 first.
Method 1: AutoSSL (free, automatic)
AutoSSL automatically issues and renews free SSL certificates for all domains on your hosting account using Let's Encrypt. In most cases it runs automatically and your domain will already have a valid SSL certificate, you just need to ensure HTTPS is being used.
Checking your AutoSSL status
- Log in to cPanel.
- Scroll to the Security section and click SSL/TLS Status.
- You will see a list of all domains on your account with their current SSL status. Domains with a padlock icon and green text have a valid certificate installed.
- If a domain shows as not secured, tick the checkbox next to it and click Run AutoSSL. The certificate will be issued within a few minutes.
Common reasons AutoSSL may fail
- The domain's DNS is not yet pointing to your Host Media hosting, AutoSSL cannot issue a certificate for a domain it cannot verify. Ensure your A record or nameservers are pointing correctly and try again once DNS has propagated
- The domain has a CAA record that excludes Let's Encrypt, check your DNS for a CAA record and either remove it or add
letsencrypt.orgas an allowed certificate authority - The domain uses Cloudflare with proxy mode enabled, temporarily set the DNS record to DNS-only (grey cloud) in Cloudflare while AutoSSL runs, then re-enable the proxy afterwards
If AutoSSL continues to fail after checking the above, open a support ticket and our team can investigate further.
Method 2: Installing a paid or custom SSL certificate
If you have purchased an SSL certificate from a third-party provider (such as Sectigo, DigiCert, or GlobalSign), or you need to install a wildcard or EV certificate, you can install it manually via cPanel.
What you will need
Your SSL provider will give you the following files once your certificate is issued. Have these ready before starting:
- Certificate (CRT) - your SSL certificate file
- Private key (KEY) - generated when you created your CSR
- CA Bundle / Intermediate certificate - provided by your SSL issuer to complete the chain of trust
Generating a CSR (if you have not already)
If your SSL provider requires a Certificate Signing Request, generate one in cPanel first:
- In cPanel, go to Security → SSL/TLS.
- Click Certificate Signing Requests (CSR).
- Fill in the form with your domain name and organisation details. The most important field is Domains, enter your domain exactly as it should be secured (e.g.
yourdomain.com). - Click Generate. Copy the CSR text that appears and submit it to your SSL provider.
Installing the certificate
- In cPanel, go to Security → SSL/TLS.
- Click Install and Manage SSL for your site (HTTPS).
- Select your domain from the dropdown.
- Paste your certificate into the Certificate (CRT) field.
- Paste your private key into the Private Key (KEY) field. If cPanel does not auto-populate this, you will find the key under SSL/TLS → Private Keys.
- Paste your CA Bundle into the Certificate Authority Bundle (CABUNDLE) field.
- Click Install Certificate.
The certificate will be active immediately. Verify it is working by visiting https://yourdomain.com and checking for the padlock in the browser address bar.
Forcing HTTPS on your site
Once SSL is installed, visitors who type your domain without https:// may still land on the HTTP version. To redirect all traffic to HTTPS automatically, add the following to your .htaccess file in your public_html folder:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]For WordPress sites, you can also enable this via Settings → General in the WordPress dashboard by changing both the WordPress Address and Site Address to use https://.
Mixed content warnings
After enabling HTTPS, your browser may show a warning or broken padlock even though SSL is installed. This is usually caused by mixed content, some resources on the page (images, scripts, stylesheets) are still being loaded over HTTP rather than HTTPS.
For WordPress sites, the Better Search Replace plugin can update all HTTP references in your database to HTTPS in a few clicks. For non-WordPress sites, search your HTML and CSS files for http://yourdomain.com references and update them to https://.
SSL certificate renewal
AutoSSL certificates renew automatically every 90 days, no action is required from you. If you have a paid certificate, your SSL provider will email you before expiry. You can then install the renewed certificate following the same steps in Method 2 above.
