Skip to main content

Custom SSL Certificates and Troubleshooting

While FREAKHOSTING provides free SSL certificates through Let’s Encrypt for every website, some organizations require a certificate from a specific certificate authority for compliance, extended validation (EV), organization validation (OV), or wildcard coverage. The Web Hosting Control Panel at web.freakhosting.com allows you to install these custom certificates and manage them alongside your free certificates. This guide walks you through installing custom SSL certificates step by step (with real examples of what goes in each field), renewing them manually, and troubleshooting the most common SSL issues you are likely to run into.

Difficulty

Intermediate

Time

10 Minutes
If you are looking for general SSL management, Force HTTPS settings, or information about the free Let’s Encrypt certificates, see our core guide: How to Manage SSL Certificates and HTTPS.

When You Need a Custom SSL Certificate

The free Let’s Encrypt certificates are ideal for most websites, but there are situations where a custom certificate from a third-party authority is the better choice:

Extended Validation (EV)

EV certificates display your organization’s verified name in browser security indicators. This is often required by financial institutions, e-commerce platforms, and enterprise businesses to build maximum visitor trust.

Organization Validation (OV)

OV certificates verify your organization’s identity and are commonly required for corporate websites, government portals, and applications that handle sensitive business data.

Wildcard Certificates

A wildcard certificate secures your main domain and all its subdomains with a single certificate (for example, *.yourdomain.com covers shop.yourdomain.com, blog.yourdomain.com, api.yourdomain.com, and any other subdomain). This is useful when you manage many subdomains and want simplified certificate management.

Compliance Requirements

Some industries, auditors, or payment processors require certificates from specific certificate authorities (such as DigiCert, Comodo, or Sectigo) rather than free automated providers. If your auditor says “you need a certificate from an approved CA,” this is the path to take.

Installing a Custom SSL Certificate

1

Obtain Your Certificate Files

Purchase or generate an SSL certificate from your preferred certificate authority. After they validate your domain (and optionally your organization), you will receive three pieces of information that you need to install the certificate:
FileWhat It IsWhat It Looks Like
Certificate (CRT)The main SSL certificate issued for your domain. Your CA provides this as a .crt or .pem file.Starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. A block of base64-encoded text in between.
Private Key (KEY)The secret key generated when you created your Certificate Signing Request (CSR). This must match the certificate exactly.Starts with -----BEGIN PRIVATE KEY----- (or -----BEGIN RSA PRIVATE KEY-----) and ends with the corresponding END line.
Certificate Chain / CA BundleThe intermediate and root certificates from your CA. This lets browsers verify the full trust chain from your certificate back to a trusted root authority.One or more certificate blocks stacked together, each with their own BEGIN and END lines.
Keep your private key file secure and never share it publicly. Anyone with access to your private key can impersonate your website’s SSL certificate. If you think your private key has been compromised, revoke the certificate with your CA immediately and generate a new one.
2

Log In to the Control Panel

Open your browser and go to web.freakhosting.com. Log in with your credentials to access the Web Hosting Control Panel dashboard.
3

Select Your Website and Open the Security Tab

From the dashboard, click on the website you want to install the custom certificate on. Then click the Security tab in the top navigation bar. You will see the SSL certificates page with the heading “Security” and the SSL certificates section in the left sidebar.
4

Click Install Custom SSL

Click the Install custom SSL button located near the top of the SSL certificates section. This opens the custom certificate installation form with fields for each piece of your certificate.
5

Paste Your Certificate Details Into Each Field

The installation form has three fields. Here is exactly what to paste into each one:Certificate (CRT) field — Open your .crt file in a text editor and copy everything, including the header and footer lines:
-----BEGIN CERTIFICATE-----
MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQEL
BQAwTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5
... (your certificate data) ...
-----END CERTIFICATE-----
Private Key (KEY) field — Open your .key file and copy everything:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7o4qne60TB3pq
... (your private key data) ...
-----END PRIVATE KEY-----
Certificate Chain / CA Bundle field — Open your CA bundle file and copy all certificate blocks. If your provider gave you separate intermediate and root files, paste them in order with the intermediate first and the root last:
-----BEGIN CERTIFICATE-----
(intermediate certificate data)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root certificate data)
-----END CERTIFICATE-----
Make sure you copy the entire contents of each file, including the -----BEGIN and -----END lines. A common mistake is accidentally leaving out the first or last line when copying. If any of those header/footer lines are missing, the installation will fail.
6

Save and Install

Review the information you entered, then click the button to install the certificate. The control panel will validate that the private key matches the certificate and that the chain is complete. If everything checks out, your custom certificate is applied to your domain immediately.
Make sure the private key matches the certificate you are installing. If the private key does not correspond to the certificate (for example, if you generated a new CSR but are using an old key), the installation will fail with a validation error. Your certificate authority’s documentation will explain how to correctly generate and pair these files.
Custom SSL certificates will appear in the SSL certificates table alongside your Let’s Encrypt certificates. The Certificate column will show the name of the issuing authority (such as DigiCert or Sectigo) instead of Let’s Encrypt, making it easy to tell them apart.

Manual Renewal for Custom Certificates

Custom SSL certificates from third-party providers are not renewed automatically by the hosting system. You are responsible for renewing them before they expire. The expiry date is displayed on the Security tab in the SSL certificates table. When a custom certificate expires, the status badge changes from green Active to red Expired, and your visitors will start seeing browser security warnings.
1

Renew with Your Certificate Authority

Log in to your certificate provider’s website (DigiCert, Comodo, Sectigo, etc.) and renew or reissue your SSL certificate. Do this before the expiry date shown on the Security tab. Most providers allow you to renew up to 30 days early without losing any remaining time.
2

Download the New Certificate Files

After renewal, download the new certificate file (CRT), private key (if you regenerated the CSR), and certificate chain (CA bundle) from your provider.
3

Install the Renewed Certificate

Go to the Security tab in the control panel and click Install custom SSL. Paste the new certificate details into the same three fields (CRT, KEY, CA Bundle) and save. The new certificate replaces the expiring one.
Set a calendar reminder for two weeks before your custom certificate’s expiry date. This gives you plenty of time to complete the renewal process and avoid any interruption to your website’s HTTPS connection. Waiting until the last day is risky because CA validation can sometimes take a few business days.

Troubleshooting Common SSL Issues

This is the most alarming SSL error your visitors can encounter. Chrome displays a full-page warning with a red triangle and the message “Your connection is not private,” along with the error code NET::ERR_CERT_DATE_INVALID or similar. Here is what causes it and what to do:
  • Expired certificate: Check the Security tab. If you see a red Expired badge, your certificate has passed its expiry date. For Let’s Encrypt, verify your DNS is still pointed at FREAKHOSTING and wait for automatic re-issuance. For custom certificates, renew with your CA and reinstall.
  • Certificate not yet issued: If you just added a domain, the Let’s Encrypt certificate may still be provisioning. Wait 15 to 30 minutes and check again.
  • Wrong domain: The certificate might cover yourdomain.com but not www.yourdomain.com (or vice versa). Make sure both domain variations are added under the Domains tab so each gets its own certificate.
  • Clock issues: Rarely, a visitor’s computer clock is set to the wrong date, which makes valid certificates appear expired. This is on the visitor’s end, not yours.
The most common reason for this is that your domain’s DNS is not pointed to the FREAKHOSTING nameservers. Let’s Encrypt needs to verify domain ownership through DNS, and this only works when your domain is using the correct nameservers.What to check:
  1. Log in to your domain registrar (where you bought the domain) and verify that your nameservers are set to the ones provided by FREAKHOSTING.
  2. Make sure there are no conflicting DNS records (like a CNAME or A record pointing elsewhere).
  3. After updating your DNS, allow up to 24 hours for propagation.
  4. Check the Security tab again. The certificate should appear with a green Active badge once DNS resolves correctly.
If a Let’s Encrypt certificate shows the red Expired badge, automatic renewal has failed. This typically happens when:
  • DNS records have been changed and the domain is no longer pointing to your FREAKHOSTING hosting.
  • The domain was temporarily pointed to another service (like a staging server or CDN) and was not pointed back in time.
  • There was a temporary DNS resolution issue.
Fix: Verify your DNS settings and make sure your domain resolves to your FREAKHOSTING server. Once DNS is correct, the system will automatically attempt to issue a new certificate. If the issue persists after 24 hours, contact our support team.If a custom certificate shows as Expired, you need to renew with your certificate authority and reinstall the new certificate using the installation steps above. There is no automatic renewal for custom certificates.
This usually indicates a mixed content issue. Your website loads over HTTPS, but some resources on the page (like images, scripts, or stylesheets) are still being pulled over plain HTTP. Browsers downgrade the security indicator because the page is not fully encrypted.How to find and fix mixed content:
  1. Open your website in Chrome and press F12 to open Developer Tools.
  2. Click the Console tab. Mixed content warnings will appear as yellow or red messages showing exactly which URLs are loading over HTTP.
  3. Update those resource URLs in your website’s code or CMS settings to use https:// instead of http://. Often it is as simple as changing http://yourdomain.com/images/logo.png to https://yourdomain.com/images/logo.png.
  4. In WordPress, you can use a plugin like Really Simple SSL to automatically detect and fix mixed content issues across your entire site.
Try these steps in order:
  1. Clear your browser cache and try again. Browsers aggressively cache redirects, and you might be seeing a stale response.
  2. Test in a private/incognito window to rule out caching entirely.
  3. Check the certificate status on the Security tab. The Force HTTPS redirect cannot work properly without a valid, active certificate. If the badge is red, fix the certificate first.
  4. Verify you enabled Force HTTPS for the correct domain. If you have both yourdomain.com and www.yourdomain.com in the table, make sure the toggle is enabled on the specific domain your visitors are accessing.
Double-check the following common causes:
  • Private key mismatch: The private key must be the exact one that was generated along with the Certificate Signing Request (CSR) for that specific certificate. If you generated a new CSR during renewal, you need the new private key that came with it, not the old one.
  • Missing certificate chain: Make sure you are pasting the full CA bundle (intermediate certificates) from your certificate authority into the Certificate Chain field. Missing chain certificates will cause a validation error. Your CA’s download page usually provides the bundle as a separate file.
  • Incomplete copy/paste: A very common mistake is accidentally cutting off the -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- lines when copying. Make sure each field includes the full contents with all header and footer lines.
  • Wrong file format: The control panel expects PEM-encoded certificates (the text-based format with BEGIN/END headers). If your CA provided a binary DER format (.der or .cer), you will need to convert it to PEM first. Your CA’s documentation will have conversion instructions, or you can use an online PEM converter.
  • Expired certificate: Double-check that the certificate you are trying to install has not already expired. Check the validity dates in your certificate files before pasting them in.
This happens because yourdomain.com and www.yourdomain.com are treated as separate domains, and each needs its own SSL certificate entry.For Let’s Encrypt (free) certificates:
  1. Go to the Domains tab for your website in the control panel.
  2. Make sure both yourdomain.com and www.yourdomain.com are listed as domains.
  3. If one is missing, add it. A Let’s Encrypt certificate will be automatically provisioned for the new domain within a few minutes.
  4. Check the Security tab to confirm both domains show a green Active badge.
For custom certificates: Make sure your certificate covers both domain variations. If you purchased a certificate only for yourdomain.com, it will not work for www.yourdomain.com. You can either purchase a certificate that includes both names as Subject Alternative Names (SANs), or use a wildcard certificate (*.yourdomain.com) which covers all subdomains including www.
This error usually means the browser and server could not agree on how to establish a secure connection. Common causes include:
  • Certificate not yet fully installed: If you just installed or renewed a certificate, wait a few minutes for the change to propagate across the server.
  • Incorrect certificate chain order: Some servers are particular about the order of certificates in the CA bundle. Try arranging them with your domain certificate first, intermediate certificates next, and root certificate last.
  • Browser or network issue: Try a different browser or device. Corporate firewalls and antivirus programs sometimes interfere with SSL connections.
If the error persists after checking these items, contact our support team with the exact error message and the domain affected.

Need Extra Help?

If you encounter any issues, our support team is ready to assist:

Save on Your Hosting

Ready to launch your website? Use code KB20 at checkout for 20% off your first month!
Last Updated: March 2026 | Web Hosting Support: Custom SSL certificates and troubleshooting made simple.