# How to Install Custom SSL & Troubleshoot Issues

> Install third-party SSL certificates and troubleshoot common HTTPS issues like mixed content and chain errors in the FREAKHOSTING Web Hosting Control Panel.

## Custom SSL Certificates and Troubleshooting

While FREAKHOSTING provides **free SSL certificates** through Let's Encrypt for every website, some organizations require a certificate from a specific certificate authority for compliance, extended validation (EV), organization validation (OV), or wildcard coverage. The Web Hosting Control Panel at [web.freakhosting.com](https://web.freakhosting.com) allows you to install these custom certificates and manage them alongside your free certificates.

This guide walks you through installing custom SSL certificates step by step (with real examples of what goes in each field), renewing them manually, and troubleshooting the most common SSL issues you are likely to run into.

<CardGroup cols={2}>
  <Card title="Difficulty" icon="gauge">
    Intermediate
  </Card>

  <Card title="Time" icon="clock">
    10 Minutes
  </Card>
</CardGroup>

<Info>
  If you are looking for general SSL management, Force HTTPS settings, or information about the free Let's Encrypt certificates, see our core guide: [How to Manage SSL Certificates and HTTPS](/portals/web-panel/how-to-manage-ssl-certificates-and-https).
</Info>

***

## When You Need a Custom SSL Certificate

The free Let's Encrypt certificates are ideal for most websites, but there are situations where a custom certificate from a third-party authority is the better choice:

<CardGroup cols={2}>
  <Card title="Extended Validation (EV)" icon="building">
    EV certificates display your organization's verified name in browser security indicators. This is often required by financial institutions, e-commerce platforms, and enterprise businesses to build maximum visitor trust.
  </Card>

  <Card title="Organization Validation (OV)" icon="id-badge">
    OV certificates verify your organization's identity and are commonly required for corporate websites, government portals, and applications that handle sensitive business data.
  </Card>

  <Card title="Wildcard Certificates" icon="asterisk">
    A wildcard certificate secures your main domain and all its subdomains with a single certificate (for example, `*.yourdomain.com` covers `shop.yourdomain.com`, `blog.yourdomain.com`, `api.yourdomain.com`, and any other subdomain). This is useful when you manage many subdomains and want simplified certificate management.
  </Card>

  <Card title="Compliance Requirements" icon="clipboard-check">
    Some industries, auditors, or payment processors require certificates from specific certificate authorities (such as DigiCert, Comodo, or Sectigo) rather than free automated providers. If your auditor says "you need a certificate from an approved CA," this is the path to take.
  </Card>
</CardGroup>

***

## Installing a Custom SSL Certificate

<Steps>
  <Step title="Obtain Your Certificate Files">
    Purchase or generate an SSL certificate from your preferred certificate authority. After they validate your domain (and optionally your organization), you will have the three pieces of information needed to install the certificate:

    | File                              | What It Is                                                                                                                                                  | What It Looks Like                                                                                                              |
    | --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
    | **Certificate (CRT)**             | The main SSL certificate issued for your domain. Your CA provides this as a `.crt` or `.pem` file.                                                          | Starts with `-----BEGIN CERTIFICATE-----` and ends with `-----END CERTIFICATE-----`. A block of base64-encoded text in between. |
    | **Private Key (KEY)**             | The secret key generated when you created your Certificate Signing Request (CSR). This must match the certificate exactly.                                  | Starts with `-----BEGIN PRIVATE KEY-----` (or `-----BEGIN RSA PRIVATE KEY-----`) and ends with the corresponding `END` line.    |
    | **Certificate Chain / CA Bundle** | The intermediate and root certificates from your CA. This lets browsers verify the full trust chain from your certificate back to a trusted root authority. | One or more certificate blocks stacked together, each with their own `BEGIN` and `END` lines.                                   |

    <Warning>
      Keep your private key file secure and never share it publicly. Anyone with access to your private key can impersonate your website. If you think your private key has been compromised, revoke the certificate with your CA immediately and generate a new one.
    </Warning>
  </Step>

  <Step title="Log In to the Control Panel">
    Open your browser and go to [web.freakhosting.com](https://web.freakhosting.com). Log in with your credentials to access the Web Hosting Control Panel dashboard.
  </Step>

  <Step title="Select Your Website and Open the Security Tab">
    From the dashboard, click on the website you want to install the custom certificate on. Then click the **Security** tab in the top navigation bar. You will see the SSL certificates page with the heading "Security" and the **SSL certificates** section in the left sidebar.
  </Step>

  <Step title="Click Install Custom SSL">
    Click the **Install custom SSL** button located near the top of the SSL certificates section. This opens the custom certificate installation form with fields for each piece of your certificate.
  </Step>

  <Step title="Paste Your Certificate Details Into Each Field">
    The installation form has three fields. Here is exactly what to paste into each one:

    **Certificate (CRT) field** -- Open your `.crt` file in a text editor and copy everything, including the header and footer lines:

    ```
    -----BEGIN CERTIFICATE-----
    MIIFjTCCA3WgAwIBAgIRANOxciY0IzLc9AUoUSrsnGowDQYJKoZIhvcNAQEL
    BQAwTzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5
    ... (your certificate data) ...
    -----END CERTIFICATE-----
    ```

    **Private Key (KEY) field** -- Open your `.key` file and copy everything:

    ```
    -----BEGIN PRIVATE KEY-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7o4qne60TB3pq
    ... (your private key data) ...
    -----END PRIVATE KEY-----
    ```

    **Certificate Chain / CA Bundle field** -- Open your CA bundle file and copy all certificate blocks. If your provider gave you separate intermediate and root files, paste them in order with the intermediate first and the root last:

    ```
    -----BEGIN CERTIFICATE-----
    (intermediate certificate data)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (root certificate data)
    -----END CERTIFICATE-----
    ```

    <Tip>
      Make sure you copy the **entire** contents of each file, including the `-----BEGIN` and `-----END` lines. A common mistake is accidentally leaving out the first or last line when copying. If any of those header/footer lines are missing, the installation will fail.
    </Tip>
  </Step>

  <Step title="Save and Install">
    Review the information you entered, then click the button to install the certificate. The control panel will validate that the private key matches the certificate and that the chain is complete. If everything checks out, your custom certificate is applied to your domain immediately.
  </Step>
</Steps>

<Note>
  Make sure the private key matches the certificate you are installing. If the private key does not correspond to the certificate (for example, if you generated a new CSR but are using an old key), the installation will fail with a validation error. Your certificate authority's documentation will explain how to correctly generate and pair these files.
</Note>
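
A local pre-flight check for the three fields before you paste them into the panel, as an added example (not FREAKHOSTING's code and not the panel's own validation): `lint_field` catches the cut-off `BEGIN`/`END` lines and wrong-field mistakes described above, and `key_matches_cert` uses Python's `ssl` module to confirm the key belongs to the certificate. The field keys `crt`, `key` and `chain` and both function names are this example's own.

```python
import base64
import re
import ssl
import tempfile
from pathlib import Path

# PEM labels accepted in each form field (the field keys are this example's own names).
EXPECTED = {"crt": {"CERTIFICATE"}, "chain": {"CERTIFICATE"},
            "key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}}
MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def lint_field(field, text):
    """Return the problems found in the text pasted into one field."""
    problems, label, body, blocks = [], None, [], 0
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        problems.append("no BEGIN line at the top (cut-off paste or binary DER file?)")
    for ln in lines:
        m = MARKER.match(ln)
        if m and m.group(1) == "BEGIN":
            if label:
                problems.append(f"BEGIN {label} has no END line")
            label, body = m.group(2), []
        elif m:
            if label != m.group(2):
                problems.append(f"END {m.group(2)} has no matching BEGIN line")
            else:
                blocks += 1
                if label not in EXPECTED[field]:
                    problems.append(f"{label} block does not belong in the {field} field")
                try:
                    base64.b64decode("".join(body), validate=True)
                except ValueError:  # binascii.Error is a ValueError
                    problems.append(f"{label} block is not valid base64")
            label = None
        elif label and ":" not in ln:  # skip "Proc-Type:"-style header lines
            body.append(ln)
    if label:
        problems.append(f"BEGIN {label} has no END line")
    if field != "chain" and blocks > 1:
        problems.append(f"expected one block, found {blocks}")
    return problems

def key_matches_cert(cert_pem, key_pem):
    """True only if OpenSSL loads the pair; a mismatched key or unparsable PEM gives False."""
    with tempfile.TemporaryDirectory() as d:  # mkdtemp makes an owner-only directory
        crt, key = Path(d, "site.crt"), Path(d, "site.key")
        crt.write_text(cert_pem)
        key.write_text(key_pem)
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(str(crt), str(key))
        except ssl.SSLError:
            return False
    return True

if __name__ == "__main__":
    # Constructed input: placeholder bytes, END line lost while copying.
    body = base64.b64encode(b"placeholder, not a real certificate").decode()
    print(lint_field("crt", f"-----BEGIN CERTIFICATE-----\n{body}\n"))
```

These checks cover framing and key pairing only; they do not look at expiry dates or whether the chain leads to a trusted root.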

<Info>
  Custom SSL certificates will appear in the SSL certificates table alongside your Let's Encrypt certificates. The **Certificate** column will show the name of the issuing authority (such as DigiCert or Sectigo) instead of Let's Encrypt, making it easy to tell them apart.
</Info>

***

## Manual Renewal for Custom Certificates

Custom SSL certificates from third-party providers are **not renewed automatically** by the hosting system. You are responsible for renewing them before they expire. The expiry date is displayed on the **Security** tab in the SSL certificates table. When a custom certificate expires, the status badge changes from green **Active** to red **Expired**, and your visitors will start seeing browser security warnings.

<Steps>
  <Step title="Renew with Your Certificate Authority">
    Log in to your certificate provider's website (DigiCert, Comodo, Sectigo, etc.) and renew or reissue your SSL certificate. Do this **before** the expiry date shown on the Security tab. Most providers allow you to renew up to 30 days early without losing any remaining time.
  </Step>

  <Step title="Download the New Certificate Files">
    After renewal, download the new certificate file (CRT), private key (if you regenerated the CSR), and certificate chain (CA bundle) from your provider.
  </Step>

  <Step title="Install the Renewed Certificate">
    Go to the **Security** tab in the control panel and click **Install custom SSL**. Paste the new certificate details into the same three fields (CRT, KEY, CA Bundle) and save. The new certificate replaces the expiring one.
  </Step>
</Steps>

<Tip>
  Set a calendar reminder for **two weeks before** your custom certificate's expiry date. This gives you plenty of time to complete the renewal process and avoid any interruption to your website's HTTPS connection. Waiting until the last day is risky because CA validation can sometimes take a few business days.
</Tip>

***

## Troubleshooting Common SSL Issues

<AccordionGroup>
  <Accordion title="Visitors see 'Your connection is not private' in Chrome">
    This is the most alarming SSL error your visitors can encounter. Chrome displays a full-page warning with a red triangle and the message "Your connection is not private," along with the error code `NET::ERR_CERT_DATE_INVALID` or similar. Here is what causes it and what to do:

    * **Expired certificate:** Check the Security tab. If you see a red **Expired** badge, your certificate has passed its expiry date. For Let's Encrypt, verify your DNS is still pointed at FREAKHOSTING and wait for automatic re-issuance. For custom certificates, renew with your CA and reinstall.
    * **Certificate not yet issued:** If you just added a domain, the Let's Encrypt certificate may still be provisioning. Wait 15 to 30 minutes and check again.
    * **Wrong domain:** The certificate might cover `yourdomain.com` but not `www.yourdomain.com` (or vice versa). Make sure both domain variations are added under the Domains tab so each gets its own certificate.
    * **Clock issues:** Rarely, a visitor's computer clock is set to the wrong date, which makes valid certificates appear expired. This is on the visitor's end, not yours.
  </Accordion>

  <Accordion title="SSL certificate was not issued automatically">
    The most common reason for this is that your domain's DNS is not pointed to the FREAKHOSTING nameservers. Let's Encrypt needs to verify domain ownership through DNS, and this only works when your domain is using the correct nameservers.

    **What to check:**

    1. Log in to your domain registrar (where you bought the domain) and verify that your nameservers are set to the ones provided by FREAKHOSTING.
    2. Make sure there are no conflicting DNS records (like a CNAME or A record pointing elsewhere).
    3. After updating your DNS, allow up to 24 hours for propagation.
    4. Check the Security tab again. The certificate should appear with a green Active badge once DNS resolves correctly.
  </Accordion>

  <Accordion title="My SSL certificate shows as Expired (red badge)">
    If a **Let's Encrypt** certificate shows the red Expired badge, automatic renewal has failed. This typically happens when:

    * DNS records have been changed and the domain is no longer pointing to your FREAKHOSTING hosting.
    * The domain was temporarily pointed to another service (like a staging server or CDN) and was not pointed back in time.
    * There was a temporary DNS resolution issue.

    **Fix:** Verify your DNS settings and make sure your domain resolves to your FREAKHOSTING server. Once DNS is correct, the system will automatically attempt to issue a new certificate. If the issue persists after 24 hours, contact our support team.

    If a **custom certificate** shows as Expired, you need to renew with your certificate authority and reinstall the new certificate using the installation steps above. There is no automatic renewal for custom certificates.
  </Accordion>

  <Accordion title="Browser shows 'Not Secure' warning despite having an Active SSL">
    This usually indicates a **mixed content** issue. Your website loads over HTTPS, but some resources on the page (like images, scripts, or stylesheets) are still being pulled over plain HTTP. Browsers downgrade the security indicator because the page is not fully encrypted.

    **How to find and fix mixed content:**

    1. Open your website in Chrome and press `F12` to open Developer Tools.
    2. Click the **Console** tab. Mixed content warnings will appear as yellow or red messages showing exactly which URLs are loading over HTTP.
    3. Update those resource URLs in your website's code or CMS settings to use `https://` instead of `http://`. Often it is as simple as changing `http://yourdomain.com/images/logo.png` to `https://yourdomain.com/images/logo.png`.
    4. In WordPress, you can use a plugin like Really Simple SSL to automatically detect and fix mixed content issues across your entire site.
  </Accordion>

  <Accordion title="Force HTTPS is enabled but site still loads over HTTP">
    Try these steps in order:

    1. **Clear your browser cache** and try again. Browsers aggressively cache redirects, and you might be seeing a stale response.
    2. **Test in a private/incognito window** to rule out caching entirely.
    3. **Check the certificate status** on the Security tab. The Force HTTPS redirect cannot work properly without a valid, active certificate. If the badge is red, fix the certificate first.
    4. **Verify you enabled Force HTTPS for the correct domain.** If you have both `yourdomain.com` and `www.yourdomain.com` in the table, make sure the toggle is enabled on the specific domain your visitors are accessing.
  </Accordion>

  <Accordion title="Custom SSL installation fails with a validation error">
    Double-check the following common causes:

    * **Private key mismatch:** The private key must be the exact one that was generated along with the Certificate Signing Request (CSR) for that specific certificate. If you generated a new CSR during renewal, you need the new private key that came with it, not the old one.
    * **Missing certificate chain:** Make sure you are pasting the full CA bundle (intermediate certificates) from your certificate authority into the Certificate Chain field. Missing chain certificates will cause a validation error. Your CA's download page usually provides the bundle as a separate file.
    * **Incomplete copy/paste:** A very common mistake is accidentally cutting off the `-----BEGIN CERTIFICATE-----` or `-----END CERTIFICATE-----` lines when copying. Make sure each field includes the full contents with all header and footer lines.
    * **Wrong file format:** The control panel expects PEM-encoded certificates (the text-based format with BEGIN/END headers). If your CA provided a binary DER format (`.der` or `.cer`), you will need to convert it to PEM first. Your CA's documentation will have conversion instructions, or you can use an online PEM converter for the certificate file (never upload your private key to one).
    * **Expired certificate:** Double-check that the certificate you are trying to install has not already expired. Check the validity dates in your certificate files before pasting them in.
  </Accordion>

  <Accordion title="SSL works on the main domain but not on www (or vice versa)">
    This happens because `yourdomain.com` and `www.yourdomain.com` are treated as separate domains, and each needs its own SSL certificate entry.

    **For Let's Encrypt (free) certificates:**

    1. Go to the **Domains** tab for your website in the control panel.
    2. Make sure both `yourdomain.com` and `www.yourdomain.com` are listed as domains.
    3. If one is missing, add it. A Let's Encrypt certificate will be automatically provisioned for the new domain within a few minutes.
    4. Check the Security tab to confirm both domains show a green Active badge.

    **For custom certificates:**
    Make sure your certificate covers both domain variations. If you purchased a certificate only for `yourdomain.com`, it will not work for `www.yourdomain.com`. You can either purchase a certificate that includes both names as Subject Alternative Names (SANs), or use a wildcard certificate (`*.yourdomain.com`) which covers all subdomains including `www`.
  </Accordion>

  <Accordion title="I see 'ERR_SSL_PROTOCOL_ERROR' or 'SSL handshake failed'">
    This error usually means the browser and server could not agree on how to establish a secure connection. Common causes include:

    * **Certificate not yet fully installed:** If you just installed or renewed a certificate, wait a few minutes for the change to propagate across the server.
    * **Incorrect certificate chain order:** Some servers are particular about the order of certificates in the CA bundle. Try arranging them with your domain certificate first, intermediate certificates next, and root certificate last.
    * **Browser or network issue:** Try a different browser or device. Corporate firewalls and antivirus programs sometimes interfere with SSL connections.

    If the error persists after checking these items, contact our support team with the exact error message and the domain affected.
  </Accordion>
</AccordionGroup>
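
For the mixed content case above, a scanner that lists the `http://` subresources in a page's HTML without opening Developer Tools, as an added example (not part of the original guide). It separates active content (scripts, stylesheets, frames), which browsers block, from passive media; `SAMPLE` is a constructed page and all names are this example's own.

```python
from html.parser import HTMLParser

# Attribute that carries the subresource URL, grouped by how browsers treat it.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    """Collect subresources that a page served over HTTPS would load over HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            url, kind = attrs.get(ACTIVE[tag]), "active"
        elif tag in PASSIVE:
            url, kind = attrs.get(PASSIVE[tag]), "passive"
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            url, kind = attrs.get("href"), "active"
        else:
            return  # <a href> and other navigation links are not mixed content
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, kind, url.strip()))


def find_mixed_content(html):
    """Return (line, tag, kind, url) for every http:// subresource in the HTML."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, not taken from any real site.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://yourdomain.com/css/site.css">
<script src="https://yourdomain.com/js/app.js"></script>
</head><body>
<a href="http://example.com/">plain link, not a subresource</a>
<img src="http://yourdomain.com/images/logo.png">
<script src="HTTP://cdn.example.com/lib.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE):
        print(f"line {line}: <{tag}> {kind} mixed content: {url}")
```

Run it against the saved HTML of each page template; URLs built at runtime by JavaScript or set in CSS files will only show up in the browser console.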

***

<Note>
  ### Need Extra Help?

  If you encounter any issues, our support team is ready to assist:

  * **Live Chat:** Quick assistance via our website.
  * **Support Ticket:** [Open a Ticket](https://freakhosting.com/clientarea/submitticket.php)
  * **Discord:** [Join our Community](https://discord.gg/freakhosting)
  * **Email:** [support@freakhosting.com](mailto:support@freakhosting.com)
</Note>

***

<div align="center">
  **Last Updated:** March 2026 | **Web Hosting Support:** Custom SSL certificates and troubleshooting made simple.
</div>
