This guide walks you through every step of using the Trustico® CaaS cPanel plugin to retrieve and install your SSL Certificate. Whether you are securing a single website or a Wildcard SSL Certificate covering all your subdomains, this guide covers the complete process along with answers to common questions and troubleshooting advice. Learn About The Trustico® CaaS cPanel Plugin 🔗
Before You Begin
Before using the plugin, make sure you have the following. An active Trustico® SSL Certificate order that supports Certificate as a Service (CaaS). The EAB Key ID and EAB HMAC Key provided with your order confirmation e-mail. Access to cPanel on your hosting server with the Trustico® CaaS plugin installed by your hosting provider. Discover How to Obtain Your CaaS Credentials 🔗
Selecting Your Virtual Host
After opening the plugin from the "Security" section in cPanel, you will see a dropdown labeled "Select Your Virtual Host." A virtual host is the primary hosted domain on your cPanel account. If you have multiple websites hosted on the same cPanel account, each one appears as a separate virtual host in the dropdown.
Select the virtual host you would like to secure. Three sections will appear below the dropdown showing the current SSL Certificate coverage for your selected virtual host : the Virtual Host table, the Website Domains table, and the Service Domains table.
Understanding the Coverage Tables
The plugin displays your SSL Certificate coverage using the same method cPanel uses on its own SSL/TLS Status page. Each domain name is checked against the installed SSL Certificate's Subject Alternative Names (SANs) to determine whether it is covered.
Virtual Host Table
The Virtual Host table shows the SSL Certificate currently installed on your hosted domain. It displays the SSL Certificate issuer, the expiry date with days remaining, and the overall status. If no SSL Certificate is installed, you will see "No SSL" in amber, letting you know that your website does not currently have an SSL Certificate.
Website Domains Table
The Website Domains table shows the domain names your visitors use to access your website. Each row has a checkbox allowing you to select which domain names to include on your new SSL Certificate. The Status column shows "Active" in green if the domain name is covered by the currently installed SSL Certificate, or "Inactive" in gray if it is not.
Most customers secure their website with both the root domain (example.com) and the www version (www.example.com). If your SSL Certificate license includes a Wildcard, you will also see a *.example.com entry which covers all subdomains.
Service Domains Table
The Service Domains table shows cPanel service subdomains such as cpanel.example.com, webmail.example.com, and webdisk.example.com. These are used by cPanel services rather than your website visitors. Service Domains are automatically secured when your SSL Certificate includes a Wildcard SAN or an explicit domain name covering them. You can select these if your license covers them.
Completing the Form
After selecting the domain names to include on your SSL Certificate, scroll down to the "Retrieve SSL Certificate" form and complete each field.
SSL Certificate Type
Select the SSL Certificate type that matches your Trustico® order. Four options are available : Trustico® DV SSL Certificate, Trustico® OV SSL Certificate, Sectigo DV SSL Certificate, and Sectigo OV SSL Certificate. Your EAB credentials are associated with the specific type you purchased. Selecting the wrong type will result in a registration error, so make sure the selection matches your order.
Validation Method
The Validation Method defaults to "Automatic (Recommended)" which uses HTTP-01 for standard domains and DNS-01 for Wildcard domains. You generally do not need to change this setting. If you check a Wildcard domain name in the Website Domains table, the dropdown automatically switches to "DNS-01 for All Domains" and becomes locked. A tooltip explains that Wildcard SSL Certificates require DNS-01 validation.
Choose "DNS-01 for All Domains" manually if HTTP validation is blocked by a firewall, CDN, or proxy service. DNS-01 validation works by creating temporary Domain Name System (DNS) TXT records and does not require your website to be accessible from the internet.
Processing Timeout
The Processing Timeout dropdown appears when DNS-01 validation is active. It defaults to one hour, which is sufficient for most Domain Name System (DNS) providers. DNS-01 validation requires DNS record propagation, which can take several hours in some cases. If your DNS provider is particularly slow, you can increase the timeout up to 24 hours. You can close the page during processing and return later to check the result.
EAB Credentials
Enter the EAB Key ID provided with your Trustico® order in the first credential field. This identifier links your SSL Certificate request to your purchase. Enter the EAB HMAC Key in the second field. This is a secret key that authenticates your request and should be kept confidential. The HMAC Key field is masked for security.
Submitting Your Request
Click the "Retrieve SSL Certificate" button to begin the process. The plugin validates your selections, verifies domain ownership, and starts the SSL Certificate issuance in the background. The form is replaced by the SSL Certificate Request Status section showing the progress of your request.
Monitoring Your Request
After submitting, the SSL Certificate Request Status section shows a pulsing indicator with the current step and an elapsed time counter. For HTTP-01 validation, the process typically completes in under a minute. DNS-01 validation may take several minutes or longer depending on Domain Name System (DNS) propagation.
You can close the page at any time during processing. When you return to the plugin page, it automatically detects the active request and resumes showing the progress. You can also use the Abort button to cancel an active request if needed.
When the request completes successfully, you will see a green "Complete" status with the message "SSL Certificate Installed - Automatic Reissue Management Configured." The coverage tables refresh automatically to show the updated SSL Certificate status for all domain names. Click the Dismiss button to clear the completed status.
If the request fails, the status section shows the error and a Dismiss button. You can click Show Details in the Request Details section below to view the technical log, which includes the specific error message from the Certificate Authority (CA). This information is useful for diagnosing the problem.
After Installation
Once your SSL Certificate is installed, your website immediately begins serving HTTPS. The plugin configures automatic reissue so the SSL Certificate is renewed before it expires without any action on your part.
You can return to the plugin at any time to view the current SSL Certificate status for your virtual host. The coverage tables show which domain names are secured by the installed SSL Certificate's SANs. If you need to change the domain names covered by your SSL Certificate (for example, adding the www version), you can submit a new request with the desired domain names selected.
It is important to understand that submitting a new request replaces the existing SSL Certificate on the virtual host. All domain names on the virtual host will use the new SSL Certificate. Domain names that are not included in the new SSL Certificate's SANs will show as "Inactive" in the coverage tables.
Troubleshooting
If you encounter an issue, the following guidance covers the most common problems and their solutions.
ACME Account Registration Failed
This error occurs when the EAB credentials do not match the selected SSL Certificate type. Verify that the correct type is selected in the SSL Certificate Type dropdown. For example, if you purchased a Sectigo DV SSL Certificate, make sure "Sectigo DV SSL Certificate" is selected rather than "Trustico® DV SSL Certificate." Also verify that the EAB Key ID and HMAC Key are entered correctly with no extra spaces.
Domain Validation Failed
HTTP-01 validation requires the domain to resolve to the hosting server and the web root to be accessible from the internet. If your domain is behind a CDN, firewall, or proxy that blocks validation requests, switch to "DNS-01 for All Domains" in the Validation Method dropdown.
DNS-01 validation requires the server to manage the Domain Name System (DNS) zone for the domain. If the Domain Name System (DNS) zone is managed externally (such as at a domain registrar or a service like Cloudflare), DNS-01 validation will fail because the plugin cannot create the required TXT records in the zone.
Processing Timeout
If a DNS-01 request times out, the background worker may still be running. Reload the page and the plugin will detect the active request and resume showing progress. You can also increase the Processing Timeout to allow more time for Domain Name System (DNS) propagation. If the request has genuinely failed, the status will show the error and you can dismiss it and try again.
SSL Certificate Does Not Cover Expected Domains
If a domain shows "Inactive" after installation, it means the SSL Certificate's Subject Alternative Names (SANs) do not include that domain name. A single site SSL Certificate covers only the root domain. To cover subdomains such as www or mail, you need a Wildcard SSL Certificate or a multi-domain SSL Certificate that includes those names. Submit a new request with the required domain names checked in the Website Domains table.
Cooldown Period
After issuing an SSL Certificate, a short cooldown period prevents duplicate requests and protects against Certificate Authority (CA) rate limits. If a cooldown message appears, wait the indicated time before trying again.
Frequently Asked Questions
The following questions and answers cover the most common topics customers ask about when using the Trustico® CaaS cPanel plugin.
Understanding EAB Key ID and HMAC Key Credentials
External Account Binding (EAB) credentials are provided when you purchase an SSL Certificate license from Trustico® at shop.trustico.com. The EAB Key ID identifies your purchase and the HMAC Key authenticates your request. Both are required to retrieve the SSL Certificate through the plugin. Discover How to Obtain Your CaaS Credentials 🔗
Reusing EAB Credentials for Multiple Requests
EAB credentials can be used to issue and renew the SSL Certificate for the licensed domain names. The automatic reissue process uses the same credentials without requiring you to re-enter them.
HTTP-01 Compared to DNS-01 Validation
HTTP-01 validation places a temporary file on the web server to prove domain control. It is fast but requires the domain to resolve to the server and the web root to be accessible. DNS-01 validation creates a temporary Domain Name System (DNS) TXT record to prove domain control. It is required for Wildcard SSL Certificates and works even when the domain is behind a CDN or firewall, as long as the server manages the Domain Name System (DNS) zone.
Expected Issuance Time
HTTP-01 validation typically completes in under a minute. DNS-01 validation usually completes within a few minutes but can take longer depending on the DNS provider's propagation time. You can close the page and return later to check the result.
Impact on Your Existing SSL Certificate
When a new SSL Certificate is installed, it replaces the existing SSL Certificate on the virtual host. All domain names on the virtual host will use the new SSL Certificate. Domain names that were covered by the old SSL Certificate but are not included in the new SSL Certificate's SANs will show as "Inactive" in the coverage tables.
Understanding Service Domains
Service Domains are cPanel service subdomains such as cpanel.example.com, webmail.example.com, and webdisk.example.com. These are automatically secured when the installed SSL Certificate covers them through a Wildcard SAN or an explicit domain name. They can also be selected explicitly if your SSL Certificate license includes them.
SSL Certificate Renewal
SSL Certificates installed through the Trustico® CaaS plugin are renewed automatically before they expire. No manual action is required. If your SSL Certificate license has expired, a renewal notice will appear with a link to purchase a new license at shop.trustico.com.
My Hosting Provider Does Not Have the Plugin Installed
Direct your hosting provider to the installation guide for the Trustico® CaaS cPanel plugin. Installation requires a single script run as root via Secure Shell (SSH) and makes the plugin available to every cPanel user on the server. If you manage your own cPanel server, you can install the plugin yourself. View Our CaaS cPanel Plugin Installation Guide 🔗
