How to Install SSL Certificate on Your WordPress Site

If you are running an ecommerce site, accepting credit cards, or passing information that needs to be encrypted, you’ll need to install an SSL certificate on your WordPress site. Having an SSL certificate will enable HTTPS and this ensures that no information is passed in plain text. In fact, we recommend all sites utilize HTTPS, as it has a lot of additional benefits beyond security. Follow the steps below on how to install SSL on your WordPress site.

How to Install SSL Certificate

You have three different options when it comes to installing an SSL (TLS) certificate on your WordPress site. Also see information on checking your SSL certificate, renewing, and removal.

Option 1 – Install Free SSL certificate
Option 2 – Install Custom SSL certificate
Option 3 – Install SSL certificate with Cloudflare or Sucuri
Check SSL certificate
Renew SSL certificate
Remove Custom SSL certificate

Option 1 – Install Free SSL Certificate With Let’s Encrypt

Setting up SSL with our Let’s Encrypt integration is as easy as 123. Make sure your domain is pointed at Kinsta before proceeding. If you are using Cloudflare or Sucuri, skip down to Option 3.

Current Limitations

All domains/sub-domains need to be added manually on the dashboard
Limitation of 100 sub-domains
Let’s Encrypt certificates are domain validated only (they don’t have warranties)
Limitations on domains with special characters

Step 1

Select a site in MyKinsta.

Step 2

Click on “Tools” and under Enable HTTPS click on “Generate A Free HTTPS Certificate.”

Choose the free Let’s Encrypt SSL.

Step 3

In order for a certificate to be generated successfully you must have at least one live domain pointed at Kinsta via an A record. You will then have an option to choose the domains on which you want an SSL certificate installed. If your site is http://domain.com and has a redirect from www to non-www, you will still want to select both for the HTTPS redirect. Click on “Generate Certificate.” (Note: You will need to add all of your domains prior to this from the MyKinsta dashboard, including any subdomains which require SSL)

Important

Kinsta only supports A records (IPV4) at this time. If the domain of your Kinsta site has an AAAA record (IPV6), be sure to delete the AAAA record before generating an SSL certificate. If you do not remove the AAAA record, the SSL issuance process will fail.

Select domains for SSL.

And that’s it! It will take a few seconds or so to install and your site should be all secured.

Option 2 – Install Custom SSL Certificate

Step 1 – Purchase SSL Certificate

Purchase your SSL certificate from any vendor you like such as Comodo, DigiCert, GeoTrust, Thawte, or Trustwave. Kinsta supports all types of SSL certificates, including wildcard certificates.

Step 2 – Server Type

When purchasing a new SSL certificate, you are asked to provide the server type. The type of our web servers is Nginx, if that option is not available, then “Apache” or “Other” will work as well.

Step 3 – Generate CSR and Private Key

A CSR code will be needed by the SSL provider to create/sign the certificate file. For generating a CSR code and RSA key, please complete the following form: https://www.ssl.com/online-csr-and-key-generator/.

We recommend filling out every field, but at a minimum, you should fill in the following as seen in the example below:

Common name (domain name)
Email Address
Organization
City / Locality
State / County / Region
Country

Note: For the common name field, if you are generating a wildcard certificate, you will need to input your domain name like *.domain.com.

Generate CSR form

The form will generate you the private key file and the CSR. Make sure to save both of those as the certificate will be unusable without them.

CSR and private key

Step 4

Upload your CSR with your SSL provider to regenerate your SSL certificate (.cert).

Step 5

Log in to the dashboard, click on a site, go to the Tools tab and click the “Add Custom HTTPS Credentials” button to get started.

Install SSL certificate on WordPress.

Step 6

To use custom credentials you will need to have a .key and a .cert file prepared. Then click “Next.”

Custom HTTPS verification.

Step 7

You will then be able to add your private key and certificate. Note: Some customers will also want to add their intermediate certificate as well. Most SSL providers will email you a .crt file and a .ca-bundle file. Paste the contents of your .crt file in the “Certificate” section first and then the contents of the .ca-bundle file below it. You can use a text editor like Notepad or TextMate to open the certificate and bundle files. If you don’t have or know your intermediate certificate you can use a free tool like https://whatsmychaincert.com/ to generate it. Then click “Apply Certificate.”

Apply custom SSL certificate.

Option 3 – Install SSL Certificate With Cloudflare or Sucuri

Cloudflare and Sucuri are what are known as reverse-proxy services. You can think of them as a middleman. You point your DNS to them, and in turn they route your requests to Kinsta’s servers. Because of this, there are a few additional steps you need to take to ensure SSL certificates are properly installed.

For Those Using Cloudflare

Cloudflare allows two different arrangements for loading a site over HTTPS: flexible or full (or full strict).

Flexible allows an HTTP (unencrypted) connection between Cloudflare and the Kinsta servers and does not require an SSL certificate.
Full requires an HTTPS (encrypted) connection between Cloudflare and the Kinsta servers.

Here are the steps you should follow:

Step 1

In Cloudflare, click into the “Crypto” tab and turn off SSL (it’s also recommended to set Cloudflare to development mode till the SSL is ready on the Kinsta side. You can do this from the quick actions on the overview dashboard.)

Turn off SSL in Cloudflare.

Step 2

Install Let’s Encrypt or a custom SSL certificate at Kinsta via the methods above.

Step 3

Once your SSL certificate has been successfully installed at Kinsta, set the crypto level at Cloudflare to Full or Full (Strict) so that the connection is encrypted all the way from the Kinsta server to the client’s browser.

Set Cloudflare’s SSL mode to “Full”.

Step 4

Then purge the Cloudflare cache. And if you put your site into development mode, make sure to set it back to active.

Purge Cloudflare cache.

For Those Using Sucuri

You must first contact their support and have them enable the setting to “forward certificate validation.” This allows HTTPS provisioning to complete successfully. You may then install Let’s Encrypt or a custom SSL certificate via the methods above.

Check SSL Certificate

After you have installed your SSL Certificate we recommend running an SSL check to verify that everything is setup correctly. Invalid SSL Certificates can cause your visitors to be faced with the “your connection is not private” error.

Renew SSL Certificate

Follow the information regarding renewal of your SSL certificate.

Free SSL Certificates

Free SSL certificates (Let’s Encrypt) deployed via the MyKinsta dashboard are renewed automatically every 90 days. There’s nothing you need to do. However, if your site is behind a reverse-proxy such as Sucuri, you must contact their support and have them enable the setting to “forward certificate validation” which allows HTTPS renewals to complete successfully.

Custom SSL Certificates

If you have a custom SSL certificate, you’ll need to renew it with the SSL provider or domain registrar from which it was purchased. As long as it was renewed before it expires, there’s no need to re-upload it to the MyKinsta dashboard.

Force HTTPS

After installing an SSL certificate, you will have the option to “force HTTPS” in the MyKinsta dashboard. This feature allows you to automatically forward all incoming requests to HTTPS.

Force HTTPS in MyKinsta.

Our force HTTPS tool gives you two options – “force all traffic to the primary domain” and “use requested domain”. For normal WordPress sites, we recommend using the first option, which will force a 301 redirect to the HTTPS version of your canonical domain. The second option is useful for WordPress multisites which may have multiple domains assigned to the same Kinsta site.

Force HTTPS options.

Remove SSL Certificate

There might be some instances in which you need to remove an HTTPS certificate, whether it be Let’s Encrypt or your own custom SSL certificate. Perhaps you were testing an HTTPS migration or maybe you’re migrating your site to Let’s Encrypt certificates. To remove an HTTPS certificate, simply click on “Remove HTTPS Certificate” under Enable HTTPS in the Tools menu.

Remove SSL certificate in MyKinsta.

If you enjoyed this tutorial, then you’ll love our support. All Kinsta’s hosting plans include 24/7 support from our veteran WordPress developers and engineers. Chat with the same team that backs our Fortune 500 clients. Check out our plans

Name	Purpose
Cookie Settings	If you've set preferences (which cookies you accept and which you don't) we store your preferences here to make sure we don't load anything that you didn't agree to.
WordPress Cookies	WordPress sets a couple of cookies that track logged in users and store user preferences set in their WordPress user profile. These are set for members of the Kinsta website only - members of our staff.
Stripe	Stripe is our payment provider and they may set some cookies to help them with fraud prevention and other issues. This is required for our payments to work.
Affiliate cookie	This cookie contains information about the affiliate who refered a visitor. The cookie contains no information about the visitor whatsoever.
Google Analytics	Analytics help us deliver better content to our audience. We have made sure no personally identifiable information (PII) is sent by anonymizing IPs.
Google Optimize	Set and used by Google. It allows us to A/B test our content to make sure we're providing visitors with what they need most.
Newsletter Participation	If you sign up for our newsletter we'll remove the newsletter subscription box for you. This cookie has not personal data it just indicates if you have signed up.

Select	Provider	Purpose
	Twitter	Set and used by Twitter for targeting advertisements and promoting content to users who have visited kinsta.com.
	AdWords	Set and used by Google Ads for remarketing, personalization, and targeting advertisements to users who have visited kinsta.com. (Google Ads Settings)
	HubSpot and Facebook	Set by Hubspot. Used by Facebook for targeting advertisements and promoting content to users who have visited kinsta.com. Used by Hubspot to allow us to better assist visitors to kinsta.com who contact us.
	LinkedIn	Set and used by LinkedIn for targeting advertisements and promoting content to users who have visited kinsta.com.
	G2	Set and used by G2 for targeting advertisements and promoting content to users who have visited kinsta.com.
	Reddit	Set and used by Reddit for targeting advertisements and promoting content to users who have visited kinsta.com.
	Pinterest	Set and used by Pinterest for targeting advertisements and promoting content to users who have visited kinsta.com.
	Hotjar	We use Hotjar in order to better understand our users’ needs and to optimize kinsta.com.

How to Install SSL Certificate on Your WordPress Site

How to Install SSL Certificate