How to enable an SSL certificate

You’ve purchased a certificate; now it’s time to make use of it!

Since SSL certificates contain many technical details and security measures, in order to get your website working via HTTPS, you must do the following:

  • Obtain a Certificate Signing Request (CSR);
  • Activate the SSL certificate using your CSR;
  • Validate the domain for the activated SSL certificate;
  • Install the issued SSL certificate on the hosting server.

Below, you will find detailed instructions on how to complete the aforementioned steps. Before starting the activation process, we recommend confirming with your hosting service provider that this third-party certificate installation is supported by your server.

NOTE: If you’re already a Namecheap Shared Hosting customer, installing your PositiveSSL or EssentialSSL certificate is easy. All it takes is just two clicks from your cPanel SSL plug-in. Here’s an illustrative guide on how to do this.

  1. Certificate Signing Request (CSR)
  2. Activation
  3. Validation
  4. Installation
  5. Installation check
  6. Managing redirects
  7. Insecure content check

1. Certificate Signing Request

To get started, you will need to generate a Certificate Signing Request (CSR). This CSR contains the domain name and all the necessary information about the certificate requester. It appears as a seemingly random block of encoded text.


There are two ways to obtain a CSR code:

  1. Generate the CSR code yourself via your hosting provider. This process usually takes a couple of minutes and requires that you know the name of your hosting provider’s control panel and/or web server. Depending on the type of control panel and/or web server you use, feel free to refer to our specific guides on how to generate a CSR code:
  2. Submit a CSR code request to your hosting provider’s support center. Do keep in mind that not all hosting providers provide such a service. If you host a domain name with Namecheap, however, we’ll be happy to generate a CSR code for you.

NOTE: Some hosting providers’ control panels don’t have the functionality to generate CSR codes. In these cases, feel free to use our online generator.

If you happen to face difficulties with locating your two-letter country abbreviation, you can search for it here. Now, using the online generator, fill in the fields with the requested information and click Generate. Once you’ve done this, you’ll be provided with your SSL certificate’s CSR code and matching private key. Make sure to save the private key on your computer as a text file (we recommend ANSI (ASCII) encoding format); otherwise, a certificate reissue will be necessary.


If a certificate reissue is necessary, the CSR code will be created for exactly the same domain name (subdomain name) as the one that was specified in the initial CSR code activation.
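The first option, generating the CSR yourself, can also be done with the OpenSSL command line on the server itself, so the private key is created on that machine and never leaves it. This is an added example, not one of Namecheap's guides; example.com, the subject values and the function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example: create the private key and CSR locally with OpenSSL, then
# check the request before pasting it into the activation form.
# Subject values and example.com are placeholders; use your own details.

# make_csr <domain> <dir>: writes <dir>/<domain>.key and <dir>/<domain>.csr
make_csr() (
  umask 077   # the private key file must be readable by its owner only
  # -nodes leaves the key unencrypted so the web server can load it unattended
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$2/$1.key" -out "$2/$1.csr" \
    -subj "/C=US/ST=Arizona/L=Phoenix/O=Example Ltd/CN=$1" 2>/dev/null
)

# csr_common_name <csr>: the domain name the CA will read from the request
csr_common_name() {
  openssl req -in "$1" -noout -subject -nameopt multiline \
    | awk -F' = ' '/commonName/ { print $2 }'
}

# csr_signature_ok <csr>: the request is intact and signed by its own key
csr_signature_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# key_matches_csr <key> <csr>: compare the public key derived from each file
key_matches_csr() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# usage: sh make_csr.sh example.com /path/to/private/dir
if [ "$#" -eq 2 ]; then
  make_csr "$1" "$2" && csr_signature_ok "$2/$1.csr" \
    && key_matches_csr "$2/$1.key" "$2/$1.csr" \
    && echo "CSR for $(csr_common_name "$2/$1.csr") is ready to paste"
fi
```

The same `key_matches_csr` comparison, run against a saved key and an old CSR, tells you whether that key is still the one a certificate was requested with before you attempt an installation.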

2. Activation

For the activation flow of the renewal certificates, please refer to this page.

If you have a multi-domain SSL certificate, the activation process should not vary too much. Once you have a CSR code, you can activate the SSL certificate. Remember, purchased SSL certificates are not bound to any domain name until they are activated. To start the process, log in to your Namecheap account, navigate to the Dashboard and open the "Product List" tab on the left navigation bar, and click Activate, which is located next to your new certificate.

When the new page opens, follow the steps below in order to get your SSL certificate activated:

  1. Paste the encoded CSR code into the activation box.
  2. Pick one of the domain control validation (DCV) types.
  3. Specify the email address where you would like your SSL certificate sent.
  4. Hit the Submit button.
  5. Once you have done this, you’ll be taken to the certificate management page where you can view the Certificate & Order ID, Certificate Authority's order ID, and other details of the certificate.

In case the Organization or Extended Validation certificate is already activated, you will be asked to submit company contact information:


The "Representative" section is required only for OV certificates.

NOTE: SSL Certificates cannot be issued for domain names considered unsafe by Google Safe Browsing. All unsafe domain names will automatically be removed from the Multi-Domain SSL Certificates by Comodo (now Sectigo). Check your site’s safety status here.

3. Validation

Congrats! You’ve successfully activated your SSL certificate for your domain name. Now you will need to pass Domain Control Validation (DCV), which confirms to the Certificate Authority, e.g. Comodo (now Sectigo), that you have administrative rights and access to the domain name for which the certificate was activated.

Note: The "Upload a validation file" method will be removed for Wildcard SSLs from October 21, 2021. Learn more.

There are three ways to approve domain ownership:

  1. Add CNAME record - requires you to add a specific CNAME record to your domain zone file. After choosing DNS-based validation, the CNAME record values should be retrieved from your account as well as the validation file. The record should then be added to the domain zone file.
  2. Upload validation file - requires you to upload a unique text file into a special directory on the server. After choosing the HTTP-based validation type, you will need to download the validation file straight from the certificate management page in your Namecheap account. This file must be uploaded to the following directory:

    Note: This method is not available for Wildcard SSLs.

  3. Receive an email - requires you to choose either a generic email (admin@, administrator@, hostmaster@, postmaster@, webmaster@) or an email address retrieved from the Whois Lookup. Here you may only choose from one of the listed email addresses, without customizing. After choosing email validation, Comodo (now Sectigo) will email you a unique code that should be entered on the page provided in the same email.

If you have an OV (Organization Validation) or EV (Extended Validation) SSL certificate, you will need to complete the OV separately from the DCV, which is mentioned above. During this process, Comodo (now Sectigo) validation staff must be able to locate your company’s legal information listed, either in your country or state’s official governmental database or a trusted third-party database.

Detailed steps for OV are listed on this page while the requirements for EV are specified in this article.

NOTE: If you do not receive an approval email within 15 minutes (and have already checked your spam/junk mail folders), or the certificate has still not been issued after one hour and you have confirmed that the file or record is publicly accessible, please contact our SSL Support Team via live chat or ticketing system for further assistance.

4. Installation

After your certificate is validated, it becomes active. At this point, there is only one step left for you to complete: installing the active certificate on the server.

Make sure that you have the certificate files downloaded before proceeding with the installation. The private key, which you already saved after the CSR code generation, will also be used during the installation.

You can choose between two options on how to install your active SSL certificate:

  1. Ask your hosting provider to install SSL via their support center. Please keep in mind that not all hosting providers provide such a service and may require additional installation fees. If you host a domain name with Namecheap, however, we’ll be happy to install the certificate for you. As a reminder, please ensure that your hosting provider supports third-party SSL certificates.
  2. Manually install on your hosting server. In this case, you will need to know the name of your hosting provider’s control panel and/or web server. Feel free to follow your cPanel’s step-by-step installation guide here.

    Depending on the type of control panel and/or web server you use, please refer to our specific guides on how to manually install:

NOTE: Please keep in mind that some hosting providers may still require a dedicated IP address for SSL installation unless SNI technology is available on your server. Thus, you may need to check with your service provider on the matter.

All of Namecheap’s Shared Hosting servers have SNI technology enabled by default.

5. Installation check

Once the SSL certificate is installed on the server, it’s time to check and see if it was installed properly. Feel free to open the Decoder tool, paste in the domain name, and click the Check button.


If you see the same status as the screenshot above, your SSL certificate was properly installed. Feel free to clear the cache of your web browser and visit the website via https://. Alternatively, you can open it in your browser's incognito mode.

6. Managing redirects

As you can see from the steps above, your domain name will become available via the https:// connection once the certificate is properly installed on the server. Right after this occurs, you may experience a common post-installation issue: a “Not secure” warning message is displayed on the web page when you visit your website.

The reason is that SSL certificate installation only makes your website accessible via a secure https:// connection. It does not make the https:// version the default one. Feel free to check this by manually typing your domain name with 'https://' at the beginning. You should notice that the warning message disappears and the green padlock is properly displayed in the browser address bar.

That’s why you can create a redirection rule on the server to make the https:// version of your website the default one. The rule should be created on the web server or in the control panel used to manage the website.

Please choose your control panel and/or web server from the list below and follow the corresponding steps in order to enable the redirection:

The redirection guide for WordPress panel can be found here.

Once the rule is created, your visitors will be automatically redirected to the https:// version of your site.

NOTE: The “URL redirect” option in the nameservers settings might not create the desired result. Moreover, redirect misconfiguration may take place in such a case.

7. Insecure content check

Another issue that you may encounter after the successful installation is the “Mixed (insecure) content” warning message in your web browser.


The message means that there is some content of your website (e.g. images, fonts, scripts, etc.) which has been downloaded from some sort of insecure location. In other words, the content is loaded via http:// links instead of https:// ones.

Rest assured that this isn’t related to the SSL certificate itself or its installation; it’s a code debugging issue. We recommend researching it independently or contacting the responsible developer if such a case arises. Your main goal when researching is to replace the ‘http://’ protocol at the beginning of each link with the 'https://' one.

NOTE: The workaround for solving the insecure content issue is described on the dedicated page.

  • If your website is created using WordPress, there is a way to remove all the insecure requests by installing and activating the "Really Simple SSL" plug-in from the WordPress admin panel.
  • In case of cPanel and Apache web server, feel free to add the following header into the very first line of a website .htaccess file:

    Header set Content-Security-Policy "upgrade-insecure-requests" env=HTTPS

The list of all mixed elements can be found with the help of this online tool. Or just in your Google Chrome browser:

  1. Select More Tools from the browser menu bar > Javascript console
  2. Ctrl + Shift + J on https:// page (or Cmd + Opt + J for Mac)
  3. Press F12 and click 'Console' on the https:// page
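The hard-coded http:// references can also be listed directly from the site's files on the server, which shows the file and line to edit. This is an added example, not part of the original article; the function name and the file extensions scanned are choices made here.

```shell
#!/bin/sh
# Added example: first-pass scan of a site's files for subresources that are
# hard-coded with http:// (the cause of the mixed content warning).
# Ordinary <a href="http://..."> links are navigation, not loaded content, so
# <a> tags are not scanned. Tags split across several lines are not detected.

# scan_mixed <dir>: prints one "file:line:<tag or url(...)>" line per finding
scan_mixed() {
  q="[\"']?"   # optional opening quote around the attribute value
  find "$1" -type f \( -name '*.html' -o -name '*.php' -o -name '*.css' \) \
      -exec grep -HnoiE \
        -e '<(script|img|iframe|audio|video|source|embed|link)[[:space:]][^>]*>' \
        -e 'url\([^)]*\)' {} + \
    | grep -iE "([[:space:]](src|href)=${q}|url\\([[:space:]]*${q})http://" \
    | grep -viE "<link[^>]*rel=${q}(canonical|alternate)" \
    | sort
}

# usage: sh scan_mixed.sh /path/to/document/root
if [ "$#" -eq 1 ]; then
  scan_mixed "$1"
fi
```

The last filter drops `<link rel="canonical">` and `rel="alternate"` tags, which name a URL without loading anything from it.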

That's it!
