Deployment

SSL installation guide

Use this guide after CertCore has issued a certificate. It covers file selection, server configuration, reload checks, wildcard installation, and common failure modes for production SSL deployments.

Before you install

  • Certificate status must be issued.
  • Download the newest certificate archive.
  • Back up the current server certificate files.
  • Confirm you can reload the web server safely.

Archive

Choose the right files

| File | Use for | Where it usually goes |
| --- | --- | --- |
| fullchain.pem | Leaf certificate plus intermediate chain. | Nginx, Caddy, reverse proxies. |
| private.key | Private key for the issued certificate. | Server key path, readable only by root/web service. |
| certificate.crt | Leaf certificate only. | Apache and panels with a certificate field. |
| ca_bundle.crt | Intermediate chain only. | Apache and panels with a CA bundle field. |

Linux

Nginx installation

  1. Upload files: place fullchain.pem and private.key under a protected directory such as /etc/nginx/ssl/example.com/.
  2. Lock down permissions: the key should not be world-readable.

sudo mkdir -p /etc/nginx/ssl/example.com
sudo cp fullchain.pem private.key /etc/nginx/ssl/example.com/
sudo chown root:root /etc/nginx/ssl/example.com/*
sudo chmod 600 /etc/nginx/ssl/example.com/private.key

  3. Update the server block:

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/nginx/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.com/private.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    root /var/www/example.com/public;
}

  4. Test and reload:

sudo nginx -t
sudo systemctl reload nginx

Linux

Apache installation

Apache commonly uses separate certificate, key, and chain directives. Use the CertCore leaf certificate, private key, and CA bundle files.

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com/public

    SSLEngine on
    SSLCertificateFile      /etc/apache2/ssl/example.com/certificate.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/example.com/private.key
    SSLCertificateChainFile /etc/apache2/ssl/example.com/ca_bundle.crt
</VirtualHost>

Test the configuration and reload:

sudo apachectl configtest
sudo systemctl reload apache2

Hosting panels

cPanel installation

Certificate field

Paste the full contents of certificate.crt, including BEGIN and END lines.

Private key field

Paste private.key. Keep this value private and do not send it over chat or email.

CA bundle field

Paste ca_bundle.crt when cPanel does not auto-detect the chain.

Install

Click Install Certificate, then test the domain over HTTPS in a clean browser session.

Windows

Windows IIS notes

IIS typically imports certificates as PFX. If your archive is PEM-based, convert the certificate, key, and chain into a password-protected PFX before importing it into IIS Manager.

openssl pkcs12 -export \
  -out example.com.pfx \
  -inkey private.key \
  -in certificate.crt \
  -certfile ca_bundle.crt

Import the PFX into the Local Computer certificate store, then bind it to the site on port 443.

Wildcard

Installing wildcard certificates

A wildcard certificate for *.example.com secures first-level subdomains such as api.example.com and app.example.com. It does not secure the apex domain unless the certificate also includes example.com.

DNS first

Keep the DNS-01 TXT record available until issuance completes.

Same install path

Install wildcard files the same way as standard certificates.

SNI bindings

For multiple apps, bind the wildcard certificate to each virtual host or site.

Validation

Verify the installation

openssl s_client -connect example.com:443 -servername example.com -showcerts
curl -Iv https://example.com

Expected result

TLS handshake succeeds, the certificate common name/SAN matches the hostname, and the chain verifies.

Browser check

Open the site in a private window and inspect the certificate expiry date.

Lifecycle

Renewal process

Renew before expiry, download the new archive, replace the server files, test configuration, and reload. CertCore tracks certificate expiry and surfaces renewal activity so operators can audit what changed.

  1. Renew in CertCore
  2. Download archive
  3. Replace files
  4. Reload server

Troubleshooting

Common installation errors

Private key mismatch: the certificate and private key are not from the same issue event. Download the latest archive and reinstall the matching pair.

Incomplete chain: use fullchain.pem on Nginx or include ca_bundle.crt on Apache and hosting panels.

Wrong hostname: confirm the request hostname is included in the certificate SAN list.

Old certificate still served: reload the correct service and check load balancers, CDN edges, and duplicate virtual hosts.

Permission denied: ensure the web server can read the certificate file and the privileged service can read the private key.
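
The private key mismatch and wrong hostname errors above can be caught before the reload step. The script below is an added example, not CertCore tooling: its function names are hypothetical, it assumes OpenSSL 1.1.1 or newer, and with no arguments it runs against a constructed throwaway wildcard pair.

```shell
#!/bin/sh
# Added example (not CertCore tooling): check a certificate/key pair before reload.
# With fullchain.pem, openssl x509 reads the first certificate, which is the leaf.

# Succeeds only when the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds when the certificate is valid for hostname $2 (wildcard rules applied).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Runs all checks; prints each failure and returns non-zero if any check fails.
preinstall_check() {  # $1 = certificate, $2 = private key, $3 = hostname
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: private key mismatch"; rc=1; }
    cert_covers_host "$1" "$3" || { echo "FAIL: $3 not covered by SAN list"; rc=1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: certificate expired or unreadable"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $3"
    return "$rc"
}

# Constructed sample input: throwaway self-signed wildcard pair written to dir $1.
make_sample_pair() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -subj "/CN=*.example.com" \
        -addext "subjectAltName=DNS:*.example.com" \
        -keyout "$1/private.key" -out "$1/certificate.crt" 2>/dev/null
}

if [ "$#" -eq 3 ]; then
    preinstall_check "$@"        # real files: <cert> <key> <hostname>
else
    d=$(mktemp -d) && make_sample_pair "$d"   # demo on the constructed pair
    preinstall_check "$d/certificate.crt" "$d/private.key" api.example.com || true
    preinstall_check "$d/certificate.crt" "$d/private.key" example.com ||
        echo "(expected: *.example.com does not cover the apex)"
    rm -rf "$d"
fi
```

Run it against the files from the archive before nginx -t or apachectl configtest; a non-zero exit status means the pair should not be installed.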