Trustico® Certificate as a Service (CaaS) cPanel Plugin

Managing SSL Certificates on a shared hosting server has traditionally meant dealing with Certificate Signing Request (CSR) generation, Private Key management, manual file uploads, and the constant risk of forgetting to reissue before expiry. For the millions of websites running on cPanel-powered hosting, Trustico® has built something that eliminates all of that complexity.

The Trustico® Certificate as a Service (CaaS) cPanel plugin brings automated SSL Certificate retrieval, installation, and reissue directly into the cPanel dashboard - no command line, no manual steps, and no expiry anxiety. Learn About Certificate as a Service (CaaS) 🔗

This plugin is designed for website owners who want commercial SSL Certificate protection without the technical overhead. It works with both Trustico® branded and Sectigo branded SSL Certificates, supports single domain and Wildcard SSL Certificates, and once configured, handles every future reissue automatically. The entire process, from entering your credentials to serving HTTPS on your domain, takes just minutes.

Understanding the Trustico® Certificate as a Service (CaaS) cPanel Plugin

The Trustico® Certificate as a Service (CaaS) cPanel plugin is a server-side extension that integrates directly into the cPanel control panel. Once your hosting provider has installed it on their server, it appears under Security in your cPanel navigation as "Trustico® SSL Certificates" - right alongside cPanel's own built-in security tools.

It looks and behaves like a native part of cPanel because it uses the same design language, headers, and navigation patterns that cPanel users are already familiar with.

The plugin connects your existing Trustico® SSL Certificate order to your cPanel hosting environment using the Automatic Certificate Management Environment (ACME) protocol with External Account Binding (EAB) credentials. When you purchase an SSL Certificate through Trustico® you receive a set of External Account Binding (EAB) credentials, specifically a Key ID and an HMAC Key.

These two values are everything the plugin needs to retrieve, install, and manage your SSL Certificate. You simply paste them into the plugin interface, select your domain, and the plugin handles the rest. Discover How to Obtain Your Certificate as a Service (CaaS) Credentials 🔗

Why Commercial SSL Certificates Outperform Free Alternatives

Understanding why commercial SSL Certificates from a trusted Certificate Authority (CA) provide advantages that free providers cannot match is worth covering before looking at how the plugin works. Free SSL Certificate providers offer basic encryption, but encryption alone is only part of what an SSL Certificate delivers.

Commercial SSL Certificates issued through Trustico® come with warranty protection that covers relying parties in the event of a misissuance. They are backed by Sectigo, one of the largest and most established Certificate Authorities (CAs) in the world, with root Certificates embedded in virtually every browser, device, and operating system.

This level of ubiquity means your website will be trusted by visitors regardless of which device or browser they use. Explore SSL Certificate Ubiquity and Browser Compatibility 🔗

Free SSL Certificate providers typically offer only Domain Validation (DV) SSL Certificates with no identity verification, no warranty coverage, and limited support when things go wrong. They often require technical knowledge to configure and maintain, and if your automation breaks, there is no support team to help you recover.

With Trustico® SSL Certificates, you have access to Domain Validation (DV) and Organization Validation (OV) products, warranty protection, and the backing of a provider that has been securing websites for over two decades.

Search engines also factor trust signals into their ranking algorithms. While any valid SSL Certificate provides the baseline HTTPS signal, the trust chain behind your SSL Certificate, the Certificate Authority (CA) that issued it, and the validation level all contribute to how search engines and browsers evaluate your website's credibility. Learn About How SSL Certificates Impact Search Engine Rankings 🔗

How the Plugin Works

The customer experience has been designed to be as straightforward as possible. Everything happens within the familiar cPanel interface, and no technical knowledge beyond basic cPanel navigation is required.

Selecting Your Virtual Host

When you open the plugin, the first screen presents a dropdown labeled "Select Your Virtual Host." A virtual host is the primary hosted domain on your cPanel account. If you have multiple websites hosted on the same account, each one appears as a separate virtual host in the dropdown.

Once you select a virtual host, three coverage tables appear showing the current SSL Certificate status for that domain.

Understanding the Coverage Tables

The plugin displays your SSL Certificate coverage using the same method cPanel uses on its own SSL/TLS Status page. Each domain name is checked against the installed SSL Certificate's Subject Alternative Names (SANs) to determine whether it is covered.

The Virtual Host Status table shows the SSL Certificate currently installed on your hosted domain, including the issuer, the expiry date with days remaining, and the overall status.

The Website Domains table shows the domain names your visitors use to access your website. Each row has a checkbox allowing you to select which domain names to include on your new SSL Certificate. This includes the base domain, the www version, and the Wildcard entry if available.

The Service Domains table shows cPanel service subdomains such as cpanel, webmail, webdisk, cpcontacts, cpcalendars, and autodiscover. These are automatically secured when your SSL Certificate includes a Wildcard Subject Alternative Name (SAN).

The plugin uses six distinct status labels to give you a clear picture at a glance. Domains with active SSL Certificates that have more than 30 days remaining show a green "Active" label. Those with seven to 29 days remaining display an amber "Renew Soon" label. Domains within seven days of expiry are highlighted in red with an "Expiring" label, and those that have already expired show a red "Expired" label.

Any domain not covered by the installed SSL Certificate shows a gray "Inactive" label, and any virtual host without an SSL Certificate installed shows an amber "No SSL" label.

Retrieving and Installing Your SSL Certificate

Below the coverage tables is the "Retrieve SSL Certificate" form. The process begins with selecting your SSL Certificate Type from a dropdown menu. The plugin supports four products : Trustico® Domain Validation (DV) SSL Certificate, Trustico® Organization Validation (OV) SSL Certificate, Sectigo Domain Validation (DV) SSL Certificate, and Sectigo Organization Validation (OV) SSL Certificate.

All four products are either issued or powered by Sectigo as the underlying Certificate Authority (CA), with the difference being the branding and the Automatic Certificate Management Environment (ACME) server endpoint used.

A Validation Method dropdown lets you choose between "Automatic (Recommended)" and "DNS-01 for All Domains." The automatic option uses HTTP-01 for standard domains and DNS-01 for Wildcard domains. If you select a Wildcard domain name in the coverage tables, the dropdown automatically switches to "DNS-01 for All Domains" and locks.

A Processing Timeout dropdown controls how long the background worker will wait for the Certificate Authority (CA) to complete validation. Options range from 15 minutes to 24 hours, with 24 hours as the recommended default. DNS-01 validation typically completes within a few minutes, but the generous default ensures the request is not terminated prematurely if the Certificate Authority (CA) is experiencing delays.

You then enter your External Account Binding (EAB) Key ID and External Account Binding (EAB) HMAC Key - the two credentials provided with your Trustico® order. The HMAC Key field is displayed as a password field for security purposes.

An SSL Certificate Retrieval dropdown offers two options. "Standard Issuance (Recommended)" reinstalls your existing SSL Certificate if it is still valid from a previous retrieval. The plugin stores and manages your SSL Certificate independently of cPanel, including automatic reissue before expiry.

Select "Force Issuance" only if you require a completely new SSL Certificate and Private Key from the Certificate Authority (CA). If your domain selection has changed, a new SSL Certificate is retrieved automatically regardless of this setting.

A cPanel AutoSSL dropdown defaults to "Enable Trustico® CaaS Primarily (Recommended)." This sets your Trustico® Certificate as a Service (CaaS) SSL Certificate as the primary SSL Certificate for your virtual host and instructs cPanel to disable AutoSSL for the virtual host domains.

This prevents cPanel's built-in AutoSSL from automatically overwriting your paid SSL Certificate with a free alternative. The exclusion is persistent and can be reversed from the cPanel SSL/TLS Status page.

Once you have completed the form, you click "Retrieve SSL Certificate" and the plugin takes over. Discover External Account Binding (EAB) Credentials 🔗

Behind the scenes, the plugin performs a complete automated sequence. It registers with the appropriate Automatic Certificate Management Environment (ACME) server using your External Account Binding (EAB) credentials and performs domain validation.

For HTTP-01 validation, it places a challenge file in your webroot that the Certificate Authority (CA) verifies. For DNS-01 validation, it creates temporary TXT records in your domain's Domain Name System (DNS) zone via cPanel's Domain Name System (DNS) management.

It then retrieves the signed SSL Certificate and installs the SSL Certificate along with the Private Key and Certificate Authority (CA) bundle directly into cPanel's SSL management system. Your domain immediately begins serving HTTPS with the new SSL Certificate.

During processing, you see a progress indicator showing the current step and an elapsed time counter. When complete, a green success message confirms the installation. A "Show Details" toggle reveals a technical log of what happened during the process.

If anything goes wrong, clear error messages explain the issue - whether it is invalid External Account Binding (EAB) credentials, a webroot permission problem, or the Automatic Certificate Management Environment (ACME) server being temporarily unreachable.

Automatic Reissue - Set It and Forget It

This is where the plugin truly shines compared to manual SSL Certificate management. After successfully installing an SSL Certificate, the plugin configures an automated reissue system that monitors the SSL Certificate's expiry date. When the SSL Certificate approaches its reissue window, it is automatically reissued using the same process and reinstalled into cPanel.

You do not receive expiry warnings because you do not need them - the reissue happens before the SSL Certificate ever gets close to expiring.

Automatic reissue is particularly valuable as the industry moves towards shorter SSL Certificate validity periods. The Certification Authority/Browser (CA/B) Forum has mandated progressive reductions, with maximum validity periods decreasing to 200 days from March 2026, then to 100 days, and eventually to just 47 days.

With the Trustico® Certificate as a Service (CaaS) cPanel plugin handling reissue automatically, these shorter validity periods become entirely transparent to you as a website owner. Explore Traditional SSL Certificates vs Certificate as a Service (CaaS) 🔗

Reissuing an SSL Certificate

If you need to reissue an SSL Certificate - whether because you have new External Account Binding (EAB) credentials, want to switch to a different SSL Certificate type, or your Private Key has been compromised - the plugin provides a "Force Issuance" option in the SSL Certificate Retrieval dropdown.

Select "Force Issuance," enter your credentials, and click "Retrieve SSL Certificate." The plugin retrieves a completely new SSL Certificate and Private Key from the Certificate Authority (CA), replacing the existing one.

The automated reissue configuration is updated at the same time, so the new SSL Certificate will continue to be managed automatically going forward. Learn About How to Reissue Your SSL Certificate 🔗

Wildcard and Multi-Domain SSL Certificate Support

The plugin supports Wildcard SSL Certificates for customers who need to secure multiple subdomains under a single domain. A Wildcard SSL Certificate for *.example.com covers all subdomains - such as www.example.com, mail.example.com, shop.example.com, and any other subdomain - under a single SSL Certificate. Learn About Wildcard SSL Certificates 🔗

It is important to understand that a Wildcard SSL Certificate covers subdomains only. The wildcard pattern *.example.com does not cover the base domain (example.com) itself. To secure the base domain alongside the wildcard, it needs to be included as a separate Subject Alternative Name (SAN) on the same SSL Certificate.

Trustico® generally bundles both together when you purchase a Wildcard SSL Certificate, so your licensed domain names will typically authorize issuance for both *.example.com and example.com. This means you get a single SSL Certificate that protects your base domain and every subdomain - which is what most website owners need.

When selecting domain coverage in the plugin, the Website Domains table shows all available domain names with checkboxes. You simply check the domains you want included on your SSL Certificate. If you check a Wildcard entry, the Validation Method automatically switches to DNS-01. Learn About Multi-Domain SSL Certificates 🔗

How Wildcard Validation Differs

Standard single domain SSL Certificates use HTTP-01 validation, where the Certificate Authority (CA) verifies domain control by checking for a challenge file placed in your webroot. Wildcard SSL Certificates require a different approach called DNS-01 validation, where the Certificate Authority (CA) verifies domain control by checking for a temporary TXT record in your domain's Domain Name System (DNS) zone.

The plugin manages this entirely for you. When you select a Wildcard domain name, the plugin verifies that the Domain Name System (DNS) zone for your domain is managed by the same cPanel server. It then deploys a hook script that creates and removes the required _acme-challenge TXT records automatically via cPanel's Domain Name System (DNS) management, and issues the SSL Certificate using DNS-01 validation.

The resulting SSL Certificate is installed into cPanel and automatically serves all matching domains through cPanel's Server Name Indication (SNI) system - no separate installation per subdomain is required.

When the Wildcard option is not selected, the plugin continues to use the standard HTTP-01 validation method exactly as before. Nothing changes for customers who only need single domain SSL Certificates.

Security Built Into Every Step

The plugin has been designed with security as a priority throughout. Your External Account Binding (EAB) credentials are handled carefully - the HMAC Key is displayed as a masked password field in the interface, credentials are passed via environment variables rather than command-line arguments (which could be visible in process listings), and they are cleared from memory immediately after use.

All state-changing operations are protected by Cross-Site Request Forgery (CSRF) validation using cPanel session tokens. Every input is validated before processing, including verification that the selected domain belongs to your cPanel account, that External Account Binding (EAB) credentials match the expected format, and that domain names do not contain path traversal characters.

A rate limiter enforces a five-minute cooldown between SSL Certificate operations per domain, preventing accidental or malicious overuse of Certificate Authority (CA) rate limits. File locks prevent two simultaneous SSL Certificate operations for the same domain.

Any logs or output displayed to you through the "Show Details" view are sanitized to remove server paths, IP addresses, Automatic Certificate Management Environment (ACME) account identifiers, and External Account Binding (EAB) credential values. Server-side errors are logged separately with timestamps in Coordinated Universal Time (UTC), automatic rotation at one megabyte, and file permissions restricted to the account owner only.

Importantly, the plugin runs entirely with your cPanel user permissions. It does not require root access, does not run as a privileged system process, and does not affect any other SSL Certificates on the server. Each cPanel user's SSL Certificate management data is stored in a dedicated directory under their home directory, completely isolated from other accounts.

What the Plugin Does Not Require

Part of what makes this plugin compelling is what it eliminates from the traditional SSL Certificate workflow. You do not need SSH (Secure Shell) access or command-line knowledge. You do not need to generate a Certificate Signing Request (CSR) manually. You do not need to paste SSL Certificate text, handle Private Key files, or install Certificate Authority (CA) bundles separately.

You do not need a dedicated IP address - the plugin works with Server Name Indication (SNI), which is the standard for modern shared hosting environments. Learn About Certificate Signing Requests (CSR) 🔗

You also do not need to worry about reissue timing, expiry dates, or manual reinstallation. The plugin creates and maintains its own reissue schedule independently, checking automatically and reissuing when the time comes.

For Hosting Companies and Server Administrators

Installing the plugin on a cPanel server is a one-time operation performed by the server administrator via SSH (Secure Shell) as root. A single installation script downloads and verifies the Automatic Certificate Management Environment (ACME) client using SHA-256 checksum verification, copies the plugin files into the cPanel theme directory, registers the plugin with cPanel's Feature Manager, and rebuilds the icon sprites.

Once installed, every cPanel user on the server automatically sees "Trustico® SSL Certificates" under the Security section in their dashboard.

An uninstall script cleanly reverses the process. Per-user data, including installed SSL Certificates and reissue configurations, is preserved separately and can be cleaned up on a per-user basis if needed. The plugin is compatible with cPanel's Jupiter theme and supports alternative themes using the installer's --theme flag. View Our Installation Guide 🔗

The Technology Behind the Plugin

Understanding the underlying technology helps explain why this approach to SSL Certificate management is both reliable and future-proof.

The Automatic Certificate Management Environment (ACME) Protocol

The Automatic Certificate Management Environment (ACME) protocol, defined in RFC 8555, is the industry-standard protocol for automated SSL Certificate management. It provides a structured way for software to request, validate, and retrieve SSL Certificates from a Certificate Authority (CA) without human intervention.

The plugin uses the Automatic Certificate Management Environment (ACME) protocol with External Account Binding (EAB), which links your pre-purchased Trustico® order to the Automatic Certificate Management Environment (ACME) account through your Key ID and HMAC Key credentials.

This is what differentiates commercial Automatic Certificate Management Environment (ACME) based SSL Certificate management from free providers - your External Account Binding (EAB) credentials represent a paid, supported SSL Certificate product with full warranty protection. Learn About The Automatic Certificate Management Environment (ACME) Protocol 🔗

SSL Certificate Key Types

The plugin reads your cPanel key type preference to determine whether to generate RSA or Elliptic Curve Cryptography (ECC) key pairs for your SSL Certificate. If no preference is set, it defaults to RSA-2048, which provides broad compatibility across all servers and clients.

Customers who prefer Elliptic Curve Cryptography (ECC) can set their preference in cPanel, and the plugin will use it automatically. Elliptic Curve Cryptography (ECC) provides equivalent security strength to RSA with significantly smaller key sizes, resulting in faster Transport Layer Security (TLS) handshakes and reduced computational overhead on your server. Discover RSA, DSA, and Elliptic Curve Cryptography (ECC) Encryption Algorithms 🔗

The Certificate Authority

All SSL Certificates issued through the plugin - whether branded as Trustico® or Sectigo - are issued by Sectigo, formerly known as Comodo Certificate Authority (CA). Sectigo is one of the world's largest commercial Certificate Authorities (CAs), with root Certificates trusted by all major browsers and operating systems. Learn About Sectigo Certificate Authority (CA) 🔗

Getting Started

Setting up an SSL Certificate through the Trustico® Certificate as a Service (CaaS) cPanel plugin is a straightforward process. First, you need an active Trustico® SSL Certificate order. When you purchase an SSL Certificate product that supports Certificate as a Service (CaaS), your order includes the External Account Binding (EAB) Key ID and HMAC Key credentials you will need. You can find these credentials in your order confirmation e-mail.

Next, log in to your cPanel dashboard and navigate to the Security section where you will find "Trustico® SSL Certificates." Open the plugin, select your virtual host, check the domain names you want covered, select your SSL Certificate type, paste in your External Account Binding (EAB) credentials, and click "Retrieve SSL Certificate."

Within minutes, your domain will be serving HTTPS with a fully validated commercial SSL Certificate, and automatic reissue will be configured to keep it that way indefinitely. Discover How to Obtain Your Certificate as a Service (CaaS) Credentials 🔗

The days of manually managing SSL Certificates on cPanel servers are over. With the Trustico® Certificate as a Service (CaaS) cPanel plugin, commercial SSL Certificate protection is as simple as selecting your coverage, pasting two credentials, and clicking a button.

From that point forward, your SSL Certificate is reissued automatically, keeping your website secure, trusted, and ranking well in search results without any ongoing effort on your part.