SSL Certificates

WHMCS MarketConnect allows you to resell SSL certificates from DigiCert®, RapidSSL, and GeoTrust® with fully automated end-to-end provisioning and deployment.

For more information, see our DigiCert SSL Certificates Knowledgebase.

Control Panels For Automatic SSL Installation

For the following control panels, WHMCS can automate SSL procurement by generating a CSR, submitting it to the certificate authority, and installing the certificate:

  • cPanel & WHM
  • Plesk
  • DirectAdmin

For other control panels, you must configure SSL certificates manually. Manual configuration requires the user to submit a CSR in the Client Area.

Landing Pages

WHMCS MarketConnect includes SSL landing pages to send your new and existing customers to in order to learn about SSL and the SSL options you offer:

  • Overview (below)
  • Standard SSL DV Certificates
  • Organizational OV Certificates
  • Extended Validation EV Certificates
  • Wildcard Certificates

You can enable these when you start selling SSL certificates via MarketConnect. You can also enable or disable them under Management for SSL certificate sales at Configuration () > System Settings > MarketConnect.

Setup and Configuration

To activate and begin reselling SpamExperts:

  1. Go to Configuration () > System Settings > MarketConnect.
  2. Find SSL Certificates.
  3. Click Start Selling.
  4. Click Activate Now.

SSL Certificate Automation

When ordering an SSL certificate for a cPanel & WHM, Plesk, or DirectAdmin hosting account, WHMCS and MarketConnect fully automate the SSL provisioning process. The system can perform the following actions with no manual intervention from your staff:

  • CSR generation
  • Certificate configuration
  • Domain Ownership Verification setup
  • Retrieval of the issued certificate
  • Certificate installation

In some cases, such as orders for OV and EV SSL certificates, additional steps to complete the extended validation may be required. After all of the extended validation requirements have been completed, the SSL certificate will be recognized, retrieved, and installed automatically.

MarketConnect will also automate the necessary reissuances for the duration of a multi-year certificate purchase.

For more information, see Reissuance and Installation below.

Control Panel Requirements

For automated SSL CSR generation and installation, cPanel accounts require you to enable the SSL/TLS feature on the appropriate feature list. You can enable this in WHM at WHM > Packages > Feature Manager.

WHMCS only supports fully-automated SSL certificate provisioning for cPanel & WHM, Plesk, and DirectAdmin.

Ordering an SSL certificate as a standalone product or as an addon to a hosting account on an unsupported control panel will require manual input from clients to complete the process.

After submitting and paying for an SSL certificate order, the certificate will be provisioned and the customer will receive an email with a link to configure the certificate. They will be asked to provide a CSR and select an approver email address as part of the configuration process. The approver email will be used to validate the certificate’s domain’s owner.

Instant Issuance

In WHMCS 8.7 and later, MarketConnect supports Instant Issuance, an advanced method for DV-based DigiCert SSL certificates that makes selling and deploying SSL certificates even faster and more reliable.

Instant Issuance is only available through DigiCert partners like WHMCS MarketConnect.

With Instant Issuance, the system runs the DV check and receives a signed SSL certificate (CSR) immediately at the time of order. This provides instantaneous SSL protection with no wait time and no confusing errors or warnings when clients access the new website. It also reduces the risk of failure and other issues that customers may experience with SSL issuance via standard Domain Control Validation (DCV) polling.

Clients will have an improved experience due to the reduced likelihood of errors and the elimination of wait time between order and issuance. This can mean reduced technical support needs, increased SSL certificate orders, and better overall customer satisfaction.

Requirements

  • MarketConnect uses Instant Issuance by default on all DV SSL certificate orders via DigiCert and MarketConnect on WHMCS 8.7 and higher.
  • Before WHMCS 8.7, issuance via standard DCV polling was the only method available for SSL certificate issuance, and the system will continue to use it for orders for which Instant Issuance is not possible.

Instant Issuance requires that:

  • The system has access to create the necessary files.
  • The Domain Control Validation (DCV) for the order is file-based or, in some circumstances, DNS-based.

If the purchase meets these conditions, the system will always attempt Instant Issuance.

How Instant Issuance Works

Instant Issuance uses pre-generated cryptographic content for file-based and DNS authorization checks (DCV). This facilitates immediate deployment and instantaneous protection for customers’ websites.

Instant Issuance uses the following process:

  1. A customer places an SSL certificate order.

    Customers can purchase SSL certificates through the Client Area, or admins can place orders through the Admin Area. If the purchase meets the requirements for Instant Issuance, the system will always attempt Instant Issuance.

  2. The system generates cryptographic files.

    The system automatically generates the required cryptographic files within the associated hosting account.

  3. MarketConnect sends the order information to DigiCert.

    When MarketConnect sends the order to DigiCert, it will include the generated cryptographic content. This speeds up the process by removing several time-consuming steps that slow down the standard DCV polling process.

  4. DigiCert replies.

    DigiCert will immediately reply with the new certificate’s data.

  5. The system automatically installs the certificate.

    After WHMCS has the certificate data, installation occurs immediately.

    If Instant Issuance fails, the system will attempt to issue the certificate using standard DCV polling.

    For more information, see Instant Issuance Failures.

You can view Instant Issuance activity in the Activity Log section at Configuration () > System Logs.

Domain Control Validation Methods

We recommend upgrading to WHMCS 8.3 or higher to use DNS validation for full automation of DV wildcard certificates.

WHMCS’s automation for MarketConnect SSL certificate purchases includes several options for DCV:

  • DNS validation is available in WHMCS 8.3 and later.
  • Email and HTTP file validation are available in all supported WHMCS versions.

In WHMCS 8.3 and later, clients and admins can select a validation method during the Validation step of the manual configuration process for DigiCert certificates.

For more information, see our DigiCert SSL Certificates Knowledgebase.

Multi-Year SSL Certificates

In WHMCS 8.5 and later, MarketConnect allows you to sell two-year and three-year DigiCert SSL certificates. WHMCS will automatically handle reissuance and reinstallation throughout the order period, including automated emails and renewals.

Reissuance and Installation

Multi-year certificates will require reissuance throughout the life of the certificate. The cron checks for certificates that require reissuance and reissues them. It will also attempt to install automatic and manual reissues automatically (see below).

  • Clients and admins can reissue and install certificates at any time via the Client Area.
  • Admins can reissue and install certificates via the Products/Services tab of the client’s profile in the Admin Area.

After WHMCS automatically or manually reissues a certificate, it will automatically attempt to install it. In WHMCS 8.4 and earlier, installation failures for one-year certificates were silent and did not send notification emails.

In WHMCS 8.5 and later, the system will send the following email templates in the following scenarios:

  • SSL Certificate Issued — The system could not automatically install the certificate after reissuance and it requires manual installation. This template is only for reissuance, not for new SSL orders.
  • SSL Certificate Installed — The system successfully automatically installed the certificate after automatic or manual issuance.
  • SSL Certificate Multi-Year Reissue Due — The system could not automatically reissue the certificate or a reissuance attempt failed.
  • SSL Certificate Validation Manual Intervention — The system could not automatically configure the certificate reissuance because of problems writing to the file or DNS record.

Updating to WHMCS 8.5 or Later

Upgrading to WHMCS 8.5 or later will add the new SslReissues cron task to handle automatic reissuance for two-year and three-year certificates and set its schedule.

The upgrade process will use the annual price to set the two-year and three-year prices.

  • The system will multiply the one-year price by 1.9 to set the two-year price and by 2.8 (or 2.75 for DigiCert-branded certificates) for the three-year price.
  • The Client Area will display all prices as a per-year price.
  • You can update these prices at Configuration () > System Settings > MarketConnect when you click Manage under SSL Certificates.
  • WHMCS installations on WHMCS 8.4 or earlier should not have existing pricing for multi-year certificates. However, if your installation already specifies custom prices for them, the update process may overwrite them.

Supported Client Actions

Clients can perform the following actions at any time in the Client Area:

  • Retrieve and download issued certificates.
  • Update the approver email for a pending certificate.
  • Reissue SSL certificates.

Supported Admin Actions

Admins can perform the following actions:

  • Click Check Status to view the order status. The order information will appear in the displayed output, displaying the Marketplace and remote order statuses.
    • This allows you to see the validation status of the certificate.
    • Check Status will appear for any certificate status other than Cancelled.
  • Click Resend Configuration Email to send a configuration email again. This action appears when the certificate’s remote status is Awaiting Configuration.
  • Click Retrieve Certificate after certificate issuance to view the full certificate to install. Use this if the client did not receive the certificate via email.
  • Click Install Certificate to install or reinstall the certificate on a supported control panel.
  • Click Configure Certificate to manually configure a pending SSL certificate by uploading a CSR and providing administrator contact information.
    • In WHMCS 8.2 and earlier, this supports both email and file DCV.
    • In WHMCS 8.3 and later, this supports email, file, and DNS DCV.

Troubleshooting

cPanel: Key Generation Failed: (XID xxxxxx) You do not have the feature “sslmanager”.

This error message may indicate that the required SSL/TLS features are not enabled on the cPanel hosting account.

  • You must enable the SSL/TLS feature in WHM for all cPanel packages that will use SSL automation.
  • After adding the necessary feature to your cPanel packages, you can retry the automated provisioning again by setting the SSL certificate product back to Pending and clicking Resend Configuration Data.

Instant Issuance Failures

Instant Issuance reduces the overall likelihood of issuance failure. However, if an error occurs, it will display when you click View Order for the associated order in the Products/Services tab in the client’s profile:

  • Standard DCV Polling — The Instant Issuance token is not deployable indicates that the system received the instant issuance token from MarketConnect but the hosting control panel could not deploy it.
  • Standard DCV Polling — The Instant Issuance token could not be acquired indicates that MarketConnect failed to provide the instant issuance token.
  • Standard DCV Polling — DigiCert could not validate the Instant Issuance token indicates that DigiCert cannot resolve the domain, cannot find the required file, or the file does not include the expected contents.
  • Standard DCV Polling indicates that another type of error occurred.

All of the above errors also indicate that the system fell back to standard DCV polling to complete the process.

Last modified: May 31, 2024