WP Engine Products

WordPress Hosting

Boost performance while managing less

WooCommerce

Build faster and sell more with WooCommerce

Agency and Client Management

Automate client billing, reporting, & more

Headless WordPress

Build, deploy, and manage headless sites

View More Products

Solutions

Small Businesses
Enterprises
Agencies
eCommerce

View More Solutions

Website Tools

Smart Plugin Manager
Website Monitoring
Website Tester
WordPress Themes and Tools
Local WordPress Development

Featured Plugins

Advanced Custom Fields

Build rich, custom content editing experiences

WP Migrate

Migrate WordPress sites with confidence

WP Offload Media

Offload media assets & serve them lightning fast

WP Offload SES

Improve email send reliability with Amazon SES

View More Recommended Plugins

WordPress Resources

WP Engine Resources

Articles and videos for help with WordPress

WP Engine Help Docs

Guides for site setup & troubleshooting

Free Website Migration

Automated migration plugin & support

Find a WordPress Agency

Need help? Search our agency directory

Stay Connected

WP Engine Blog
Builder Community
Headless Developer Community
Torque Magazine
Velocitize Magazine

Thought Leadership

Velocitize Talks
Erik Posthuma of Aleph-labs on Web3, Cryptocurrency, & More
Podcast
Press This, the WordPress community podcast
Study
The World’s First Study of the WordPress Economy

Why WP Engine?

Our Platform Technology
Managed WordPress Hosting
Fast WordPress
Secure WordPress
24/7 WordPress Support
About Us
WP Engine Reviews

How You Win with WP Engine

Build faster, protect your brand, and grow your business with the #1 WordPress platform to power remarkable online experiences.

Learn More

Customer Spotlight

Peak Performance With Headless WordPress

Android Authority increases speed 6x by adopting a headless architecture with a WordPress back-end.

All Case Studies

Contact sales

Call Us

+1-512-273-3906 to talk to a sales expert

Request a Quote

Submit a request for a personalized plan recommendation

Let’s Chat

Customer Support

Support Articles
Billing Help
Password Help
Log In for Support
Easiest Migration Ever!

Need Help Choosing a Plan?

We offer solutions for businesses of all sizes. For questions about our plans and products, contact our team of experts. Get in touch

Support Center
Setup A Site
Account & Features
Platform Information
WordPress Help
Troubleshoot
Browse All

Secure Sockets Layer (SSL)

Last updated on September 1st, 2022

HTTPSSSLSSL Certificatestroubleshoot

SSL/TLS certificates enable visitors to connect to your site with HTTPS, a secure protocol for exchanging information on the Internet. An SSL certificate will add a layer of secure encryption to your website, so any information transferred by your website is encrypted. In this article we will explain how to obtain an SSL certificate for your website on the WP Engine platform.

Contents hide
1 About HTTPS, TLS and SSL
2 Check for an SSL
3 Add SSL
4 Let’s Encrypt SSL Certificates
5 Import 3rd-Party SSL Certificate
5.1 Import Using Existing Certificate Files
5.2 Generate New Certificate Signing Request (CSR)
6 Potential SSL Issues
6.1 SSL Issuing Errors
6.2 Cloudflare
6.3 SSL/TLS certificate warnings for Internet Explorer on Windows XP
6.4 Sucuri WAF
6.5 Mixed Content
7 Secure URL Options
7.1 Force SSL Plugins

About HTTPS, TLS and SSL

HTTPS (Hypertext Transfer Protocol Secure) is the protocol for secure communication on the World Wide Web, and it prevents eavesdroppers from seeing information that visitors send or receive over the Internet. HTTPS secures its connections by using SSL/TLS, protocols that authenticate web servers and that encrypt messages sent between browsers and web servers.

TLS (Transport Layer Security) is a cryptographic protocol that provides secure communication over the Internet. HTTPS uses TLS to secure communication for website visitors. TLS provides the following security benefits:

  • Identity authentication — The browser determines whether a web server is the right server, and not an imposter.
  • Privacy — Information between the browser and web server is kept private by using encryption.
  • Data integrity —  Messages between the browser and the web server cannot be altered by others (e.g., during a man-in-the-middle attack).

SSL (Secure Sockets Layer) is the predecessor of TLS. After SSL 3.0, the next upgrade was named TLS 1.0 (instead of SSL 4.0) because the version upgrade was not interoperable with SSL 3.0. Many people refer to TLS as SSL (old habits die hard) or as SSL/TLS, even though all versions of SSL are technically now deprecated.

Review our guide for more information on which TLS versions are currently supported.

Check for an SSL

To determine if you have an SSL certificate installed on your website, visit your domain (for example mycoolwebsite.com) with https:// in front. The “s” in HTTPS stands for “secure”.

  • If you see a secure padlock next to the domain this means your site is secured by an SSL certificate. You can also click on this icon to view certificate details, such as expiration date and issuer.
  • If you see a security warning, this means your site is not secured by an SSL and you will need to add one.
  • If the padlock next to your domain is broken, crossed out, or shows “more info”, this means your site is secured by an SSL but there is mixed content on the page that needs correcting.

You can also test your SSL status with an external tool:

Add SSL

Before adding an SSL to your domain, you’ll need to ensure that the domain has been added to the User Portal and that you’ve pointed DNS for the domain. An SSL cannot be successfully ordered or installed without both of these steps completed.

  1. Open the User Portal
  2. Select the production environment name
  3. Click SSL
  4. Click Add Certificates
  5. Select an item from this SSL Certificate Options list:
  6. Follow the prompts to complete the request process
  7. When the SSL has completed installation, you will receive an email and the SSL options will become available

The process is automated from here. Once the order is placed, our system will verify DNS has been pointed and install the certificate. Certificates typically install within just a few minutes, however in some cases this can take up to 24 hours.

All SSLs ordered through WP Engine default to Auto-Renew and Secure All URLs.

Let’s Encrypt SSL Certificates

Let’s Encrypt offers free domain-validated (DV) single-domain SSL certificates, which are ideal for almost every website. In most cases two Let’s Encrypt certificates need to be ordered for a single site; one for WWW and one for non-WWW.

If you should, but do not see the WWW or non-WWW version of your domain listed here, be sure both variations are added to the User Portal.

Let’s Encrypt certificates expire after 90 days. Our system will attempt to auto-renew these 22 days before expiration.

Ordering a Let’s Encrypt certificate replaces any existing certificates on WP Engine for that domain (EX: 3rd-party certificate).

Import 3rd-Party SSL Certificate

Importing a 3rd-party SSL is necessary for a variety of situations:

  • If you already have a valid SSL certificate you want to use
  • If you need to use a wildcard SSL certificate
  • If you need to use an Extended Validation (EV)
  • If you need to use a Multi-Domain certificate (SAN)

3rd-party SSLs also allow you to secure the domain prior to DNS being pointed to WP Engine. The SSL will not be active until you point DNS to your WP Engine server and add the domain in the User Portal. You may need to use the host file trick to test the SSL before pointing DNS.

To import any 3rd-party SSL successfully, a matching certificate and key file are required. In some cases, there may also be additional intermediate certificates that you must provide.

Lite and Startup plans cannot have a third party SSL certificates imported. However, these plans do support our free Let’s Encrypt SSL offering.

On Shared WP Engine plans, only Production environments can have a domain added and therefore only production can have an SSL installed.

Import Using Existing Certificate Files

If you already have both the SSL certificate and the matching private key file, use these steps. If you’re not sure if you have both matching files, proceed instead with the Generate a New Certificate Signing Request (CSR) steps below.

NOTE

Before importing a certificate, ensure that the domain(s) have been added to the User Portal.

  1. Log in to the User Portal
  2. Select the environment name you wish to upload files for
  3. Click SSL
  4. Select Add Certificates
  5. Under Import using existing certificate files, select Upload Files
  1. Either copy and paste the contents of your existing certificate files into the fields, or select Upload the {key or certificate} file
    • RSA private key (KEY)
      • Paste in the full key including -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
      • If you choose to upload a file instead, key files must be RSA type keys with a .key file type.
    • Certificate (CRT)
      • Only PEM formatted certificates will be accepted in this field. Paste in the full PEM chain including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
      • If you choose to upload a file instead, certificate files must be PEM formatted with .pem, .crt, or .cer file types.
Paste or upload the certificate and key contents in the WP Engine User Portal.
  1. Click Next
  2. Verify the certificate information is valid
    • The correct domain(s) should be listed and selected
    • The certificate validity date should be current, and not expired
  3. Click Next
  4. Choose HTTPS Preferences
    • Secure All URLs (default) will force all URLs to HTTPS once the SSL has been successfully installed. For more information see Secure URL Options below.
  5. Click Upload Certificate

Your certificate and key file will then be reviewed, and if they match they will be installed and activated. If your files do not match, you will receive a notice and the SSL will not be installed or activated.

Generate New Certificate Signing Request (CSR)

This section will help you generate a CSR (Certificate Signing Request) and import your matching certificate file to WP Engine. Generate a CSR and follow these steps if you don’t have a certificate file, don’t have a key file or if you do not have a matching certificate and key file.

Remember, WP Engine needs both a key file and a certificate file that match each other to successfully install an SSL. Generating a CSR will complete the key portion of these requirements for you, so all you have to do is retrieve the matching certificate from the SSL issuer and provide it to us.

NOTE

Before generating a CSR, ensure that the domain(s) have been added to the User Portal.

  1. Log in to the User Portal
  2. Select the environment name you wish to generate a CSR for
  3. Click SSL
  4. Select Add Certificates
  5. Under Generate a new certificate signing request (CSR), select Create CSR
  1. Select the Certificate Type
    • This should match the type of existing SSL that you will be importing
  2. Select the domain(s) the certificate was issued for when it was originally purchased
  3. Fill in the necessary Business Information
  4. Click Generate CSR

NOTE

Our system by default generates 256 bit CSR files, if you need a higher bit CSR reach out to our Support team.

  1. The next page will show your CSR file contents
  2. Confirm the information on the right side of the page is correct
  3. Use Click to copy or Download as .CSR to ensure you copy the full contents of your CSR correctly. The full CSR will include the following text at the top and bottom:
    • -----BEGIN CERTIFICATE REQUEST-----
    • -----END CERTIFICATE REQUEST-----

We suggest leaving this page open in a separate tab or window so you can easily return to it later.

Once you have the CSR, you must provide this to your 3rd party SSL certificate authority. The SSL certificate authority, or issuer, is the company from which you originally purchased the SSL certificate.

  1. Log in to your SSL issuer’s portal, or reach out to their Support team
  2. Request your SSL files for installation on another server, you may need to request that the SSL be re-keyed
  3. Provide the CSR file to the issuer
  4. If the issuer asks for server type, choose Nginx
  5. Your SSL certificate issuer will return a newly generated SSL certificate file(s)
    • There may be multiple files, be sure to save everything the issuer provides
  6. Copy or save any files provided to your local computer in a location where you can easily find them later
    • The full certificate contents will include the following text at the top and bottom:
      • -----BEGIN CERTIFICATE-----
      • -----END CERTIFICATE-----
  1. When you are ready to upload your certificate, return to the WP Engine User Portal
  • If you left the CSR page open previously, simply click Upload Certificate on the right.
  • If you navigated away from the CSR page, the request can be managed again any time from the SSL page in your User Portal. Click the arrow next to a pending request to expand the options to Upload Certificate (CRT), View certificate signing request (CSR), or Delete and Revoke CSR. To upload a certificate, simply click Upload Certificate (CRT).
  1. Paste or upload any certificate files provided by the SSL issuer
  2. Click Next
    • The file will automatically be compared to the CSR for a match. You will be taken to the next page if the files match.
    • If the CSR and the CRT do not match, you will see the message: This certificate did not match the CSR. You will need to copy the CSR again and repeat the steps to retrieve any certificate files from your SSL issuer.
  3. Verify the certificate information is valid
    • The correct domain(s) should be listed and selected
    • The certificate validity date should be current, and not expired
  4. Click Next
  5. Choose HTTPS Preferences
    • Secure All URLs (default) will force all URLs to HTTPS once the SSL has been successfully installed. For more information see Secure URL Options below.
  6. Click Upload Certificate

Potential SSL Issues

When requesting, installing or activating an SSL, it is possible to run into issues. If you experience issues with your SSL, WP Engine Support is available 24x7x365 to assist and we’ve provided some additional troubleshooting information below.

SSL Issuing Errors

If your SSL request fails to process automatically, a Support ticket will be generated titled “Certificate Domain Validation Error” or “Certificate Authority Error.” If you experience these errors make sure your DNS is pointed correctly to WP Engine, and that your domain does not redirect to another domain.

Let’s Encrypt also does not issue certificates for high-risk domain names—those that resemble well-known banks or brands (EX: wellsfargo.world or cocacola.info) or for sites that Google tags as unsafe.

Cloudflare

If you are using Cloudflare, you will also need to configure SSL settings in their dashboard. Read more here about configuring an SSL when using Cloudflare.

SSL/TLS certificate warnings for Internet Explorer on Windows XP

WP Engine uses Server Name Indication (SNI) for SSL/TLS certificates. SNI provides an efficient way to configure certificates, and it works well with most browsers. However, visitors that use Internet Explorer on Windows XP may see the following error. It’s best to use an alternate up-to-date browser.

Sucuri WAF

Sucuri’s firewall service may prevent your SSL from processing, due to an additional DNS layer. Please contact the Sucuri team directly to request enabling the Forward Certificate Validation to Hosting option. This will allow your Let’s Encrypt certificate request to process normally.

Mixed Content

Mixed content is media or other links on pages within your website that are not properly secured by SSL. These links use http instead of https when loaded onto the page and will cause an insecure warning on some parts of a website. Mixed content is easy to correct, see our correcting mixed content guide for more information.

Secure URL Options

To see your SSL options simply click on the domain name to expand the options. The option “secure all URLs” is selected on an SSL ordered through WP Engine by default.

This option tells our platform to automatically serve HTTP page requests secured with HTTPS. One important thing to note when you choose this option is to ensure you are not using any force SSL plugins.

You will also have the option to select “Secure Specific URLs”. If you choose this option you will need to use RegEx to ensure those URLs are secured properly.

Force SSL Plugins

Force SSL plugins can cause redirect loops when their settings conflict with the settings on the SSL dashboard. We recommend that you leverage the settings that we provide in the SSL dashboard as they work server side and have been tested extensively with our platform. Using settings directly at a server level keep the force SSL functionality on Nginx, making it faster and more effective.

How do I know if I use a force SSL plugin?

It’s possible for plugins not specifically dealing with security to to include such a setting. For example, WooCommerce offers an option to force the use of SSL. In general, to find plugins that could be forcing https usage on your website:

  1. Log into your site’s WordPress Admin
  2. Visit the Plugin page
  3. Look for any plugin that mentions Securing Pages, HTTPS, or SSL

Common Force SSL Plugins

  • Force SSL
  • WP Force SSL
  • WordPress HTTPS
  • Verve SSL
  • Really Simple SSL
  • Easy HTTPS Redirection

NEXT STEP: How to fix mixed content errors

Enterprise-grade security and performance for all

Global Edge Security provides a managed web application firewall (WAF), advanced DDOS mitigation, CDN, and automatic SSL installation all powered by Cloudflare.

Get the add-on

Talk to a specialist
Chat with us!