Securing Plesk and the Mail Server With SSL/TLS Certificates

SSL/TLS certificates protect sensitive data by encrypting connections between the client and the server. Moreover, having a valid SSL/TLS certificate is practically a requirement on today's Internet. To improve security and give your customers peace of mind, we strongly recommend protecting Plesk and the Plesk mail server with SSL/TLS certificates. This topic explains how to secure both Plesk and the Plesk mail server with a free SSL/TLS certificate from Let's Encrypt, an SSL/TLS certificate purchased from a certificate authority, or a self-signed SSL/TLS certificate.

During installation, both Plesk and the Plesk mail server are automatically secured with a free self-signed SSL/TLS certificate. This allows for encrypting connections to Plesk and the Plesk mail server so that, for example, passwords could not be intercepted in transit. However, self-signed SSL/TLS certificates come with a drawback. Anyone visiting a Plesk server secured with a self-signed SSL/TLS certificate is shown a warning telling them that the website is not trusted, which may cause concern. To avoid this, we recommend securing Plesk and the Plesk mail server with either a free SSL/TLS certificate from Let's Encrypt or an SSL/TLS certificate purchased from a certificate authority.

Note: If you secure the Plesk mail server with an SSL/TLS certificate, make sure to use the domain name for which the certificate was issued when connecting to the mail server, and advise your customers to do the same. Otherwise, the mail client software may be unable to verify the mail server identity, which may cause issues when sending or receiving mail.

Securing Plesk and the Mail Server With a Certificate From Let's Encrypt

Let’s Encrypt is an open certificate authority providing free SSL/TLS certificates. You can easily secure both Plesk and the Plesk mail server with SSL/TLS certificates using the free Let’s Encrypt extension.

When you install or upgrade the Let’s Encrypt extension, if Plesk is secured with a self-signed certificate, the extension automatically replaces it with a valid SSL/TLS certificate from Let’s Encrypt. The extension does not automatically secure the Plesk mail server.

If you want to replace a valid certificate issued by a certificate authority with one from Let’s Encrypt, follow the steps below.

To secure Plesk and the mail server with a certificate from Let’s Encrypt:

1. Install the Let’s Encrypt extension if it is not installed.
2. Go to Tools & Settings > SSL/TLS Certificates (under "Security").
3. Click the + Let's Encrypt button.
4. Make sure that the email address in the “Email address” field is correct. This email address will be used to send important notifications.
5. Click Install.

   At this stage, the certificate from Let’s Encrypt has been generated and used to secure Plesk automatically.

6. To secure the mail server, click the [Change] link next to “Certificate for securing mail”.
7. Select the “Lets Encrypt certificate (server pool)” from the drop-down list, and click OK.

Now both Plesk and the Plesk mail server are secured with the certificate from Let’s Encrypt.

Note: In Plesk for Linux, when Let’s Encrypt replaces the default self-signed certificate, in Tools & Settings > SSL/TLS Certificates the name of the certificate used to secure Plesk is changed to “Lets Encrypt certificate”. In Plesk for Windows, the default certificate name is changed to “Lets Encrypt certificate” only after you reload the Tools & Settings > SSL/TLS Certificates web page in the browser.

Securing Plesk and the Mail Server With a Certificate From Other Certificate Authorities

Apart from Let’s Encrypt, you can secure Plesk and the Plesk mail server with an SSL/TLS certificate from a certificate authority of your choice.

To secure Plesk and the mail server with a certificate from other certificate authorities:

1. Go to Tools & Settings > SSL/TLS Certificates (under "Security") and click the + Add button.
2. Fill in the fields marked with the asterisk. Pay particular attention to the following fields:
   • “Certificate name”. Give the certificate a recognizable name so you can tell it apart from other certificates in the server repository.
   • “Bits”. The more bits, the more secure the certificate. We recommend using the default value (4096).
   • “Domain name”. Make sure that the name in this field matches the server hostname.
3. If all the provided information is accurate, click Request.

   Plesk will generate a private key and a certificate signing request and display them in under “List of certificates in server pool”.

4. Find the certificate under “List of certificates in server pool” and click its name. This will open a page showing the certificate properties.

Copy the whole content of the “CSR” section (including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----) to clipboard.

1. Visit the website of the certificate authority of your choice and start a certificate ordering procedure. When you are prompted for the CSR, paste the data from clipboard. The certificate authority will create an SSL/TLS certificate in accordance with the information you provided. When you receive your SSL/TLS certificate, save it on your local machine or network.
2. Go to Tools & Settings > SSL/TLS Certificates, click Choose file under “Upload the certificate here”, select the saved .crt file, and then click Upload Certificate.
3. To secure Plesk, click the [Change] link next to “Certificate for securing Plesk”. Select the certificate generated during step 3 from the drop-down list, and then click OK.
4. To secure the mail server, repeat the previous step for “Certificate for securing mail”.

Securing Plesk and the Mail Server With a Self-Signed Certificate

As we explained earlier, self-signed SSL/TLS certificates are never trusted. It is always preferable to use an SSL/TLS certificate from Let's Encrypt or a paid SSL/TLS certificate from a different certificate authority. However, you can secure Plesk and the mail server with a self-signed SSL/TLS certificate, if desired.

To secure Plesk and the mail server with a self-signed certificate:

1. Go to Tools & Settings > SSL/TLS Certificates (under "Security") and click the + Add button.
2. Fill in the fields marked with the asterisk. Pay particular attention to the following fields:
   • “Certificate name”. Give the certificate a recognizable name so you can tell it apart from other certificates in the server repository.
   • “Bits”. The more bits, the more secure the certificate. We recommend using the default value (4096).
   • “Domain name”. Make sure that the name in this field matches the server hostname.
3. If all the provided information is accurate, click Self-Signed. Plesk will generate a self-signed certificate and display it in “List of certificates in server pool”.
4. To secure Plesk, click the [Change] link next to “Certificate for securing Plesk”. Select the certificate generated during the previous step from the drop-down list, and then click OK.
5. To secure the mail server, repeat the previous step for “Certificate for securing mail”.