Home » Wiki » How to Assign SSL for Mail/Webmail on Domain via Plesk CLI

How to Assign SSL for Mail/Webmail on Domain via Plesk CLI

by | SSL Certificate

Assign SSL for Mail/Webmail

How to Assign an Existing SSL for Mail and Webmail on Domain in Plesk via CLI?

Securing email and webmail on your domains is crucial for protecting your users’ privacy and data. One key way to achieve this is by assigning an SSL/TLS certificate. This encrypts traffic between the client and your mail server using HTTPS, preventing interception of credentials and messages.

Plesk provides an interface for assigning certificates through its GUI. However, automation, repeatability, and advanced users can be done through Plesk’s command line utility. This guide will walk through the complete process of assigning an existing SSL certificate to mail services on a domain in Plesk using the CLI.

Key Takeaways

  • An SSL certificate encrypts traffic and secures connections to your mail server and webmail, preventing the snooping of sensitive data.
  • To assign an existing SSL certificate in Plesk using the CLI, you’ll need to connect via SSH and use the Plesk bin SSL commands.
  • The main steps are uploading your existing SSL files, selecting the domain to assign it to, and enabling the certificate for mail services like POP3, IMAP, and SMTP.
  • You can check the assignment worked by accessing webmail and mail clients using HTTPS and checking for Tune icon indicating encryption is active.
  • Assigning SSL certificates via the CLI provides more flexibility than using the Plesk GUI and is necessary for automated provisioning.

Prerequisites

  • Access to your Plesk server via SSH.
  • An existing SSL certificate (+ key) in PEM format. This could be a self-signed cert for testing or purchased from a commercial CA.
  • Administrative access to Plesk for your domain’s subscription.
  • A mail domain already created in Plesk that you want to assign the certificate to.

5 Easy Steps to Assign SSL for Mail/Webmail on Domain via Plesk CLI

  • Upload the SSL Certificate Files
  • View Available Certificates
  • Select Domain to Assign Certificate
  • Enable Certificate for Mail Services
  • Check Assignment Was Successful

Step 1 – Upload the SSL Certificate Files

Connect to your server via SSH using a terminal client like PuTTY. Then use plesk bin to upload your certificate files:

plesk bin ssl upload --crtpath /path/to/example.crt --keypath /path/to/example.key

Replace the sample paths with the full path on your server’s filesystem to the .CRT and .KEY files for your certificate.

This will upload them into Plesk’s certificate storage, making them available for assignment.

Step 2 – View Available Certificates

Before assigning your certificate, check it is available by listing the certificates known to Plesk:

plesk bin ssl list

This will display all certificates issued by Plesk’s internal CA or those you have uploaded. Verify that your certificate is present and shows the correct details.

Step 3 – Select Domain to Assign Certificate

Next, specify which domain you want to assign the certificate to with the select command:

plesk bin ssl select --name example.com --cert-name "My Company LLC Certificate"

Replace example.com with your domain and the descriptive cert-name with your value shown in the previous step.

This selects the target domain but still needs to install the certificate.

Step 4 – Enable Certificate for Mail Services

Now enable the selected certificate for securing mail services on the domain:

plesk bin ssl enable-for-mail

This will install the certificate for protocols like POP3, IMAP, and SMTP that Plesk’s mail server uses.

Step 5 – Check Assignment Was Successful

Check HTTPS and the certificate is working on webmail by browsing to:

https://webmail.yourdomain.com

You should see a Tune icon, and the certificate details should match what you installed.

Additionally, the account can be added to a local mail client like Outlook or Thunderbird using SSL security. The client should connect and encrypt the session automatically.

If you get certificate warnings or errors, there may have been an issue with the assignment. Double-check your steps and domain name configuration in Plesk.

Troubleshooting Common Problems

Here are some common issues and fixes when assigning SSL certificates through Plesk CLI:

Can’t Connect to Server Over SSH

  • Ensure SSH is enabled on the server, port 22 is open in firewalls, and you are using the right credentials.

Error Uploading Certificate Files

  • Double-check the paths that point to the valid .CRT and .KEY files on the disk.
  • Ensure you have write permission to Plesk’s /var/certificates folder.

Certificate Not Showing In Available List

  • After upload, run the plesk bin ssl list command again to refresh the list.
  • You may need to restart the Plesk services for it to detect the new cert.

Webmail Not Loading Over HTTPS

  • Try clearing your browser cache in case it has old non-HTTPS redirects cached.
  • Ensure the domain has port 443 open and accessible externally for HTTPS.

Mail Client SSL Connection Failures

  • Make sure you enabled the certificate for mail protocols in Step 4.
  • The mail client may be trying to use an old self-signed cert that is still cached. Delete and re-add the account.
  • Check for any firewalls blocking SMTP/IMAP/POP3 port access.

Final Thoughts

Assigning existing SSL certificates to domains is crucial for securing webmail, SMTP, IMAP, and other services for your users against attacks. While Plesk’s GUI provides basic options, utilizing the plesk bin ssl cli commands gives you advanced flexibility for automated provisioning.

Following the steps outlined in this guide, you should now be able to upload an existing certificate, either from a commercial CA or self-signed, and assign it to any domain hosted in Plesk. Enabling it for core mail protocols ensures your users can access both webmail and mail clients like Outlook securely over HTTPS.

Frequently Asked Questions

Can I assign multiple SSL certificates in Plesk?

Yes, you can upload and assign multiple SSL certificates to different domains and services in Plesk using the CLI. The select command chooses which cert to use per domain.

Do self-signed certificates work the same?

Self-signed certificates can be used for encryption between client and server. However, as a trusted CA does not issue them, users will see warnings that the connection needs to be more trusted.

Where does Plesk store uploaded certificates?

Certificates and keys are stored in /var/certificates on the Plesk server’s filesystem, requiring write permissions to that folder.

How do I automate SSL assignments in Plesk?

You can script or integrate CLI commands like plesk bin ssl upload and enable-for-mail into provisioning tools like Ansible, allowing automatic SSL configuration on domain creation.

Can I install wildcard SSL certificates in Plesk?

Yes, Wildcard SSL certificates with a matching *.yourdomain.com can be installed the same way. The select command would specify the apex domain, securing subdomains too.

Does CLI assignment replace Plesk’s SSL addon?

No, the CLI provides an alternative to the GUI add-on. For some purposes, like automation, the CLI may be preferable. But the GUI add-on also has benefits, like SAN/Multi-domain SSL certificates.

Where can I buy SSL certificates for use with Plesk?

You can purchase SSL certificates that work with Plesk from certificate authorities like DigiCert, Sectigo, Globalsign, and RapidSSL. Just ensure it provides the .CRT and .KEY files.

How often should I renew or replace SSL certificates?

It is recommended that public SSL certificates be replaced every 1-2 years, as older certificates may use outdated hashing algorithms. Self-signed certificates can be generated more frequently.

Priya Mervana

Priya Mervana

Verified Badge Verified Web Security Experts

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.