
How to Install SSL Certificate in Magento 2


Easy Steps to Enable an SSL Certificate in Magento 2

Magento 2 is a popular open-source eCommerce platform built on PHP that provides merchants with flexible tools to create feature-rich online stores. One essential aspect of running an online business is security, especially when handling sensitive customer information like payment details. Installing an SSL certificate in Magento 2 plays a vital role in securing the data transmitted between a website and its visitors.

This comprehensive guide will walk you through the entire process of installing and configuring SSL on Magento 2.

Key Takeaways

  • Magento 2 allows auto-generation of SSL certificates with self-signed or custom options.
  • You can use a free SSL certificate from Let’s Encrypt or purchase one from trusted Certificate Authorities like Comodo, DigiCert, etc.
  • After buying an SSL certificate, you’ll need to install it on your server and configure Magento to use SSL on required pages.
  • SSL can be installed directly on your server or using a reverse proxy like Nginx or Varnish.
  • Enabling SSL in Magento involves updating secure and unsecured base URLs in the admin, enabling HTTPS protocol, and testing checkout and admin pages.
  • You need to flush the cache and may need to update references to external resources to load over HTTPS after enabling SSL.

Why Install an SSL Certificate in Magento 2?

There are several compelling reasons why every Magento 2 store should have an SSL certificate installed:

Encrypted Data Transmission

SSL encrypts all data exchanged between the client’s browser and your web server using industry-standard encryption protocols like TLS. This prevents hackers from stealing sensitive information via man-in-the-middle attacks, and credit card details, login credentials, and other private data remain protected.

Build Customer Trust

The Tune icon in the address bar signals to your customers that your website is secure. This builds trust and makes them confident about shopping in your online store without worries of fraud.

Compliance with Standards

Installing SSL demonstrates compliance with modern web security standards like PCI DSS for payment card data. It also meets privacy regulations like GDPR for protecting user data. This keeps your business safe from penalties.

SEO Ranking Factors

Google has made SSL an important ranking factor. Websites with SSL certificates get a slight boost in search engine results compared to non-HTTPS sites. SSL certificates also give your website a minor advantage over competitors.

Features like HSTS

SSL allows advanced features like HTTP Strict Transport Security (HSTS), which forces web browsers to interact with the site only over an encrypted HTTPS connection. This further fortifies security.

Eliminate Browser Warnings

When visitors access a non-secure HTTP website, browsers like Chrome warn that the connection is not private. SSL removes these warnings and makes your website seem professional.

Prerequisites for Installing SSL on Magento 2

Before starting with SSL installation, your server and Magento 2 store should meet certain prerequisites:

  • You must have a live Magento 2 store installed on a server with PHP and MySQL, running a web server such as Apache or Nginx.
  • Purchase your SSL certificate from a reputed Certificate Authority (CA), such as DigiCert, Comodo, Thawte, etc.
  • Make sure you have the SSL certificate file, intermediate certificates, and private key provided by the CA.
  • The server should support the TLS 1.2+ encryption protocol. Older versions like TLS 1.0/1.1 have vulnerabilities.
  • Your hosting provider or server admin must allow custom SSL certificates to be installed.
  • The domain name should correctly point to your server’s public IP address.
  • You’ll need access to modify SSL and other configuration files on the server.

Step-by-Step Guide to Install SSL Certificate in Magento 2

  • Install SSL Certificate on Apache Server
  • Install SSL on Nginx for Magento 2
  • Use SSL Termination at Reverse Proxy
  • Auto-Generate Self-Signed SSL in Magento 2
  • Set Up Free Custom SSL in Magento 2

Option 1: Install SSL Certificate on Apache Server

If your Magento 2 store is running on an Apache web server, here is how to install the SSL certificate:

Step 1 – Place SSL Certificate Files in Correct Directory

Create a folder called /etc/ssl/certs/ on your Apache server if it doesn’t already exist. Place the certificate file (with .crt extension), private key file (with .key extension), and any intermediate certificate files provided by the CA in this folder. The files are usually named yourdomain.crt, yourdomain.key, intermediate.crt, etc. Keep the private key readable only by root, since anyone who can read it can impersonate your site.

Step 2 – Edit Apache Configuration for SSL

Open the main Apache config file /etc/httpd/conf/httpd.conf and make the following changes:

  • Find the line starting with #LoadModule ssl_module and remove the # to enable SSL module.
  • Add these lines to enable SSL for your Magento 2 website:
SSLEngine On
SSLCertificateFile /etc/ssl/certs/yourdomain.crt
SSLCertificateKeyFile /etc/ssl/certs/yourdomain.key
SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
  • Save and exit the file after making the changes.

Step 3 – Configure Allowed SSL Protocols and Ciphers

For optimal security, limit SSL connections only to modern TLS protocols and strong SSL ciphers.

Add these directives inside the <VirtualHost> section of your Magento 2 website:

SSLProtocol TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

This disables weak protocols like SSLv2/SSLv3 and the older TLS 1.0/1.1 versions. As written, the directive enables TLS 1.2 only, so TLS 1.3 is not offered either.

Step 4 – Restart Apache

For the changes to take effect, restart the Apache service by running:

sudo systemctl restart httpd

The SSL certificate is now active and serving HTTPS traffic on your Magento site.

Option 2: Install SSL on Nginx for Magento 2

If you are running Magento 2 with Nginx, here are the steps to install an SSL certificate:

Step 1 – Place Certificate Files in Directory

Similar to Apache, create a folder /etc/ssl/certs/ if it doesn’t exist, and place the SSL certificate, private key, and intermediate chain files in it.

Step 2 – Update Nginx Server Block Configuration

Open the Nginx server block configuration file for your Magento 2 website. It is usually located at /etc/nginx/sites-available/magento.

Add the following configuration in the server { } block:

listen 443 ssl;
ssl_certificate /etc/ssl/certs/yourdomain.crt;
ssl_certificate_key /etc/ssl/certs/yourdomain.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers on;

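This will enable HTTPS on port 443 and configure other SSL parameters. Nginx has no separate directive for the intermediate chain: the file named in ssl_certificate must contain your certificate followed by the intermediate certificates.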

Step 3 – Redirect HTTP to HTTPS

To force redirection from HTTP to HTTPS, add these lines before the server { } block:

server {
    listen 80;
    server_name www.yourdomain.com;
    return 301 https://$host$request_uri;
}

This permanent redirect will make sure all traffic hits the secure HTTPS URL.

Step 4 – Restart Nginx

Finally, save the config file and restart Nginx to activate the changes:

sudo systemctl restart nginx

The SSL certificate is now installed and working on your Magento 2 storefront.
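
A pre-restart check for the protocol and cipher directives used in Options 1 and 2, as an added example that is not part of the original guide: it flags protocols older than TLS 1.2 and cipher names that the OpenSSL build behind Python's ssl module cannot select. The function names and the sample config are constructed for illustration.

```python
import ssl

PROTOCOL_KEYS = {"ssl_protocols", "sslprotocol"}      # Nginx, Apache mod_ssl
CIPHER_KEYS = {"ssl_ciphers", "sslciphersuite"}
WEAK = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}


def cipher_known(token):
    """True if the local OpenSSL build selects at least one suite for token."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(token)
        return True
    except ssl.SSLError:      # raised when no cipher can be selected
        return False


def enabled_protocols(values):
    """Apply Apache-style all/+name/-name tokens (Nginx uses bare names)."""
    enabled = set()
    for v in values:
        name = v.lstrip("+-").lower()
        names = APACHE_ALL if name == "all" else {name}
        enabled = enabled - names if v.startswith("-") else enabled | names
    return enabled


def lint_tls_config(text):
    """Return (line_no, message) findings for a web server config snippet."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].strip().rstrip(";").split()
        if len(parts) < 2:
            continue
        key, values = parts[0].lower(), parts[1:]
        if key in PROTOCOL_KEYS:
            for p in sorted(enabled_protocols(values) & WEAK):
                findings.append((no, f"weak protocol enabled: {p}"))
        elif key in CIPHER_KEYS:
            for token in "".join(values).strip("'\"").split(":"):
                # Skip list operators (!aNULL, -RC4, +HIGH, @STRENGTH).
                if token and token[0] not in "!-+@" and not cipher_known(token):
                    findings.append((no, f"cipher not selectable by local OpenSSL: {token}"))
    return findings


# Constructed sample, not taken from a real server.
SAMPLE = """\
ssl_protocols TLSv1 TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384;
"""
```

OpenSSL silently ignores cipher names it does not know, so a misspelled entry never causes a startup error; testing each name on its own is what exposes it.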

Option 3: Use SSL Termination at Reverse Proxy

An alternative approach is to terminate SSL at a reverse proxy like Nginx or Varnish before it reaches your Apache/Nginx web servers.

This offloads the encryption overhead from your application servers. The proxy handles SSL while passing regular HTTP to the backend.

Here are the steps for this method:

Step 1 – Configure SSL on Reverse Proxy

Install the SSL certificate on your reverse proxy server by following the Nginx SSL steps shared earlier.

Modify its config to listen on port 443 for HTTPS and forward plain HTTP traffic to your web server on port 80.

Step 2 – Disable Apache/Nginx SSL

Remove any SSL configuration in your Apache or Nginx web server files, as encryption will be handled at the proxy.

Step 3 – Update Base URLs

Your Magento 2 base URLs must be updated from HTTPS to HTTP since SSL terminates at the proxy.

This keeps external traffic encrypted, but traffic between the proxy and the backend servers travels unencrypted, so keep that hop on a private, trusted network.

Step 4 – Test Functionality

Clear caches and test that your website is only accessible over HTTPS. There should be no errors or display issues after removing direct SSL from the web server.

This reverse proxy approach minimizes the load on your web servers while benefiting from SSL security.

Auto-Generate Self-Signed SSL in Magento 2

Magento 2 allows you to auto-generate a self-signed SSL certificate directly within the admin panel.

While self-signed certificates are less trusted compared to commercial ones, they can be useful for testing or development environments.

Here are the steps to auto-generate a self-signed SSL in Magento 2:

Step 1: Login to Magento Admin

  • Go to your Magento 2 admin panel and log in with administrator credentials.

Step 2: Navigate to the SSL Page

  • Go to Stores > Settings > Configuration. Under the General section, choose Web. Click on the SSL tab.

Step 3: Set SSL for the Main Website

  • Under Secure, set Enable SSL to Yes. Choose your root domain under both Base URL and Base Link URL.
  • For example, https://www.yourdomain.com

Step 4: Generate Certificate

  • Expand the Certificate Information section. Set SSL Type to Self-Signed.
  • Enter details like Country, State, City, Organization Name, etc.
  • Finally, click the Generate button, which will create the self-signed certificate.

Step 5: Deploy Changes

  • Click on the Save Config button to save changes. Deploy static content by running this command from your Magento root:
php bin/magento setup:static-content:deploy

Your Magento 2 store now has an auto-generated self-signed SSL active on the front end.

While less trusted than commercial SSL, this approach allows quick HTTPS enablement on your development or staging sites for testing.

How to Set Up Free Custom SSL in Magento 2

Magento also allows users to generate a custom SSL certificate by submitting a Certificate Signing Request (CSR).

You can get this signed for free by a certificate authority like Let’s Encrypt to activate custom SSL:

Generate CSR in Magento

  • Navigate to Stores > Settings > Configuration > Web > SSL tab in your Magento 2 admin.
  • Set SSL type to Custom. Provide required details like Country, City, Organisation, etc.
  • Click on the Generate button to create a CSR code. Copy this CSR code.

Get CSR Signed by Let’s Encrypt

  • Go to the Let’s Encrypt website and paste your CSR code. Follow instructions to validate domain ownership.
  • Once validation is completed, Let’s Encrypt will provide the signed certificate and CA bundle files.

Add Custom SSL Files in Magento

  • Go back to the Magento admin SSL tab. Upload the signed certificate file under Custom Certificate.
  • Also, upload the CA bundle file under Custom CACert.
  • To activate custom SSL, complete other steps, such as changing base URLs to HTTPS, deploying static content, etc.

This allows you to enable trusted SSL on your Magento 2 website without purchasing an SSL certificate.

How to Configure Base URLs After Installing SSL

Once the SSL certificate installation is complete, you must configure your Magento base URLs in the admin panel to switch from HTTP to HTTPS.

This ensures that all traffic only flows via a secure HTTPS connection after adding an SSL certificate.

Here are the steps:

  • Login to Magento 2 admin and go to Stores > Settings > Configuration > General > Web
  • Under Base URLs, set both Base URL and Base Link URL to HTTPS protocol. For example, https://www.yourdomain.com/
  • Under Base URLs (Secure), set Secure Base URL to HTTPS URL.
  • Set Use Secure URLs in Frontend to Yes.
  • Go to Stores > Settings > Configuration > General > General
  • Set Enable HTTPS to Yes.
  • Click on Save Config button to save changes.
  • Deploy static content for updated base URLs:
php bin/magento setup:static-content:deploy

With this, your Magento 2 front end and admin access will only be via HTTPS, ensuring optimal security.

Troubleshooting Common Magento 2 SSL Issues

Sometimes, you may face certain problems after installing an SSL certificate on your Magento 2 website:

Images, CSS not loading

This happens when your Magento base URLs are misconfigured. Double-check that secure and non-secure base URLs are all set to the HTTPS protocol. Clear caches and deploy static content again.

Insecure content warnings

If your website has assets like images hosted on non-HTTPS sources, it will trigger warnings. In your code, replace all such HTTP references with HTTPS.

Website works only on HTTP or HTTPS

Make sure redirection from HTTP to HTTPS is set up properly in the web server config. Also, ensure your Magento base URLs are correctly configured.

SSL certificate not trusted by browsers

If visitors see certificate warnings, your root CA may not be trusted. Install your SSL from reputed CAs like DigiCert, Comodo, and Symantec, which are recognized by all browsers.

SSL protocol errors

Outdated protocols like SSLv3 will not work. Enable only modern TLS 1.2+ protocol in your web server SSL configuration. Also, strong ciphers like AES-256 SHA should be used.

Final Thoughts

Installing an SSL certificate is crucial for securing your Magento 2 store and customer data transmitted across the site. This guide covers various options for adding SSL to Magento running on Apache or Nginx servers.

For complete security and optimal performance, it is highly recommended that you purchase a trusted SSL certificate from a top certificate authority. Properly configuring HTTPS base URLs is also vital after SSL installation.

Implementing encryption with SSL protects your customers’ sensitive information and legitimizes your online business. So, if you haven’t already, make adding SSL a top priority for your live Magento 2 website.

FAQs about Installing SSL on Magento 2

Is SSL required for Magento 2?

Yes, adding an SSL certificate is mandatory for any live Magento 2 website to encrypt connections, protect sensitive data, comply with standards, and gain customer trust. All production Magento sites must run over HTTPS.

Can you use a self-signed SSL certificate?

Magento 2 allows the generation of self-signed SSL certificates. While useful in development, self-signed SSLs are not trusted by browsers and users compared to commercial certificates from trusted CAs.

How do I renew an SSL certificate in Magento 2?

When your SSL certificate is nearing expiry or has expired, you need to renew it with your provider following the same process. Then, upload new files in Magento admin, update the web server config, and you’re done.

Should I use single or wildcard SSL for Magento 2?

A single-domain SSL is cheaper and secures the main domain. A Wildcard SSL certificate secures unlimited subdomains, allowing the use of CDNs. Choose based on your specific needs.

Where do I place the SSL files for Magento 2?

The certificate, private key, and intermediate certificate files should be placed in a folder like /etc/ssl/certs/ in your Apache or Nginx web server.

How do I test if SSL is working in Magento 2?

Clear caches and access your Magento site frontend over HTTPS in the browser. Check for the Tune icon, switch the protocol to HTTPS, and check for the absence of certificate warnings to confirm SSL is active.

Can you have HTTP and HTTPS in Magento 2?

It is recommended that the site be accessible only via HTTPS after adding an SSL certificate. Redirection can be set up from HTTP to HTTPS to force SSL usage, enhancing security.

Priya Mervana


Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.