An SSL/TLS certificate encrypts the connection between your visitors' browsers and your server, turning http:// into https://. It protects login credentials, payment data, and form submissions, and it's a baseline expectation for any modern site — browsers flag plain HTTP pages as "Not secure," and search engines treat HTTPS as a ranking signal.
This tutorial covers installing a certificate three common ways — cPanel AutoSSL, Let's Encrypt on Nginx, and Let's Encrypt on Apache — then forcing every request onto HTTPS and enabling HSTS. The steps work on any standards-compliant host, including Skyline Cloud hosting.
Before you start
Make sure of the following:
- DNS resolves to your server. Your domain's A (and AAAA, if you use IPv6) record must point to the server's public IP. Certificate authorities verify domain control over ports 80/443, so this must be live first.
- Ports 80 and 443 are open in your firewall and security group.
- You have shell or panel access. cPanel users need the control panel; VPS and dedicated users need SSH with
sudo.
You can check where your domain resolves with:
dig +short A example.sa
Choosing a certificate type
| Type | Validation | Best for |
|---|---|---|
| Domain Validated (DV) | Domain control only | Blogs, small business, most sites |
| Organization Validated (OV) | Business identity check | Corporate sites |
| Extended Validation (EV) | Full legal vetting | Banks, large e-commerce |
| Wildcard | Covers *.example.sa |
Many subdomains |
For most sites a free DV certificate from Let's Encrypt is sufficient. If you need OV/EV or a wildcard with guaranteed support, Skyline issues managed certificates as part of your hosting plan.
Option 1 — cPanel with AutoSSL (easiest)
If your site runs on shared or managed cPanel hosting, AutoSSL handles everything automatically.
- Log in to cPanel.
- Under Security, open SSL/TLS Status.
- Tick the domains you want covered and click Run AutoSSL.
- Within a few minutes the padlock turns green and a free DV certificate is installed and set to auto-renew.
To install a certificate you bought elsewhere, go to SSL/TLS → Manage SSL sites, paste the certificate (CRT), private key (KEY), and CA bundle, then click Install Certificate.
Option 2 — Let's Encrypt on Nginx (VPS / cloud server)
On a cloud server or VPS, use Certbot. On Ubuntu/Debian:
sudo apt update
sudo apt install certbot python3-certbot-nginx -y
Issue and auto-configure the certificate in one command:
sudo certbot --nginx -d example.sa -d www.example.sa
Certbot validates the domain, obtains the certificate, edits your server block, and offers to set up the HTTPS redirect. Choose 2: Redirect when prompted to force HTTPS automatically.
If you prefer to wire it up manually, your server block should reference the issued files:
server {
listen 443 ssl;
server_name example.sa www.example.sa;
ssl_certificate /etc/letsencrypt/live/example.sa/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.sa/privkey.pem;
# Modern TLS only
ssl_protocols TLSv1.2 TLSv1.3;
root /var/www/example.sa;
index index.html index.php;
}
Test and reload:
sudo nginx -t && sudo systemctl reload nginx
Option 3 — Let's Encrypt on Apache
Install the Apache plugin:
sudo apt install certbot python3-certbot-apache -y
sudo certbot --apache -d example.sa -d www.example.sa
Certbot creates an SSL virtual host and, when you choose redirect, adds the HTTPS rule for you. The generated <VirtualHost *:443> block references SSLCertificateFile and SSLCertificateKeyFile under /etc/letsencrypt/live/.
Forcing HTTPS
Installing a certificate doesn't stop visitors from reaching the insecure http:// version. You must redirect all HTTP traffic to HTTPS with a permanent (301) redirect.
Nginx — add a dedicated port-80 block:
server {
listen 80;
server_name example.sa www.example.sa;
return 301 https://$host$request_uri;
}
Apache — in your .htaccess or virtual host:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
cPanel — under Domains → Force HTTPS Redirect, toggle the switch on for each domain.
Enable HSTS
HTTP Strict Transport Security tells browsers to only connect over HTTPS, eliminating the brief insecure first request and protecting against downgrade attacks. Add the header once your redirect is confirmed working.
Nginx (inside the 443 server block):
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Start with a shorter max-age while testing, then raise it. Only add includeSubDomains once every subdomain serves HTTPS.
Verify everything works
- Visit
http://example.sa— it should redirect tohttps://. - Confirm the padlock and a valid certificate in the browser.
- Check the redirect and headers from the terminal:
curl -sI http://example.sa | grep -i location
curl -sI https://example.sa | grep -i strict-transport
- Run an external scan (such as SSL Labs) to confirm an A grade, correct chain, and no mixed content.
If pages still show "Not secure," look for mixed content — assets (images, scripts, CSS) hard-coded with http://. Update them to https:// or protocol-relative URLs.
Renewal
Let's Encrypt certificates last 90 days. Certbot installs a systemd timer or cron job automatically; confirm it with:
sudo certbot renew --dry-run
cPanel AutoSSL and Skyline managed certificates renew on their own, so there's nothing to track.
Data residency note
If your audience is in Saudi Arabia or the GCC, hosting and terminating TLS in-Kingdom keeps traffic and certificate keys on infrastructure aligned with PDPL, NCA, and SDAIA requirements — with local Arabic support if anything needs attention. That's the model behind Skyline's cloud and business email hosting. For more on certificate types, chains, and troubleshooting, see our SSL certificates resource hub.
Get started
Spin up a cloud server, web hosting, or managed WordPress plan with SSL included and in-Kingdom data residency. Create your account on Skyline Cloud and secure your site today.
Comments
0 total · 0 threads