This page demonstrates the complete flow of the Trustico® CaaS cPanel plugin from a fresh installation through to SSL Certificate issuance, verification, and the update process. Every step shown here was performed on a live test server using a real Sectigo Domain Validation (DV) SSL Certificate with Wildcard and DNS-01 validation.
Purpose : This walkthrough serves as a reference for server administrators, support teams, and anyone evaluating the plugin. It documents the expected behaviour at every stage so you know exactly what to expect.
Step 1 : Installation
The plugin is installed on a cPanel server via a single command run as root over Secure Shell (SSH). The installer downloads the plugin package from the Trustico® content delivery network, verifies the ACME client integrity using SHA-256 checksum verification, copies all files into the cPanel theme directory, registers the plugin, and rebuilds the icon sprites.
curl -sLO https://cdn.trustico.com/caas/cpanel/install.sh && sudo bash install.sh
The installer output confirms each step with a summary showing the plugin version, ACME client version, and the location in cPanel where customers can find the plugin.
After installation, the plugin appears under the "Security" section in every cPanel account on the server. No per-user setup is required.
Step 2 : Opening the Plugin
When a customer opens the plugin for the first time, they see the Trustico® Certificate as a Service page with a single dropdown labeled "Select Your Virtual Host." No other sections are visible until a virtual host is selected.
The page is clean and uncluttered. There are no previous job status indicators, no stale data, and no error messages. The customer link at the top directs visitors to the commercial SSL Certificate advantages page on the Trustico® website.
Step 3 : Selecting a Virtual Host
When the customer selects their virtual host from the dropdown, three coverage tables appear below showing the current SSL Certificate status for that domain.
Virtual Host Status
The Virtual Host Status table shows the SSL Certificate currently installed on the virtual host. It displays the domain name, the issuer (Certificate Authority), the expiry date with the number of days remaining, and the overall status. A green "Active" label indicates the SSL Certificate is valid and currently protecting the domain.
Website Domains
The Website Domains table shows all domain names associated with the virtual host that visitors use to access the website. Each row has a checkbox for selecting which domain names to include on the new SSL Certificate. The base domain (example.com) is checked by default.
The Status column shows whether each domain name is covered by the currently installed SSL Certificate. "Active" in green means the domain is protected. "Inactive" in gray means it is not covered.
Service Domains
Below the Website Domains table, a Service Domains table shows cPanel service subdomains such as cpanel, webmail, webdisk, cpcontacts, cpcalendars, and autodiscover. These are automatically secured when the installed SSL Certificate includes a Wildcard Subject Alternative Name (SAN).
Step 4 : Selecting Domain Coverage
For this demonstration, we selected both the base domain (site-test-01.trustico.dev) and the Wildcard entry (*.site-test-01.trustico.dev). Checking the Wildcard checkbox automatically switches the Validation Method dropdown to "DNS-01 for All Domains" and locks it, because Wildcard SSL Certificates require DNS-01 validation.
The Wildcard entry covers all subdomains under the base domain with a single SSL Certificate. Combined with the base domain, this provides complete coverage for the entire virtual host including all service domains.
Step 5 : Completing the Form
The retrieval form has five sections that the customer completes before submitting.
SSL Certificate Type
The customer selects the SSL Certificate type matching their Trustico® order. Four options are available covering Trustico® and Sectigo branded Domain Validation (DV) and Organization Validation (OV) products. The EAB credentials are tied to the specific type purchased, so the selection must match.
Validation Method
The Validation Method was automatically set to "DNS-01 for All Domains" when the Wildcard checkbox was selected. For non-Wildcard requests, the default is "Automatic (Recommended)" which uses HTTP-01 for standard domains.
Processing Timeout
The Processing Timeout defaults to 24 Hours (Recommended). This is the maximum time the background worker will wait for the Certificate Authority (CA) to complete validation. DNS-01 validation typically completes within a few minutes, but the generous default ensures the request is not terminated prematurely if the Certificate Authority is experiencing delays.
EAB Credentials
The customer enters their EAB Key ID and EAB HMAC Key from their Trustico® order confirmation e-mail. The HMAC Key field is masked for security. These credentials link the SSL Certificate request to the customer's purchase.
Issuance and AutoSSL Options
SSL Certificate Retrieval defaults to "Standard Issuance (Recommended)" which reinstalls an existing valid SSL Certificate if available, avoiding unnecessary reissuance. "Force Issuance" retrieves a completely new SSL Certificate and Private Key from the Certificate Authority.
cPanel AutoSSL defaults to "Enable Trustico® CaaS Primarily (Recommended)" which excludes the virtual host domains from cPanel AutoSSL, ensuring the paid Trustico® SSL Certificate is not overwritten by a free alternative.
Step 6 : Submission and Processing
After clicking "Retrieve SSL Certificate," the form is replaced by the SSL Certificate Request Status section. The coverage tables are hidden to focus attention on the progress indicator.
The status section shows a pulsing blue indicator with the current step and a running timer. Initially it displays "Requesting SSL Certificate (DNS-01 Validation)..." as the background worker registers the ACME account, creates DNS TXT records for domain validation, and triggers the Certificate Authority to begin verification.
An "Abort" button allows the customer to cancel the request at any time. A "Show Details" button provides access to the technical request log for troubleshooting.
Waiting for Validation
After approximately 30 seconds, the status message changes to "Waiting for the Certificate Authority (CA) to Complete Validation." This indicates that the validation request has been sent and the plugin is polling the Certificate Authority for a result.
The timer continues counting. The customer can close the page at any time during processing. When they return to the plugin, it automatically detects the active request and resumes showing progress.
Polling and Re-Trigger
The plugin polls the Certificate Authority at carefully chosen intervals. For the first 10 minutes, it checks every 60 seconds to allow time for DNS record propagation. After 10 minutes, polling extends to every 5 minutes, and after 40 minutes total, to every 10 minutes.
If the Certificate Authority has not validated the domain within the first 10 minutes, the plugin automatically re-triggers the validation request on each subsequent poll. This addresses a known behaviour where some Certificate Authorities attempt DNS validation once on the initial trigger and do not automatically retry if the DNS record was not yet propagated.
Step 7 : Completion
When the Certificate Authority validates all domain names and issues the SSL Certificate, the status changes to a green "Complete" indicator with the message "Success! SSL Certificate Installed - Automatic Reissue Management Configured - Finished."
At this point, the SSL Certificate has been installed on the virtual host and automatic reissue has been configured. A daily scheduled task will check the SSL Certificate and reissue it before expiry without any action from the customer.
In this demonstration, the entire process from submission to installed SSL Certificate took approximately two and a half minutes. The Certificate Authority validated both the base domain and the Wildcard domain on the first poll after the DNS propagation window.
Step 8 : Dismiss and Verification
Clicking the "Dismiss" button hides the status section and restores the coverage tables. The tables now show the newly installed SSL Certificate with updated issuer, expiry date, and "Active" status labels across all covered domain names.
The Virtual Host Status table confirms the new SSL Certificate is installed with 90 days remaining. All Website Domains and Service Domains covered by the Wildcard show "Active" status, confirming full coverage.
Step 9 : Page Refresh
Refreshing the page after dismissing a completed job returns to a clean state. The dropdown resets to "Select Virtual Host" and no stale job data is displayed. This confirms that the dismiss operation correctly cleaned up the job status on the server.
Selecting the virtual host again shows the coverage tables with the current SSL Certificate status, ready for the customer to submit a new request if needed.
Step 10 : SSL Certificate Verification
The installed SSL Certificate can be independently verified using standard tools. The SSL Certificate shows the correct Subject Common Name, the Sectigo issuer, the expected validity period (90 days), and both Subject Alternative Names covering the base domain and the Wildcard.
The website immediately begins serving HTTPS with the new SSL Certificate. No server restart or manual configuration is required.
Step 11 : Plugin Updates
When a new version of the plugin is released, server administrators update by re-running the same installation command. The installer overwrites the plugin files and the shared ACME client with the new version while preserving all per-user data.
curl -sLO https://cdn.trustico.com/caas/cpanel/install.sh && sudo bash install.sh
After an update, all existing SSL Certificates remain installed, renewal schedules continue operating, and per-user configuration is untouched. The ACME client shared by all users is updated to the new version, and all future renewals use the updated client automatically.
No per-user action is required after an update. Customers do not need to re-enter credentials or reconfigure anything.
Automatic Reissue
After the first successful SSL Certificate retrieval, the plugin configures a daily scheduled task for the cPanel user. This task checks all SSL Certificates managed by the plugin and reissues any that are approaching their expiry date.
The reissue process uses the same ACME account and credentials from the original issuance. No manual intervention is required. When a reissue occurs, the new SSL Certificate is automatically installed on the virtual host, replacing the expiring one.
This is particularly important as the industry transitions to shorter SSL Certificate validity periods. With automated reissue, customers are protected regardless of how frequently their SSL Certificates need to be replaced.
Result : From a fresh server installation to a fully validated, installed, and automatically managed Wildcard SSL Certificate in under three minutes. The plugin handles registration, validation, installation, and ongoing reissue with no manual steps beyond the initial form submission.
