HostBible includes free Auto‑SSL for standard setups, but if you need an OV/EV certificate, a paid wildcard, or a specific SAN (multi-domain) configuration, you can install your own certificate using BYOC.
What you’ll need (before you start)
Have these items ready:
Domain list to secure
Example:
example.com,www.example.com,api.example.com
For wildcard:
*.example.com (note: wildcard usually does not cover the apex/root domain example.com; you typically include both)
A CSR (Certificate Signing Request)
Begins with:
-----BEGIN CERTIFICATE REQUEST-----
The private key that matches the CSR
Begins with one of:
-----BEGIN PRIVATE KEY----- (PKCS#8)
-----BEGIN RSA PRIVATE KEY----- (RSA)
-----BEGIN EC PRIVATE KEY----- (ECDSA)
The issued certificate from your CA (your “server certificate”)
Begins with:
-----BEGIN CERTIFICATE-----
The CA bundle / intermediate chain
One or more -----BEGIN CERTIFICATE----- blocks (intermediate certs)
Important: HostBible BYOC requires the private key. Keep it secure and share it only with trusted admins.
File formats HostBible BYOC accepts
In most BYOC forms, HostBible expects PEM-formatted values (the base64 blocks with BEGIN/END lines). If your files are .crt, .pem, .cer, .key, that’s usually fine as long as the contents are PEM.
If your CA delivered a DER certificate (binary .cer), convert it to PEM:
openssl x509 -inform der -in certificate.cer -out certificate.pem
If your CA delivered a PFX/P12 file, see the “PFX/P12 extraction” section below.
Step 1 — Generate a CSR and private key (with SAN / wildcard support)
If you already have a CSR and key, skip to Step 2.
Option A (recommended): OpenSSL config file (best for multiple SANs)
Create a file called csr.conf:
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext

[ dn ]
C = US
ST = State
L = City
O = Example Company LLC
CN = example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com
DNS.4 = *.example.com
Generate the private key (RSA 2048):
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out example.com.key
Generate the CSR:
openssl req -new -key example.com.key -out example.com.csr -config csr.conf
Option B: One-liner CSR (good for simple SAN lists)
This works on OpenSSL versions that support -addext:
openssl req -new -newkey rsa:2048 -nodes \
  -keyout example.com.key \
  -out example.com.csr \
  -subj "/C=US/ST=State/L=City/O=Example Company LLC/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com,DNS:*.example.com"
RSA vs ECDSA keys
RSA 2048 is widely compatible.
ECDSA (P-256) is also common, but confirm your CA supports it for your certificate type.
Step 2 — Submit the CSR to your Certificate Authority (CA)
When ordering/reissuing your certificate with your CA:
Paste the CSR exactly (including the BEGIN/END lines).
Confirm the SAN list is correct (all required hostnames included).
Complete your CA’s validation steps.
Download the issued certificate and the intermediate chain (CA bundle).
Step 3 — Make sure your certificate matches your private key
A very common install failure is “key mismatch.”
Quick RSA check (modulus comparison)
openssl rsa -noout -modulus -in example.com.key | openssl md5
openssl x509 -noout -modulus -in example.com.crt | openssl md5
If the hashes match, the key and certificate match.
Key/cert public key check (works for RSA or ECDSA)
openssl pkey -in example.com.key -pubout | openssl sha256
openssl x509 -in example.com.crt -pubkey -noout | openssl sha256
If the hashes match, they belong together.
Confirm SANs are present
openssl x509 -in example.com.crt -noout -text
Look for “Subject Alternative Name” and verify the hostnames you need.
Step 4 — Install your certificate in HostBible (BYOC)
In your HostBible dashboard, open the SSL/TLS settings for the site/domain and choose Bring Your Own Certificate (BYOC). You’ll typically see fields like:
Certificate (CRT / PEM)
Private Key (KEY)
CA Bundle (Intermediate / Chain)
What to paste in each field
1) Certificate (server certificate only)
Paste the single certificate issued for your domain/SANs:
-----BEGIN CERTIFICATE-----
(Your certificate)
-----END CERTIFICATE-----
2) Private Key
Paste the matching private key:
-----BEGIN PRIVATE KEY-----
(Your private key)
-----END PRIVATE KEY-----
3) CA Bundle (intermediate chain)
Paste only the intermediate certificates, in order from closest-to-your-domain upward:
-----BEGIN CERTIFICATE-----
(Intermediate CA #1)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate CA #2, if provided)
-----END CERTIFICATE-----
Tip: Many CAs provide a file named like ca-bundle, intermediate, chain, or similar. That content goes into the CA Bundle field.
If HostBible only provides ONE certificate field
Some BYOC forms use a single “Certificate” field and expect a full chain. In that case paste:
Server certificate first, then
Intermediate(s) immediately after it
(Private key still goes in the private key field.)
Save / deploy
Save the BYOC settings. After deployment, your site should start serving the new certificate.
Step 5 — Verify the certificate is live
From your computer, check what’s currently served:
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates
Confirm:
Subject/SANs match what you expect
Issuer is your CA
Expiration date is correct
Renewal and replacement (no surprises)
BYOC certificates are renewed with your CA. After you renew/reissue with the CA, you must replace the certificate on HostBible with the new one.
Recommended renewal workflow
Renew/reissue at your CA (before the certificate expires).
Decide whether to reuse your existing private key or generate a new one:
Best practice: generate a new private key + CSR for renewals/replacements.
If your CA reissues based on the same CSR, you’ll keep the same private key.
Download the new:
Server certificate
Updated CA bundle/chain (if the CA provides a new one)
In HostBible BYOC:
Paste the new certificate
Paste the correct CA bundle
Paste the matching private key (new key if you generated a new CSR)
Verify again with openssl s_client.
What changes during renewal?
Certificate: always changes
CA bundle: sometimes changes (depends on CA/intermediate rotation)
Private key: changes only if you generated a new CSR/key
Common BYOC issues (and how to fix them)
“Private key does not match certificate”
You’re pasting the wrong key, or you generated a new CSR but kept the old key.
Fix: verify matching using the commands in Step 3, then upload the correct pair.
Browser shows “not trusted” or chain errors
Usually caused by a missing or incorrect intermediate chain.
Fix: upload the correct CA Bundle (intermediates). Make sure it’s PEM blocks and in the proper order.
Your certificate doesn’t cover the right hostname
Fix: reissue with the CA using a CSR that includes the correct SANs.
Remember:
*.example.com typically doesn’t cover example.com (include both if needed).
Your private key has a passphrase and won’t upload
Many platforms require an unencrypted private key for automated TLS.
Convert to an unencrypted key (you’ll be prompted for the passphrase):
openssl pkey -in encrypted.key -out unencrypted.key
You only have a PFX/P12 file
Extract PEM files like this:
# Private key (unencrypted)
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out private.key
# Server certificate
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt
# CA bundle / intermediates
openssl pkcs12 -in certificate.pfx -cacerts -nokeys -out ca-bundle.crt
Then paste each into the matching HostBible BYOC field.
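Added example (not HostBible's own tooling): a shell function that runs the Step 3 checks and the checks behind the common issues above (passphrase-protected key, key mismatch, wrong CA bundle, uncovered hostname) in one pass before you paste anything into the BYOC form. The function names, file names and the make_constructed_fixture helper are assumptions made for this example; the fixture only generates throwaway test certificates.

```shell
# Added example, not HostBible tooling. Usage: byoc_preflight KEY CERT BUNDLE HOST...
# Prints one line per check; returns 0 only if every check passes.
byoc_preflight() {
  local key="$1" crt="$2" bundle="$3" rc=0 h kpub cpub
  shift 3
  # A passphrase-protected key shows ENCRYPTED in its PEM header or Proc-Type line.
  if grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$key"; then
    echo "FAIL private key is passphrase-protected"; return 1
  fi
  # Step 3: key and certificate must carry the same public key (RSA or ECDSA).
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  cpub=$(openssl x509 -in "$crt" -pubkey -noout 2>/dev/null)
  if [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; then echo "OK   key matches certificate"
  else echo "FAIL private key does not match certificate"; rc=1; fi
  # The bundle must hold the issuer of the server certificate. -partial_chain lets an
  # intermediate act as the anchor; -no-CApath keeps the system store out of the result.
  if openssl verify -partial_chain -no-CApath -CAfile "$bundle" "$crt" >/dev/null 2>&1; then
    echo "OK   certificate chains to the CA bundle"
  else echo "FAIL CA bundle does not contain the certificate's issuer"; rc=1; fi
  # -checkhost applies TLS wildcard matching: *.example.com does not match example.com.
  for h in "$@"; do
    if openssl x509 -in "$crt" -noout -checkhost "$h" | grep -q 'does match'; then
      echo "OK   $h is covered"
    else echo "FAIL $h is not covered by the certificate"; rc=1; fi
  done
  return "$rc"
}

# Constructed fixture (throwaway, not real certificates): a test CA standing in for the
# intermediate, a server certificate whose only SAN is *.example.com, and an unrelated key.
make_constructed_fixture() {
  local d="$1"
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n' > "$d/ca.cnf"
  printf '[dn]\nCN=Constructed Test CA\n[v3]\nbasicConstraints=critical,CA:TRUE\n' >> "$d/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
    -keyout "$d/ca.key" -out "$d/ca-bundle.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=Constructed Leaf" \
    -keyout "$d/example.com.key" -out "$d/example.com.csr" 2>/dev/null
  printf 'subjectAltName=DNS:*.example.com\n' > "$d/san.ext"
  openssl x509 -req -in "$d/example.com.csr" -CA "$d/ca-bundle.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -extfile "$d/san.ext" -out "$d/example.com.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
}
```

On your own files, call it as: byoc_preflight example.com.key example.com.crt ca-bundle.crt example.com www.example.com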
Need help?
If you run into installation errors (chain issues, key mismatch, or SAN questions), contact HostBible Support and include:
The domain name
The certificate expiration date
The error message you’re seeing (screenshots help)
(Optional) Your public certificate and CA bundle (avoid sharing the private key unless truly required)
You can reach HostBible at [email protected].
