Skip to main content
Every SSL certificate has a matching private key. The Keys tab is the inventory of those private keys, kept separate from the certs themselves so cPanel can swap one without losing the other. Open it from cPanel home → SecuritySSL/TLS CertificatesKeys.
Keys tab listing every private key with Edit and Delete actions

What’s in the list

Each row is one private key, with:
  • Description. A short label (e.g. CloudFlare Origin Certificate and aktivnistudenti.si). Freely editable.
  • ID. A short hash that cPanel uses to match the key to a certificate or CSR.
  • Key Type. RSA 2048-bit / 4096-bit, ECDSA P-256 / P-384.
  • Actions. Edit, Delete.
The Edit action only lets you change the description; the key bytes themselves are immutable. Delete removes the key from the server.
Don’t delete a key that matches an installed certificate. Without the key, the certificate can’t decrypt incoming traffic and HTTPS breaks on the domain. cPanel doesn’t always warn before deletion.

Generate a new private key

1

Click Generate a Private Key

Top right of the Keys tab.
Generate a New Private Key form
2

Pick the key type

RSA 2,048-bit is the default and works with every CA and every browser. RSA 4,096-bit is slower but more conservative. ECDSA P-256 and ECDSA P-384 are smaller and faster but a few legacy clients don’t accept them; safe choices for new sites today.
3

Add a description (optional)

Helps you find this key later. “DigiCert OV cert for shop.mybrand.com” beats “key-2026-04”.
4

Click Generate

cPanel writes the key to the server and shows it in the list. The matching public key (and certs that use it) live in the Certificates tab and CSR forms.

Upload an existing private key

If you already have a private key from a CSR you generated elsewhere, paste it here so cPanel can match it with the eventual certificate.
1

Click Upload a Private Key

Top right of the Keys tab.
2

Paste or upload the key

Either paste the contents of your .key file into the text area, or use the file picker to select the .key directly.Make sure it’s a private key, not a certificate. The block starts with -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----. If it’s encrypted (-----BEGIN ENCRYPTED PRIVATE KEY-----), you’ll need to decrypt it first; cPanel doesn’t support encrypted keys.
3

Add a description (optional)

Same convention as on generation.
4

Click Save

The key shows up in the list. It can now be paired with a certificate at install time.

How keys, certs, and installs fit together

TabWhat it stores
KeysThe private key. One per cert, generated or uploaded.
CertificatesThe signed cert body. Issued by a CA (or self-signed). References a key by ID.
InstallationThe cert + key + CA bundle pinned to a specific domain. The thing the web server actually serves.
Generating in this tab doesn’t issue a certificate or install anything. It just makes a key the next CSR or self-signed cert can use.

Common issues

The cert was issued against a different key. Either upload the matching key (the one you used to generate the original CSR), or regenerate everything from scratch in the Wizard.
Decrypt it first. On a Linux box with OpenSSL: openssl rsa -in encrypted.key -out decrypted.key. cPanel stores keys unencrypted on disk, secured by filesystem permissions.
You sent an RSA CSR, the CA can only return an RSA-signed cert. To use ECDSA end-to-end, generate an ECDSA key here, generate a new CSR against it on the Requests tab, submit that to the CA.

Need a hand?