> ## Documentation Index
> Fetch the complete documentation index at: https://help.noxity.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Keys

> The private keys stored on the server. Generate a new one, upload an existing one, edit the description, or delete unused keys.

Every SSL certificate has a matching private key. The Keys tab is the inventory of those private keys, kept separate from the certs themselves so cPanel can swap one without losing the other.

Open it from cPanel home → **Security** → **SSL/TLS Certificates** → **Keys**.

<Frame caption="Keys tab with the Keys on Server table">
  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/ssl-tls-certificates/keys/listing-light.png" alt="Keys tab listing every private key with Edit and Delete actions" className="block dark:hidden" />

  <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/ssl-tls-certificates/keys/listing-dark.png" alt="Keys tab listing every private key with Edit and Delete actions" className="hidden dark:block" />
</Frame>

## What's in the list

Each row is one private key, with:

* **Description.** A short label (e.g. **CloudFlare Origin Certificate and aktivnistudenti.si**). Freely editable.
* **ID.** A short hash that cPanel uses to match the key to a certificate or CSR.
* **Key Type.** RSA 2048-bit / 4096-bit, ECDSA P-256 / P-384.
* **Actions.** Edit, Delete.

The **Edit** action only lets you change the description; the key bytes themselves are immutable. **Delete** removes the key from the server.

<Warning>
  Don't delete a key that matches an installed certificate. Without the key, the certificate can't decrypt incoming traffic and HTTPS breaks on the domain. cPanel doesn't always warn before deletion.
</Warning>

## Generate a new private key

<Steps>
  <Step title="Click Generate a Private Key">
    Top right of the Keys tab.

    <Frame>
      <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/ssl-tls-certificates/keys/generate-light.png" alt="Generate a New Private Key form" className="block dark:hidden" />

      <img src="https://mintlify.s3.us-west-1.amazonaws.com/noxity/images/cpanel/security-settings/ssl-tls-certificates/keys/generate-dark.png" alt="Generate a New Private Key form" className="hidden dark:block" />
    </Frame>
  </Step>

  <Step title="Pick the key type">
    `RSA 2,048-bit` is the default and works with every CA and every browser. `RSA 4,096-bit` is slower but more conservative. `ECDSA P-256` and `ECDSA P-384` are smaller and faster but a few legacy clients don't accept them; safe choices for new sites today.
  </Step>

  <Step title="Add a description (optional)">
    Helps you find this key later. "DigiCert OV cert for shop.mybrand.com" beats "key-2026-04".
  </Step>

  <Step title="Click Generate">
    cPanel writes the key to the server and shows it in the list. The matching public key (and certs that use it) live in the [Certificates tab](/web-hosting/cpanel/security-settings/ssl-tls-certificates/certificates) and CSR forms.
  </Step>
</Steps>

## Upload an existing private key

If you already have a private key from a CSR you generated elsewhere, paste it here so cPanel can match it with the eventual certificate.

<Steps>
  <Step title="Click Upload a Private Key">
    Top right of the Keys tab.
  </Step>

  <Step title="Paste or upload the key">
    Either paste the contents of your `.key` file into the text area, or use the file picker to select the `.key` directly.

    Make sure it's a private key, not a certificate. The block starts with `-----BEGIN PRIVATE KEY-----` or `-----BEGIN RSA PRIVATE KEY-----`. If it's encrypted (`-----BEGIN ENCRYPTED PRIVATE KEY-----`), you'll need to decrypt it first; cPanel doesn't support encrypted keys.
  </Step>

  <Step title="Add a description (optional)">
    Same convention as on generation.
  </Step>

  <Step title="Click Save">
    The key shows up in the list. It can now be paired with a certificate at install time.
  </Step>
</Steps>

## How keys, certs, and installs fit together

| Tab                                                                                     | What it stores                                                                                    |
| --------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
| Keys                                                                                    | The private key. One per cert, generated or uploaded.                                             |
| [Certificates](/web-hosting/cpanel/security-settings/ssl-tls-certificates/certificates) | The signed cert body. Issued by a CA (or self-signed). References a key by ID.                    |
| [Installation](/web-hosting/cpanel/security-settings/ssl-tls-certificates/installation) | The cert + key + CA bundle pinned to a specific domain. The thing the web server actually serves. |

Generating in this tab doesn't issue a certificate or install anything. It just makes a key the next CSR or self-signed cert can use.

## Common issues

<AccordionGroup>
  <Accordion title="&#x22;Key does not match certificate&#x22;">
    The cert was issued against a different key. Either upload the matching key (the one you used to generate the original CSR), or regenerate everything from scratch in the [Wizard](/web-hosting/cpanel/security-settings/ssl-tls-certificates/wizard).
  </Accordion>

  <Accordion title="My encrypted key won't upload">
    Decrypt it first. On a Linux box with OpenSSL: `openssl rsa -in encrypted.key -out decrypted.key`. cPanel stores keys unencrypted on disk, secured by filesystem permissions.
  </Accordion>

  <Accordion title="ECDSA key, but the CA only signed an RSA cert">
    You sent an RSA CSR, the CA can only return an RSA-signed cert. To use ECDSA end-to-end, generate an ECDSA key here, generate a new CSR against it on the [Requests tab](/web-hosting/cpanel/security-settings/ssl-tls-certificates/requests), submit that to the CA.
  </Accordion>
</AccordionGroup>

## Need a hand?

<CardGroup cols={2}>
  <Card title="Open a ticket" icon="life-ring" href="https://members.noxity.io/submitticket.php">
    Best for anything that needs an account check or a config change on our end.
  </Card>

  <Card title="Live chat" icon="messages" href="https://noxity.io/contact">
    Faster for quick questions during business hours.
  </Card>
</CardGroup>
