Installing a Signed SSL Certificate in Webmin
Introduction
This guide explains how to install a signed SSL/TLS certificate in Webmin for securing the Webmin management interface itself or hosted services managed through Webmin.
The document is intended for DevOps engineers, system administrators, and IT teams managing Linux servers in municipal, provincial, or enterprise environments.
Problem
After receiving a signed SSL certificate from a Certificate Authority (CA), administrators often need to replace the default self-signed certificate used by Webmin. Incorrect installation can result in:
- Browser security warnings
- Invalid certificate chain errors
- Failed HTTPS connections
- Service startup issues
A correct installation ensures encrypted and trusted access to the Webmin interface.
Prerequisites
Before starting, ensure you have:
- Root or sudo access to the server
- A signed SSL certificate (
certificate.crt) - The private key used during CSR generation (
private.key) - Intermediate CA bundle if provided (
ca-bundle.crt) - Webmin installed and running
Typical certificate file formats:
certificate.crt
private.key
ca-bundle.crtVerify Certificate Files
Before installation, validate the certificate contents.
Check the certificate
openssl x509 -in certificate.crt -text -nooutVerify the private key
openssl rsa -in private.key -checkVerify modulus match
The certificate and private key must match.
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5The hashes must be identical.
Combine Certificate Chain (Recommended)
Some Certificate Authorities provide intermediate certificates separately.
Create a full chain file:
cat certificate.crt ca-bundle.crt > fullchain.crtInstalling the Certificate in Webmin
Step 1 — Log in to Webmin
Open your browser:
https://your-server:10000Authenticate with an administrative account.
Step 2 — Navigate to SSL Encryption Settings
Go to:
Webmin → Webmin Configuration → SSL Encryption[Placeholder Screenshot — Webmin SSL Encryption menu]
Step 3 — Select Existing Certificate and Key
Under Private key file:
/private.keyUnder Certificate file:
/fullchain.crtExample:
/etc/ssl/webmin/private.key
/etc/ssl/webmin/fullchain.crt[Placeholder Screenshot — Certificate and private key upload form]
Step 4 — Save Configuration
Click:
SaveWebmin will restart its internal miniserv web server automatically.
Alternative: Install via Command Line
You can also configure Webmin certificates directly.
Copy certificate files
mkdir -p /etc/webmin/ssl
cp private.key /etc/webmin/ssl/
cp fullchain.crt /etc/webmin/ssl/Edit Webmin miniserv configuration
Open:
/etc/webmin/miniserv.confUpdate:
keyfile=/etc/webmin/ssl/private.key
certfile=/etc/webmin/ssl/fullchain.crtSave the file.
Restart Webmin
systemctl restart webminOr on older systems:
service webmin restartVerify SSL Installation
Test using OpenSSL:
openssl s_client -connect your-server:10000 -showcertsExpected output should include:
Verify return code: 0 (ok)You can also validate externally using:
- SSL Labs Server Test
- Browser certificate inspection
Common Issues
Certificate Does Not Match Private Key
Error:
SSL routines:X509_check_private_key:key values mismatchCause:
- Wrong private key selected
Solution:
- Use the original key generated during CSR creation
Incomplete Certificate Chain
Symptoms:
- Browser shows “certificate not trusted”
- Intermediate CA missing
Solution:
- Use a combined
fullchain.crt
Webmin Fails to Restart
Check logs:
journalctl -u webminOr:
cat /var/webmin/miniserv.errorSecurity Recommendations
Restrict Webmin Access
Allow only trusted management networks:
Example firewall rule:
ufw allow from 192.168.1.0/24 to any port 10000Disable Weak Protocols
Use modern TLS versions only.
Inside:
Webmin → Webmin Configuration → SSL EncryptionDisable:
- TLS 1.0
- TLS 1.1
Enable:
- TLS 1.2
- TLS 1.3
Conclusion
Installing a signed SSL certificate in Webmin ensures trusted and encrypted administrative access to your Linux systems. Correct certificate chain handling and key validation are essential to avoid browser warnings and service interruptions.
For production environments, always:
- Use trusted CA-issued certificates
- Configure full certificate chains
- Restrict management interface exposure
- Regularly renew certificates before expiration