Installing an SSL Certificate in LiteSpeed Web Server (Native)

In a control panel environment, LSWS will read the Apache configuration. As long as you have set up SSL certificates correctly in Apache config, LSWS should work the same way.

In LSWS (native) or OpenLiteSpeed, however, you will need to set up the SSL certificate settings in the LSWS Web Admin configuration. This wiki explains how to do so, assuming you have already obtained your SSL certificate (either self-signed, or signed by a CA).

Create a 443 Listener

Create a listener with Secure set to Yes. The official port for SSL is 443, but another port can be used instead.

Set up the SSL Certificate

Self-Signed

Click on the newly created listener, and go to the SSL settings tab. Set Private Key File and Certificate File to the locations of the self-signed key file and certificate file. If you don't have the self-signed key pair yet, please follow these instructions to create a private key, and follow these instructions to create a certificate.

Certificate-Authority-Signed

A certificate signed by a CA can come in one of two ways:

  1. with separate intermediate and server/domain certificates
  2. as a chained certificate with server/domain and intermediate certificates in chained order

An intermediate CA certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a trust chain that begins at the trusted root CA, passes through the intermediate, and ends with the SSL certificate issued to you. An intermediate certificate is signed by one of the root certificates in a web browser, creating a trust relationship among the certificates that allows the web browser to trust your issued certificate.

Intermediate certificates and server certificate separately

When you have separate intermediate certificates and a server certificate, set Private Key File and Certificate File to the locations of the key file and the server certificate file. Then, use either CA Certificate Path to define the location of multiple intermediate certificates, or CA Certificate File to define the intermediate certificate if there is only one. CA Certificate Path and CA Certificate File are equivalent, and you just need to use one of them, not both.

Chained certificate

If the certificate is a chained certificate, the file that stores the certificate chain must be in PEM format, and the certificates must be in the chained order, from the lowest level (the actual client or server certificate) to the highest level (root) CA.

You can also combine separate intermediate certificates and a server certificate into a chained certificate yourself and set it as above. For example:

cat yourdomain.cert ca.cert > chained.pem
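
The following is an added example, not part of the original wiki or of LiteSpeed's tooling: it checks that a chained PEM is in leaf-first order and that the private key belongs to the server certificate before the files are set on the listener's SSL tab. File names follow the cat command above; the function names, the stand-in CA and the keys are constructed for the demonstration, and the order check compares issuer and subject names only, without verifying signatures.

```shell
#!/bin/sh
# Added example. File names follow the page's `cat` command; the CA and keys
# below are constructed test data.

# Pass when each certificate in the bundle names the next one as its issuer
# (leaf first). Compares issuer/subject names only; signatures are not verified.
check_chain_order() (
    dir=$(mktemp -d) || exit 2
    trap 'rm -rf "$dir"' EXIT
    # Split the bundle into 1.pem, 2.pem, ... in file order.
    n=$(awk -v d="$dir" '/BEGIN CERTIFICATE/{n++} n{print > (d "/" n ".pem")} END{print n+0}' "$1")
    [ "$n" -ge 1 ] || { echo "$1: no certificates found" >&2; exit 2; }
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject_hash)
        if [ "$issuer" != "$subject" ]; then
            echo "$1: certificate $i was not issued by certificate $((i + 1))" >&2
            exit 1
        fi
        i=$((i + 1))
    done
)

# Pass when the private key ($1) is the key pair of the certificate ($2).
key_matches_cert() (
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
)

# Constructed sample: a self-signed stand-in CA (ca.cert) and a leaf it signs.
make_demo_chain() (
    cd "$1" || exit 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate CA" \
        -keyout ca.key -out ca.cert 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=yourdomain.com" \
        -keyout yourdomain.key -out yourdomain.csr 2>/dev/null
    openssl x509 -req -in yourdomain.csr -CA ca.cert -CAkey ca.key -CAcreateserial \
        -days 1 -out yourdomain.cert 2>/dev/null
)

work=$(mktemp -d) && make_demo_chain "$work"
cat "$work/yourdomain.cert" "$work/ca.cert" > "$work/chained.pem"   # order from the page
cat "$work/ca.cert" "$work/yourdomain.cert" > "$work/reversed.pem"  # wrong order
check_chain_order "$work/chained.pem" && echo "chained.pem: order ok"
check_chain_order "$work/reversed.pem" || echo "reversed.pem: rejected"
key_matches_cert "$work/yourdomain.key" "$work/yourdomain.cert" && echo "key matches certificate"
```

A bundle that fails the order check, or a key that does not match the certificate, is worth fixing before it is set as Private Key File and Certificate File.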

Testing

If you use a self-signed certificate, the browser will prompt you to accept the certificate. This is normal. If you use a certificate signed by a CA, the browser will accept the certificate automatically without bothering you.

Browser Testing

To test SSL certificates, visit your site https://yourdomain.com and you will see the green lock sign, which implies the HTTPS certificate is working.

Online SSL Checker

You can also use an online SSL checker, such as Qualys SSL Server Test, to verify an SSL certificate's settings.

OpenSSL Command Line

Alternatively, you can use the Linux command line tool:

openssl s_client -connect example.com:443 -servername example.com

If the certificate is valid, a "Verify return code: 0 (ok)" line appears in the command output. To check the expiration date of the certificate, run the following command:

# echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
notBefore=Feb 14 00:00:00 2017 GMT
notAfter=Feb 14 23:59:59 2018 GMT
 
litespeed_wiki/config/ssl-cert-install.txt · Last modified: 2018/09/17 17:31 by Michael Alegre