Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
litespeed_wiki:config:ssl-cert-install [2016/08/11 18:00] Jackson Zhang |
litespeed_wiki:config:ssl-cert-install [2018/09/17 17:31] (current) Michael Alegre [Installing an SSL Certificate in LiteSpeed Web Server Native Mode] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== How to install a SSL certificate? ====== | + | ====== Installing an SSL Certificate in LiteSpeed Web Server (Native) ====== |
| - | After you get the SSL certificate, either self signed or signed by a CA, you can configure your server to use the certificate. Please follow the following steps: | + | |
| - | - Create a listener with Secure set to Yes. The official port for SSL is 443, but other port can be used as well. | + | In a control panel environment, LSWS will read the Apache configuration. As long as you have set up SSL certificates correctly in Apache config, LSWS should work the same way. |
| - | - Click on the newly created listener, then go to the SSL Settings. Then set the Private Key File to where the key file is. | + | |
| - | - Then set the Certificate File location, this step is different for self signed certificate and the one signed by a CA. | + | |
| - | * For self signed certificate, you only need to set "Certificate File". | + | |
| - | * For a certificate signed by CA, Usually, it comes with a intermediate certificate file, this certificate is signed by one of the root certificate in a web browser, so your certificate will be trusted by a web browser because the trust relationship among those certificates. You have two ways to install it. | + | |
| - | * One is to set "CA Certificate File" or "CA Certificate Path", "CA certificate file" is the path to the file, "CA Certificate Path" is the the path to the directory holding the intermediate certificate. | + | |
| - | * Another way is to create a chained certificate, set "Certificate File" to the path of "chained.cert", "Chained Certificate" should be set to "Yes". To create the chained certificate, you can concat your certificate file together with the intermediate certificate with a command like: | + | |
| - | cat my.cert ca.cert > chained.cert | + | While in LSWS (native), or while using OpenLiteSpeed, you will need to set up SSL certificate settings in the LSWS Web Admin configuration. This wiki explains how to do so, assuming you have already gotten your SSL certificate (either self-signed, or signed by a CA). |
| - | You also should specify SSL Version and Encryption Level on the same page, SSLv2 is not recommended. After than, you should add virtual host to listener mapping for the web site that you wish to be secured by the SSL certificate, then restart the server, you should be all set. | + | ===== Create a 443 Lister ===== |
| - | If you use a self-signed certificate, the browser will prompt you to accept the certificate, it is normal, if you use a certificate signed by a CA, the browser will accept the certificate automatically without bothering you. | + | Create a listener with **Secure** set to ''Yes''. The official **Port** for SSL is 443, but another port can be used instead. |
| + | {{ :litespeed_wiki:config:lsws-ssl-config1.png?800 |}} | ||
| - | To test it, visit your site %%https://yourdomain.com%% and you will see the green lock sign, which implies the https cert is working. | + | ===== Set up the SSL Certificate ===== |
| + | |||
| + | ==== Self-Signed ==== | ||
| + | Click on the newly created listener, and go to the **SSL** settings tab. Set the self-signed **Private Key File** and **Certificate File** to the location of the key file. If you don't have the self-signed key pair yet, please follow [[litespeed_wiki:config:ssl-private-key|these instructions]] to create a private key, and follow [[litespeed_wiki:config:ssl-self-signed-cert|these instructions]] to create a certificate. | ||
| + | |||
| + | {{ :litespeed_wiki:config:lsws-ssl-config2.png?800 |}} | ||
| + | |||
| + | ==== Certificate-Authority-Signed ==== | ||
| + | A certificate signed by a CA can come in one of two ways: | ||
| + | - with separate intermediate and server/domain certificates | ||
| + | - as a chained certificate with server/domain and intermediate certificates in chained order | ||
| + | |||
| + | An intermediate CA certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a trust-chain that begins at the trusted root CA, through the intermediate and finally ending with the SSL certificate issued to you. An intermediate certificate is signed by one of the root certificates in a web browser, creating a trust relationship among the certificates that allows the web browser to trust your issued certificate. | ||
| + | |||
| + | === Intermediate certificates and server certificate separately === | ||
| + | |||
| + | When you have separate intermediate certificates and server certificate, you can set **Private Key File** and **Certificate File** to the location of the ky file. Then, use either **CA Certificate Path** to define the location of multi intermediate certificates, or **CA Certificate File** to define the intermediate certificate if there is only one. **CA Certificate Path** and **CA Certificate File** are equivalent, and you just need to use one of them, not both. | ||
| + | |||
| + | {{ :litespeed_wiki:config:lsws-ssl-config3.png?800 |}} | ||
| + | |||
| + | === Chained certificate === | ||
| + | If the certificate is a chained certificate, the file that stores the certificate chain must be in PEM format, and the certificates must be in the chained order, from the lowest level (the actual client or server certificate) to the highest level (root) CA. | ||
| + | |||
| + | {{ :litespeed_wiki:config:lsws-ssl-config4.png?800 |}} | ||
| + | |||
| + | You can also combine separate intermediate certificates and a server certificate into a chained certificate yourself and set as above. for example: | ||
| + | ''cat yourdomain.cert ca.cert > chained.pem '' | ||
| + | |||
| + | ===== Testing ===== | ||
| + | |||
| + | If you use a self-signed certificate, the browser will prompt you to accept the certificate. This is normal. If you use a certificate signed by a CA, the browser will accept the certificate automatically without bothering you. | ||
| + | |||
| + | ==== Browser Testing ==== | ||
| + | To test SSL certificates, visit your site ''<nowiki>https://yourdomain.com</nowiki>'' and you will see the green lock sign, which implies the HTTPS certificate is working. | ||
| {{ :litespeed_wiki:config:ssl-glock.png?nolink&600 |}} | {{ :litespeed_wiki:config:ssl-glock.png?nolink&600 |}} | ||
| + | |||
| + | ==== Online SSL Checker ==== | ||
| + | You can also use an online SSL checker, such as [[https://www.ssllabs.com/ssltest/|Qualys SSL Server Test]], to verify an SSL certificate's settings. | ||
| + | |||
| + | ==== OpenSSL Command Line ==== | ||
| + | |||
| + | Alternatively, you can use the Linux command line tool: | ||
| + | openssl s_client -connect example.com:443 -servername example.com | ||
| + | |||
| + | If the certificate is valid a ''Verify return code: 0 (ok)'' line can be observed in the command output. | ||
| + | To check the expiration date of the certificate, run the following command: | ||
| + | # echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates | ||
| + | notBefore=Feb 14 00:00:00 2017 GMT | ||
| + | notAfter=Feb 14 23:59:59 2018 GMT | ||