Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
litespeed_wiki:config:ssl-cert-install [2018/09/10 16:18] Jackson Zhang [Testing] |
litespeed_wiki:config:ssl-cert-install [2018/09/17 17:31] (current) Michael Alegre [Installing an SSL Certificate in LiteSpeed Web Server Native Mode] |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== How to install a SSL certificate on LSWS native mode? ====== | + | ====== Installing an SSL Certificate in LiteSpeed Web Server (Native) ====== |
| - | On control panel environment, LSWS will read apache configuration. As far as you set SSL certificates correctly in apache config, LSWS should word as the same way as apache. While in LSWS native/OLS, you will need to set up SSL certificate settings in LSWS Web Admin configuration. | + | In a control panel environment, LSWS will read the Apache configuration. As long as you have set up SSL certificates correctly in Apache config, LSWS should work the same way. |
| - | After you get the SSL certificate, either self signed or signed by a CA, you can configure your server to use the certificates. This wiki will explain to you all steps for such configurations. | + | While in LSWS (native), or while using OpenLiteSpeed, you will need to set up SSL certificate settings in the LSWS Web Admin configuration. This wiki explains how to do so, assuming you have already gotten your SSL certificate (either self-signed, or signed by a CA). |
| - | ===== Create 443 lister ===== | + | ===== Create a 443 Lister ===== |
| - | Create a listener with Secure set to Yes. The official port for SSL is 443, but other port can be used as well.{{ :litespeed_wiki:config:lsws-ssl-config1.png?800 |}} | + | Create a listener with **Secure** set to ''Yes''. The official **Port** for SSL is 443, but another port can be used instead. |
| + | {{ :litespeed_wiki:config:lsws-ssl-config1.png?800 |}} | ||
| - | ===== Setup SSL certificate ===== | + | ===== Set up the SSL Certificate ===== |
| + | |||
| + | ==== Self-Signed ==== | ||
| + | Click on the newly created listener, and go to the **SSL** settings tab. Set the self-signed **Private Key File** and **Certificate File** to the location of the key file. If you don't have the self-signed key pair yet, please follow [[litespeed_wiki:config:ssl-private-key|these instructions]] to create a private key, and follow [[litespeed_wiki:config:ssl-self-signed-cert|these instructions]] to create a certificate. | ||
| - | ==== Self-signed certificate ==== | ||
| - | Click on the newly created listener, then go to the SSL Settings. Then set the self-signed "Private Key File" and "Certificate File" to where the key file is. If you don't have the self-signed key pair yet, please follow [[litespeed_wiki:config:ssl-private-key|here]] to create a private key and follow [[litespeed_wiki:config:ssl-self-signed-cert|here]] to create a certificate. | ||
| {{ :litespeed_wiki:config:lsws-ssl-config2.png?800 |}} | {{ :litespeed_wiki:config:lsws-ssl-config2.png?800 |}} | ||
| - | ==== CA certificate ==== | + | ==== Certificate-Authority-Signed ==== |
| - | For a certificate signed by a certificate authority (CA), it comes either with intermediate certificates and your server/domain certificate. An intermediate CA certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificate separately or combined as chain certificate as the right order. The result is a trust-chain that begins at the trusted root CA, through the intermediate and finally ending with the SSL certificate issued to you. file or Chained certificate. An intermediate certificate is signed by one of the root certificates in a web browser, so your certificate will be trusted by a web browser because of the trust relationship among those certificates. | + | A certificate signed by a CA can come in one of two ways: |
| + | - with separate intermediate and server/domain certificates | ||
| + | - as a chained certificate with server/domain and intermediate certificates in chained order | ||
| + | |||
| + | An intermediate CA certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a trust-chain that begins at the trusted root CA, through the intermediate and finally ending with the SSL certificate issued to you. An intermediate certificate is signed by one of the root certificates in a web browser, creating a trust relationship among the certificates that allows the web browser to trust your issued certificate. | ||
| === Intermediate certificates and server certificate separately === | === Intermediate certificates and server certificate separately === | ||
| - | When you have separate intermediate certificates and server certificate, you can configure "Private Key File" and "Certificate File" to where the key file is and use either "CA Certificate Path" to define the location of multi intermediate certificates' location, or "CA Certificate File" to define the intermediate certificate if it is only one. "CA Certificate Path" and "CA Certificate File" are the equivalent setting and you just need to use one of them, but not both of them. | + | When you have separate intermediate certificates and server certificate, you can set **Private Key File** and **Certificate File** to the location of the ky file. Then, use either **CA Certificate Path** to define the location of multi intermediate certificates, or **CA Certificate File** to define the intermediate certificate if there is only one. **CA Certificate Path** and **CA Certificate File** are equivalent, and you just need to use one of them, not both. |
| {{ :litespeed_wiki:config:lsws-ssl-config3.png?800 |}} | {{ :litespeed_wiki:config:lsws-ssl-config3.png?800 |}} | ||
| === Chained certificate === | === Chained certificate === | ||
| - | If the certificate is a chained certificate, the file that stores a certificate chain must be in PEM format, and the certificates must be in the chained order, from the lowest level (the actual client or server certificate) to the highest level (root) CA | + | If the certificate is a chained certificate, the file that stores the certificate chain must be in PEM format, and the certificates must be in the chained order, from the lowest level (the actual client or server certificate) to the highest level (root) CA. |
| {{ :litespeed_wiki:config:lsws-ssl-config4.png?800 |}} | {{ :litespeed_wiki:config:lsws-ssl-config4.png?800 |}} | ||
| - | You can also combined separate tntermediate certificates and server certificate to a chained certificate yourself and set as above. for example: | + | You can also combine separate intermediate certificates and a server certificate into a chained certificate yourself and set as above. for example: |
| - | cat yourdomain.cert ca.cert > chained.pem | + | ''cat yourdomain.cert ca.cert > chained.pem '' |
| - | ==== Testing ==== | + | ===== Testing ===== |
| - | If you use a self-signed certificate, the browser will prompt you to accept the certificate, it is normal, if you use a certificate signed by a CA, the browser will accept the certificate automatically without bothering you. | + | If you use a self-signed certificate, the browser will prompt you to accept the certificate. This is normal. If you use a certificate signed by a CA, the browser will accept the certificate automatically without bothering you. |
| - | To test ssl certificates, visit your site %%https://yourdomain.com%% and you will see the green lock sign, which implies the https cert is working. | + | ==== Browser Testing ==== |
| + | To test SSL certificates, visit your site ''<nowiki>https://yourdomain.com</nowiki>'' and you will see the green lock sign, which implies the HTTPS certificate is working. | ||
| {{ :litespeed_wiki:config:ssl-glock.png?nolink&600 |}} | {{ :litespeed_wiki:config:ssl-glock.png?nolink&600 |}} | ||
| - | You can also use some online ssl checker to verify ssl certificates settings, such as https://www.ssllabs.com/ssltest/. | + | ==== Online SSL Checker ==== |
| + | You can also use an online SSL checker, such as [[https://www.ssllabs.com/ssltest/|Qualys SSL Server Test]], to verify an SSL certificate's settings. | ||
| + | |||
| + | ==== OpenSSL Command Line ==== | ||
| - | Alternatively, you can use Linux command line tool: | + | Alternatively, you can use the Linux command line tool: |
| openssl s_client -connect example.com:443 -servername example.com | openssl s_client -connect example.com:443 -servername example.com | ||
| - | If the certificate is valid Verify return code: 0 (ok) line can be observed in the command output. | + | If the certificate is valid a ''Verify return code: 0 (ok)'' line can be observed in the command output. |
| - | To check the expiration date of the certificate run the following command: | + | To check the expiration date of the certificate, run the following command: |
| # echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates | # echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates | ||
| notBefore=Feb 14 00:00:00 2017 GMT | notBefore=Feb 14 00:00:00 2017 GMT | ||
| notAfter=Feb 14 23:59:59 2018 GMT | notAfter=Feb 14 23:59:59 2018 GMT | ||