====== Installing an SSL Certificate in LiteSpeed Web Server (Native) ======

In a control panel environment, LSWS reads the Apache configuration. As long as the SSL certificates are set up correctly in the Apache config, LSWS should work the same way.

In LSWS (native), or when using OpenLiteSpeed, you need to set up the SSL certificate settings in the LSWS Web Admin configuration. This wiki explains how to do so, assuming you already have your SSL certificate (either self-signed, or signed by a CA).

===== Create a 443 Listener =====

Create a listener with **Secure** set to ''Yes''. The official **Port** for SSL is 443, but another port can be used instead.

{{ :litespeed_wiki:config:lsws-ssl-config1.png?800 |}}

===== Set up the SSL Certificate =====

==== Self-Signed ====

Click on the newly created listener, and go to the **SSL** settings tab. Set **Private Key File** and **Certificate File** to the locations of the self-signed key and certificate files.

If you don't have the self-signed key pair yet, please follow [[litespeed_wiki:config:ssl-private-key|these instructions]] to create a private key, and follow [[litespeed_wiki:config:ssl-self-signed-cert|these instructions]] to create a certificate.

{{ :litespeed_wiki:config:lsws-ssl-config2.png?800 |}}

==== Certificate-Authority-Signed ====

A certificate signed by a CA can come in one of two ways:
  - with separate intermediate and server/domain certificates
  - as a chained certificate with server/domain and intermediate certificates in chained order

An intermediate CA certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a trust chain that begins at the trusted root CA, passes through the intermediate, and ends with the SSL certificate issued to you.
An intermediate certificate is signed by one of the root certificates trusted by the web browser, creating a trust relationship among the certificates that allows the web browser to trust your issued certificate.

=== Intermediate certificates and server certificate separately ===

When you have separate intermediate certificates and a server certificate, set **Private Key File** and **Certificate File** to the locations of the private key and server certificate files. Then, use either **CA Certificate Path** to define the location of multiple intermediate certificates, or **CA Certificate File** to define the intermediate certificate if there is only one.

**CA Certificate Path** and **CA Certificate File** are equivalent; you only need to use one of them, not both.

{{ :litespeed_wiki:config:lsws-ssl-config3.png?800 |}}

=== Chained certificate ===

If the certificate is a chained certificate, the file that stores the certificate chain must be in PEM format, and the certificates must be in chained order, from the lowest level (the actual client or server certificate) to the highest level (root) CA.

{{ :litespeed_wiki:config:lsws-ssl-config4.png?800 |}}

You can also combine separate intermediate certificates and a server certificate into a chained certificate yourself and configure it as above. For example:

  cat yourdomain.cert ca.cert > chained.pem

===== Testing =====

If you use a self-signed certificate, the browser will prompt you to accept the certificate. This is normal. If you use a certificate signed by a CA, the browser will accept the certificate automatically without prompting you.

==== Browser Testing ====

To test SSL certificates, visit your site ''https://yourdomain.com'' and you will see the green lock sign, which implies the HTTPS certificate is working.

{{ :litespeed_wiki:config:ssl-glock.png?nolink&600 |}}

==== Online SSL Checker ====

You can also use an online SSL checker, such as [[https://www.ssllabs.com/ssltest/|Qualys SSL Server Test]], to verify an SSL certificate's settings.

==== OpenSSL Command Line ====

Alternatively, you can use the Linux command line tool:

  openssl s_client -connect example.com:443 -servername example.com

If the certificate is valid, a ''Verify return code: 0 (ok)'' line can be observed in the command output.

To check the expiration date of the certificate, run the following command:

  # echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
  notBefore=Feb 14 00:00:00 2017 GMT
  notAfter=Feb 14 23:59:59 2018 GMT
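
The chained order required under "Chained certificate" can also be checked from the command line before pointing the listener at the file. The script below is an added example, not part of the original wiki or of LiteSpeed; the function names ''split_pem'' and ''check_chain_order'' are made up for illustration, and it compares issuer/subject name hashes only, without verifying signatures.

```shell
#!/bin/sh
# Added example (hypothetical helper names): check that a PEM bundle is
# ordered server certificate -> intermediate(s) -> root.
# Usage: check_chain_order chained.pem   (exit status 0 = in order)

# split_pem FILE DIR: write each certificate in FILE to DIR/cert-N.pem
# and print how many certificates were found.
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# check_chain_order FILE: return 0 if every certificate's issuer name matches
# the subject name of the certificate that follows it, 1 if the order is
# wrong, 2 if the file contains no certificates.
check_chain_order() {
    local file tmp count i issuer next_subject
    file=$1
    tmp=$(mktemp -d) || return 2
    count=$(split_pem "$file" "$tmp")
    if [ "$count" -lt 1 ]; then
        echo "no certificates found in $file" >&2
        rm -rf "$tmp"; return 2
    fi
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash)
        next_subject=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject_hash)
        if [ "$issuer" != "$next_subject" ]; then
            echo "out of order: certificate $i is not issued by certificate $((i + 1))" >&2
            rm -rf "$tmp"; return 1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return 0
}
```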