This tutorial shows you how to generate a CSR on LiteSpeed using the OpenSSL command line.
LiteSpeed Web Server (LSWS Enterprise) and OpenLiteSpeed do not have a built-in CSR wizard: their WebAdmin consoles expect file paths to an existing private key and certificate. You generate both files with OpenSSL on the LiteSpeed host, submit the CSR to your Certificate Authority, then reference the issued certificate and the matching key in the listener’s SSL tab.
The steps below work on every modern Linux distribution that hosts LiteSpeed (Ubuntu, Debian, RHEL, AlmaLinux, Rocky Linux, CentOS Stream, CloudLinux), since each ships with OpenSSL 1.1.1 or OpenSSL 3.x. Both versions sign the request with SHA-256 by default, so you do not need to add a digest flag.
Step 1: Connect to your LiteSpeed server
Open Terminal on macOS or Linux, or PowerShell or Windows Terminal on Windows, and connect to the server over SSH. Replace the user name and host with your own:
ssh your-user@your-litespeed-server
Generate the CSR on the same server that will run the LiteSpeed listener. The private key is created next to the CSR and must stay on that server, so running the command on your laptop and then copying the key around defeats the purpose. The default LSWS install lives under /usr/local/lsws/, and a common convention is to keep certificate material in /usr/local/lsws/conf/ssl/. Create that directory if it does not exist, then change into it:
sudo mkdir -p /usr/local/lsws/conf/ssl
cd /usr/local/lsws/conf/ssl
Step 2: Generate the private key and CSR
If you have already generated your CSR with another tool, skip to installing the certificate on LiteSpeed.
Run the following OpenSSL command. It creates a 2048-bit RSA key and a CSR in one step, with the subject and Subject Alternative Names (SANs) supplied inline so OpenSSL does not stop to ask questions:
sudo openssl req -new -newkey rsa:2048 -nodes \
-keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=YourState/L=YourCity/O=YourCompany/CN=yourdomain.com" \
-addext "subjectAltName=DNS:yourdomain.com,DNS:www.yourdomain.com"
What each part does:
- -newkey rsa:2048 generates a new 2048-bit RSA key. 2048-bit is the current minimum that public CAs accept; you can use rsa:4096 for a larger key, or switch to ECDSA (see below).
- -nodes leaves the private key unencrypted. This is required on LiteSpeed: the WebAdmin listener cannot start with a passphrase-protected key.
- -keyout and -out name the private key and the CSR files. Keep the .key and .csr extensions so the LiteSpeed listener fields and your CA’s order form recognize them.
- -subj supplies the certificate subject. Put your real company name, state, and city here, not the placeholders. CN (Common Name) is your primary domain.
- -addext “subjectAltName=…” lists every hostname the certificate must cover. Public CAs validate against the SAN list, so include the Common Name here too.
Replace yourdomain.com with your actual domain throughout. To cover extra hostnames, add them to the SAN list separated by commas, for example DNS:api.yourdomain.com. For a wildcard certificate, include both the wildcard and the bare domain: DNS:*.yourdomain.com,DNS:yourdomain.com. Use only alphanumeric characters in the subject fields, and use the official two-letter country code for the C field.
If you prefer an ECDSA key (smaller and faster, with P-256 widely supported), generate the key and CSR like this instead:
sudo openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
-keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=YourState/L=YourCity/O=YourCompany/CN=yourdomain.com" \
-addext "subjectAltName=DNS:yourdomain.com,DNS:www.yourdomain.com"
If you would rather answer prompts one field at a time, run sudo openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr with no -subj and no -addext. OpenSSL will ask for each field in turn. When it does:
- Country Name (C): the two-letter ISO code of your country, for example US or GB. For Business Validation or Extended Validation certificates, this must be the official country of registration of your organization.
- State or Province Name (ST): the full name, for example California. Do not abbreviate.
- Locality Name (L): the city or town, for example San Francisco.
- Organization Name (O): the official registered name of your company, for example GPI Holding LLC. For Domain Validation certificates you can enter NA.
- Organizational Unit Name (OU): this field is deprecated and ignored by public CAs. Leave it blank by pressing Enter.
- Common Name (CN): the Fully Qualified Domain Name the certificate is for, for example www.yourdomain.com. For a wildcard, use *.yourdomain.com.
- Email Address: optional and not used by public CAs. You can leave it blank.
- A challenge password and An optional company name: both are obsolete attributes that public CAs ignore. Leave them blank.
Without the -addext flag the resulting CSR will have no SAN entries. Public CAs validate against the SAN list and will reject (or silently override) a request without one, so the recommended path is the inline -subj plus -addext command above.
Step 3: Locate your files and lock down the key
List the current directory to confirm both files were created:
ls
You should see two new files:
- yourdomain.key: your private key. Keep it on the server, back it up securely, and never send it to anyone, including the Certificate Authority. Whoever holds the key can impersonate your site.
- yourdomain.csr: your Certificate Signing Request. This is the file you submit to the SSL provider.
Restrict the private key so only the file owner can read it, and make sure the LiteSpeed admin user (lsadm by default) can still read both files when the listener loads them:
sudo chmod 600 yourdomain.key
sudo chown lsadm:lsadm yourdomain.key yourdomain.csr
Step 4: Verify the CSR (optional but recommended)
Before you submit it, check that the CSR contains the right subject and SANs and that its signature is valid. This decodes the request locally with OpenSSL:
openssl req -noout -text -verify -in yourdomain.csr
Confirm that the Subject line shows your details, that X509v3 Subject Alternative Name lists every hostname you expect, and that the signature check prints verify OK. The signature algorithm should read sha256WithRSAEncryption (or ecdsa-with-SHA256 for an ECDSA key). If you would rather not use the command line, paste the CSR into our online CSR decoder to read the same fields in a browser.
Step 5: Submit your CSR
To copy the CSR for your order, print its contents:
cat yourdomain.csr
You will see a block of text like this:
-----BEGIN CERTIFICATE REQUEST-----
MIICyzCCAbMCAQAwTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQsw...
...(many more lines of base64 characters)...
-----END CERTIFICATE REQUEST-----
Copy the entire block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines (each marker has five hyphens on either side). That whole block is your CSR. Paste it into the order form during your purchase, and keep the matching private key in place on the server.
If you would rather not use the command line, you can also build the request with our online CSR Generator. Note that it generates the private key in your browser, so save that key yourself and move it to the LiteSpeed server.
After your CA validates the request, you will receive your certificate. Depending on the validation level this takes a few minutes for Domain Validation, or up to several business days for Business Validation and Extended Validation.
Step 6: Reference the key and certificate in LiteSpeed
When the certificate arrives, place the issued certificate and the CA bundle on the server next to the key, then point the LiteSpeed listener at them. In the LSWS WebAdmin console (typically at https://your-server-ip:7080), open Listeners, click your HTTPS listener, switch to the SSL tab, and edit the SSL Private Key & Certificate section:
- Private Key File: /usr/local/lsws/conf/ssl/yourdomain.key
- Certificate File: /usr/local/lsws/conf/ssl/yourdomain.crt
- CA Certificate File: /usr/local/lsws/conf/ssl/yourdomain.ca-bundle (the intermediates)
Save, then click Graceful Restart on the WebAdmin Dashboard to apply the change without dropping existing connections. OpenLiteSpeed uses the same fields under each listener’s SSL tab and the same Graceful Restart button in the top-right corner. For the full installation walkthrough, see our guide on how to install an SSL certificate on LiteSpeed.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


