In this tutorial, you will learn how to install an SSL certificate on Lighttpd. The guide covers the current configuration (separate certificate and private key with the mod_openssl module), the legacy combined-PEM method for older builds, and a quick configuration test before you restart.
We also recorded a video that walks you through the entire process. If you prefer the text version, keep reading below.
Generate a CSR code on Lighttpd
We’ll begin with CSR (Certificate Signing Request) generation. A CSR is a block of encoded text you send to a Certificate Authority to apply for an SSL certificate. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR on Lighttpd.
Open the CSR file with any text editor and copy its contents, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, into the corresponding box during the SSL order process. Submit the CSR to the Certificate Authority and wait for validation. After the CA issues your SSL certificate, continue with the installation below.
Install an SSL certificate on Lighttpd
Step 1: Prepare your certificate files
After validation, the Certificate Authority emails you the certificate files. Download the archive and extract it. You should have:
- yourdomain.crt, your primary SSL certificate.
- yourdomain.ca-bundle, the intermediate certificates (the CA bundle).
- yourdomain.key, the private key you generated with the CSR.
Lighttpd recommends that the file referenced by ssl.pemfile contain the full certificate chain: your certificate first, followed by the intermediate certificates. Create that combined chain file, then move both it and the private key into a directory Lighttpd can read (for example /etc/lighttpd/ssl/):
cat yourdomain.crt yourdomain.ca-bundle > yourdomain.fullchain.pem
sudo mkdir -p /etc/lighttpd/ssl
sudo cp yourdomain.fullchain.pem yourdomain.key /etc/lighttpd/ssl/
Restrict the private key so only root can read it:
sudo chmod 600 /etc/lighttpd/ssl/yourdomain.key
Step 2: Enable mod_openssl
Since version 1.4.56, TLS support in Lighttpd lives in a loadable module called mod_openssl (other backends such as mod_mbedtls, mod_wolfssl, mod_gnutls, and mod_nss also exist). Load it in your main configuration file before the SSL socket block:
server.modules += ( "mod_openssl" )
Note: on Lighttpd 1.4.55 and earlier, TLS was compiled in rather than loaded as a module, so you can skip this line on those builds. Check your version with lighttpd -v.
Step 3: Edit lighttpd.conf
Open the main configuration file (the path is usually /etc/lighttpd/lighttpd.conf) with your preferred editor:
sudo nano /etc/lighttpd/lighttpd.conf
Add a socket block for port 443. On current Lighttpd (1.4.56+), keep the certificate chain and the private key in separate files: point ssl.pemfile at the full-chain file and ssl.privkey at the key. This is the format most Certificate Authorities deliver, and it is the configuration Lighttpd recommends.
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/yourdomain.fullchain.pem"
ssl.privkey = "/etc/lighttpd/ssl/yourdomain.key"
# Minimum TLS version (ssl-conf-cmd needs lighttpd 1.4.48+; TLS 1.2 is already the default on 1.4.56+)
ssl.openssl.ssl-conf-cmd = ( "MinProtocol" => "TLSv1.2" )
}
- ssl.engine turns on TLS for this socket.
- ssl.pemfile holds your certificate followed by the intermediate chain.
- ssl.privkey holds the private key. It is required since version 1.4.53 whenever the key is not inside the pemfile.
To redirect plain HTTP to HTTPS so visitors always reach the secure version, add a redirect for port 80 (this needs mod_redirect, which is loaded by default on most distributions):
$SERVER["socket"] == ":80" {
url.redirect = ( "^/(.*)" => "https://yourdomain.com/$1" )
}
Save and close the file.
Legacy method: combined PEM and ssl.ca-file
Older Lighttpd 1.4.x builds (before 1.4.53) used a single combined PEM that contained both the certificate and the private key concatenated together, with the intermediate chain supplied separately through ssl.ca-file. If you are maintaining one of those older systems, build the combined file like this:
cat yourdomain.crt yourdomain.key > /etc/lighttpd/ssl/yourdomain.pem
Then reference it in the socket block:
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/ssl/yourdomain.pem"
ssl.ca-file = "/etc/lighttpd/ssl/yourdomain.ca-bundle"
}
On current Lighttpd, prefer the separate ssl.pemfile and ssl.privkey form from Step 3 and keep the full chain in the pemfile. The ssl.ca-file directive was renamed ssl.verifyclient.ca-file in version 1.4.60, since its real purpose is verifying client certificates rather than serving the server chain.
Step 4: Test the configuration
Always check the syntax before restarting, because an error can stop the server from starting. Run:
sudo lighttpd -t -f /etc/lighttpd/lighttpd.conf
You should see a message that the syntax is OK. For a deeper check that also loads and initializes the modules, use sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf. Fix any reported errors before continuing.
Step 5: Restart Lighttpd
Apply the changes. On a modern system with systemd, restart the service:
sudo systemctl restart lighttpd
On older systems that use SysV init, use the init script instead:
sudo /etc/init.d/lighttpd restart
Congratulations, your SSL certificate is now installed on Lighttpd. To confirm the result and get an instant status report, use our SSL Checker or browse our full set of SSL tools. For advanced options, see the official Lighttpd SSL documentation.
Frequently Asked Questions
Current Lighttpd (1.4.56 and later) recommends separate files: the certificate plus its intermediate chain in the file named by ssl.pemfile, and the private key in ssl.privkey. The older combined PEM that concatenated the certificate and key into one ssl.pemfile still works, but the separate form matches how most Certificate Authorities deliver files and is the documented recommendation.
No. The current recommendation is to include the intermediate certificates directly in the ssl.pemfile file, right after your certificate. The ssl.ca-file directive was a historical way to complete the chain when the pemfile held only the leaf certificate, and in version 1.4.60 it was renamed ssl.verifyclient.ca-file because its real role is client-certificate verification.
Run sudo lighttpd -t -f /etc/lighttpd/lighttpd.conf to test the syntax, or sudo lighttpd -tt -f /etc/lighttpd/lighttpd.conf for a deeper test that also loads the modules. Fix any errors it reports before you restart, so a typo does not stop the server from starting.
This usually means the intermediate certificates are missing from your ssl.pemfile. Concatenate your certificate and the CA bundle into one file, with the certificate first, and point ssl.pemfile at it. Then test the config and restart. You can confirm the chain is complete with our SSL Checker.
Connect to your site with OpenSSL and read the certificate it serves:echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -dates
If the certificate is installed, this prints its issuer and validity dates. You can also open your site in a browser and check the padlock.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


