In this tutorial, you will learn how to install an SSL certificate on LiteSpeed Web Server (LSWS Enterprise) using the WebAdmin console.
We also recorded a video that walks you through the entire process. You can watch the video, read the instructions, or do both. You can watch the video below.
Generate a CSR code on LiteSpeed
To apply for an SSL certificate, you first generate a CSR (Certificate Signing Request) and send it to your Certificate Authority (CA) for validation. The CSR contains your contact details in an encoded format. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR on LiteSpeed.
When you generate the CSR, LiteSpeed also creates the matching private key. Keep that key safe: you will need it during installation. Open the .csr file in any text editor, then copy its full contents, including the BEGIN and END tags, and paste it into the order form with your SSL vendor.
Install an SSL certificate on LiteSpeed
After the CA validates your request and emails your signed certificate, you can install it through the LiteSpeed WebAdmin console.
Step 1: Prepare your files
Extract the ZIP archive from your CA. You should have three items:
- Your primary certificate: the certificate issued for your domain (for example yourdomain.crt), found in the ZIP archive.
- Your intermediate certificate(s): these help browsers trace your certificate back to the issuing CA. They are usually bundled in a .ca-bundle file (the CA bundle), which you also extract from the ZIP archive.
- Your private key: the key created together with the CSR. It is on your server in the same directory where you generated the CSR. If you used our online generator instead, use the key it produced.
Upload all three files to a directory on the server, for example /usr/local/lsws/conf/ssl/ (the default LiteSpeed install path is /usr/local/lsws/). The WebAdmin console runs as the lsadm user, so make sure that user can read the files. If needed, fix ownership from a root shell:
chown lsadm:lsadm /usr/local/lsws/conf/ssl/yourdomain.key /usr/local/lsws/conf/ssl/yourdomain.crt /usr/local/lsws/conf/ssl/yourdomain.ca-bundle
The private key file must be unencrypted (no passphrase), otherwise LiteSpeed cannot start the listener.
Step 2: Add an HTTPS listener
Log in to your LiteSpeed WebAdmin console (typically at https://your-server-ip:7080). If you already have a secure listener on port 443, skip to Step 3. To create one:
- In the left menu, select Listeners, then click Add.
- In the Address Settings section, fill in the fields below, then click Save.
- Listener Name: a friendly name for the listener, for example SSL or HTTPS.
- IP Address: to bind the listener to a specific address, choose it from the list, otherwise select Any (ANY IPv4 or ANY IPv6).
- Port: the default HTTPS port is 443.
- Secure: choose Yes. This is what turns the listener into an SSL/TLS listener.
- Notes: leave blank.
Step 3: Add your certificate files
Now point the listener at your certificate and key:
- Open Listeners and, under the Listener Name column, click the listener you created (or your existing secure listener).
- Select the SSL tab. In the SSL Private Key & Certificate section, click Edit.
- Configure the file paths as follows, then click Save.
- Private Key File: the path to your private key, for example /usr/local/lsws/conf/ssl/yourdomain.key. Paths can be absolute or relative to the server root.
- Certificate File: the path to your primary certificate, for example /usr/local/lsws/conf/ssl/yourdomain.crt.
- Chained Certificate: leave this set to No when you supply the intermediates separately in the next field. (Set it to Yes only if your Certificate File already contains the full chain, certificate plus intermediates, in one file.)
- CA Certificate File: the path to your CA bundle (the intermediate certificates), for example /usr/local/lsws/conf/ssl/yourdomain.ca-bundle.
Note: there are two ways to supply the intermediates. Use CA Certificate File to point at a single bundle file (the common case), or use CA Certificate Path to point at a directory that holds the intermediate certificates. You only need one of the two.
Step 4: Set the SSL protocols
Still on the SSL tab for this listener, find the SSL Protocol section and click Edit. For Protocol Version, check TLS v1.2 and TLS v1.3, and leave SSL v3.0, TLS v1.0, and TLS v1.1 unchecked. Click Save.
TLS 1.0 and TLS 1.1 are deprecated and are rejected by modern browsers, so enabling them only exposes you to known weaknesses. TLS 1.2 and TLS 1.3 are the current standards.
Step 5: Map your virtual host to the listener
Tell the listener which site(s) it serves:
- Open Listeners and select your listener’s name.
- On the General tab, go to Virtual Host Mappings and click Add.
- From the Virtual Host list, select the vhost you want to serve over HTTPS.
- In Domain(s), enter the domain(s) that map to this vhost. Separate multiple domains with commas, then click Save.
Step 6: Restart the server
In the left menu, click Dashboard, then click the green Graceful Restart button. LiteSpeed applies the new configuration with zero downtime: existing connections finish on the old process while new connections use the updated one.
Your SSL certificate is now installed on LiteSpeed. To confirm the result and get an instant status report, use our SSL Checker.
Test your SSL installation
After installing the certificate, check the configuration for errors or weak settings. Our SSL Checker runs an instant scan and reports on your certificate, the chain, and the negotiated protocol. You can also verify the result from the command line:
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -dates
If the certificate is installed correctly, this prints its issuer and validity dates. You can also open your site in a browser and check the padlock.
Frequently Asked Questions
There is no fixed location. LiteSpeed reads whatever paths you set in the listener’s SSL tab, so you can store the key and certificate anywhere the lsadm user can read. A common convention on the default install is /usr/local/lsws/conf/ssl/.
Certificate File is your own domain certificate (for example yourdomain.crt). CA Certificate File is the intermediate chain from your CA (the .ca-bundle) that lets browsers trust your certificate. Keep them in separate fields unless you set Chained Certificate to Yes, in which case the certificate file must already contain the full chain.
Enable TLS v1.2 and TLS v1.3 only, and disable SSL v3.0, TLS v1.0, and TLS v1.1. The older protocols are deprecated and rejected by current browsers, while TLS 1.2 and 1.3 are the modern, supported standards.
Use the Graceful Restart button on the WebAdmin Dashboard. LiteSpeed starts a new server process for incoming requests while the old one finishes existing connections, so configuration changes apply with no dropped connections.
The approach is the same, but the console differs slightly. In OpenLiteSpeed, SSL settings live under each Listener on the SSL tab, and you save changes with the Graceful Restart button in the top-right corner. This tutorial follows the commercial LiteSpeed Web Server (LSWS).
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


