Installing an SSL Certificate on LiteSpeed Web Server

Installing an SSL Certificate on LiteSpeed Web Server

James Rodriguez

LiteSpeed has earned a strong following as a high performance replacement for Apache, and its SSL Certificate installation happens through a browser-based administration console rather than configuration files. The process is quick once you know where the SSL settings live, because the console buries them one level deeper than most administrators expect.

This guide applies to both LiteSpeed Enterprise and OpenLiteSpeed, which share the same WebAdmin console layout for SSL configuration.

Prerequisites and Required Files

You need administrator access to the LiteSpeed WebAdmin console, which runs on port 7080 by default. You also need your issued SSL Certificate file and the ca-bundle of Intermediate Certificates from the Certificate Authority (CA), both available in the tracking system. View Our Tracking & SSL Management 🔗

The Private Key created alongside your Certificate Signing Request (CSR) completes the set. Upload all three files to a directory on the server, such as /usr/local/lsws/conf/ssl/, and restrict the Private Key permissions to the LiteSpeed user. Learn About Generating a CSR 🔗

Note : Servers running LiteSpeed Enterprise under cPanel manage SSL Certificates through cPanel rather than the WebAdmin console, and LiteSpeed picks the configuration up automatically. The console method below applies to standalone LiteSpeed and OpenLiteSpeed installations.

Hosts running cPanel can also automate the entire SSL Certificate lifecycle through our plugin, removing the manual replacement cycle entirely. Learn About the Trustico® CaaS cPanel Plugin 🔗

Creating a Secure Listener

LiteSpeed routes traffic through listeners, and HTTPS requires a listener marked as secure. Log in to the WebAdmin console at your server address on port 7080, then navigate to Configuration and select Listeners.

If no secure listener exists yet, click the add icon and configure the address settings. Give the listener a recognizable name, set the IP Address to Any unless the server requires binding to a specific address, set the Port to 443, and set Secure to Yes. Save the listener.

If port 443 is already held by another listener or service, the conflict must be resolved first, since two listeners cannot share the port on the same address.

Assigning the SSL Certificate Files

Open the newly created listener and select its SSL tab. Three fields connect the listener to your files.

Set Private Key File to the path of your key, for example /usr/local/lsws/conf/ssl/yourdomain.key. Set Certificate File to the path of your SSL Certificate. Then set Chained Certificate to Yes and provide the ca-bundle path in the CA Certificate File field, which is the step that completes the chain for mobile devices and strict clients. Learn About Intermediate Certificates 🔗

Save the SSL settings, then map the listener to your virtual host on the General tab of the listener if a mapping does not already exist. Without a virtual host mapping the listener accepts connections but serves nothing.

Applying the Configuration

LiteSpeed applies configuration changes through a graceful restart, which reloads settings without dropping active connections. Click the graceful restart icon in the WebAdmin console header, or run the equivalent command on the server.

sudo /usr/local/lsws/bin/lswsctrl restart

Verifying the Installation

Load the site over HTTPS and inspect the SSL Certificate in the browser. Follow up with an external scan, because desktop browsers cache Intermediate Certificates and routinely hide an incomplete chain that other clients will reject. Trustico® provides free checking tools that show the chain as a fresh client sees it. Explore Our Trustico® SSL Tools 🔗

Troubleshooting Common Installation Problems

A listener that saves but never serves the new SSL Certificate usually points at the wrong file paths. The WebAdmin console accepts nonexistent paths silently in some versions, so confirm each path exists on disk exactly as entered.

Chain warnings on mobile devices mean the Chained Certificate setting is No or the CA Certificate File field is empty. Set both correctly and perform another graceful restart.

A key mismatch reported in the server log means the Private Key does not pair with the SSL Certificate, which usually traces to a regenerated CSR. A reissue against the current CSR is the clean resolution. Learn About Reissuing Your SSL Certificate 🔗

Professional Installation Assistance

LiteSpeed installations are usually finished in minutes, but mixed environments where cPanel, the WebAdmin console, and custom virtual hosts overlap can produce configuration that is hard to untangle.

Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf. Discover Our Premium Installation Service 🔗

Back to Blog

Most Popular Questions

Frequently asked questions covering SSL Certificate installation on LiteSpeed and OpenLiteSpeed, including the WebAdmin console, the cPanel exception, secure listener creation, the SSL file fields, graceful restarts, common error diagnosis, and the Trustico® Premium Installation service.

Accessing SSL Settings in the WebAdmin Console

LiteSpeed installs SSL Certificates through its browser-based WebAdmin console, which runs on port 7080 by default. The same console layout applies to both LiteSpeed Enterprise and OpenLiteSpeed.

Managing SSL Certificates When LiteSpeed Runs Under cPanel

Servers running LiteSpeed Enterprise under cPanel manage SSL Certificates through cPanel rather than the WebAdmin console, and LiteSpeed picks the configuration up automatically. Hosts running cPanel can also automate the entire SSL Certificate lifecycle through the Trustico® Certificate as a Service (CaaS) cPanel plugin, removing the manual replacement cycle entirely.

Creating a Secure Listener on Port 443

Navigate to Configuration and select Listeners, then add a listener with a recognizable name, the IP Address set to Any, the Port set to 443, and Secure set to Yes. If port 443 is already held by another listener or service, the conflict must be resolved first, since two listeners cannot share the port on the same address.

Connecting the Listener to the SSL Certificate Files

The SSL tab of the listener holds three fields, namely the Private Key File path, the Certificate File path, and the CA Certificate File path with Chained Certificate set to Yes, which is the step that completes the chain for mobile devices and strict clients. The listener must also be mapped to the virtual host, because without a mapping it accepts connections but serves nothing.

Applying Changes with a Graceful Restart

LiteSpeed applies configuration changes through a graceful restart, which reloads settings without dropping active connections. Click the graceful restart icon in the WebAdmin console header, or run the lswsctrl restart command on the server.

Silent Path Errors and Chain Warnings

A listener that saves but never serves the new SSL Certificate usually points at the wrong file paths, and the WebAdmin console accepts nonexistent paths silently in some versions, so confirm each path exists on disk exactly as entered. Chain warnings on mobile devices mean the Chained Certificate setting is No or the CA Certificate File field is empty, while a key mismatch in the server log usually traces to a regenerated Certificate Signing Request (CSR) and is resolved by a reissue.

Premium Installation Assistance for LiteSpeed Environments

Mixed environments where cPanel, the WebAdmin console, and custom virtual hosts overlap can produce configuration that is hard to untangle. Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf.

Stay Updated - Our RSS Feed

There's never a reason to miss a post! Subscribe to our Atom/RSS feed and get instant notifications when we publish new articles about SSL Certificates, security updates, and news. Use your favorite RSS reader or news aggregator.

Subscribe via RSS/Atom