
Certificate Installation

Learning Focus

By the end of this lesson you will know how to install any SSL certificate on an OpenLiteSpeed listener, set correct file permissions, and verify the installation.

Certificate File Requirements

| File | What It Contains | Example Path |
| --- | --- | --- |
| Certificate | Your domain's public certificate (+ chain) | /etc/ssl/certs/example.pem |
| Private Key | The matching private key | /etc/ssl/private/example.key |
| CA Bundle | Intermediate certificates (if separate) | /etc/ssl/certs/ca-bundle.pem |

Installation Steps

Step 1: Upload Files to the Server

# Create secure directories
sudo mkdir -p /etc/ssl/certs /etc/ssl/private

# Upload certificate and key (via SCP, SFTP, or paste)
sudo nano /etc/ssl/certs/example.pem # paste certificate + chain
sudo nano /etc/ssl/private/example.key # paste private key

# Set correct permissions
sudo chmod 644 /etc/ssl/certs/example.pem
sudo chmod 600 /etc/ssl/private/example.key
sudo chown root:root /etc/ssl/private/example.key

Step 2: Configure in WebAdmin

  1. Navigate to Listeners → SSL listener → SSL tab
  2. Set Private Key File: /etc/ssl/private/example.key
  3. Set Certificate File: /etc/ssl/certs/example.pem
  4. Set Chained Certificate: Yes (if cert includes intermediates)
  5. Save and Graceful Restart

Step 3: Verify

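# Test the certificate served by the listener
# (</dev/null closes stdin so s_client exits after the handshake instead of waiting for input)
openssl s_client -connect localhost:443 -servername example.com </dev/null 2>/dev/null | \
openssl x509 -noout -subject -issuer -dates

# Verify certificate and key match (modulus comparison applies to RSA keys only)
openssl x509 -noout -modulus -in /etc/ssl/certs/example.pem | md5sum
# The key is readable by root only, so this command needs sudo
sudo openssl rsa -noout -modulus -in /etc/ssl/private/example.key | md5sum
# Both hashes must be identical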
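
Added example (not part of the original lesson): the modulus comparison in Step 3 only works for RSA keys, so this script compares the public key derived from each file instead, which also covers ECDSA and Ed25519 pairs, and it checks key permissions, chain count and expiry. The function names, the 14-day threshold and the throwaway sample pair are assumptions of this example; `stat -c` is GNU coreutils syntax.

```shell
#!/bin/sh
# Added example: post-install checks that work for RSA, ECDSA and Ed25519 keys.

# Certificate (first/leaf cert in the file) and key match when both yield the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Key file must grant nothing to group or other (600 or 400). GNU stat syntax.
key_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Number of certificates in the file: 1 = leaf only, >1 = leaf + chain.
chain_length() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Succeeds only if the leaf certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Constructed sample: throwaway self-signed EC pair, not a real certificate.
make_sample() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/example.key" &&
    openssl req -x509 -new -key "$1/example.key" -subj "/CN=example.com" \
        -days 30 -out "$1/example.pem" 2>/dev/null &&
    chmod 600 "$1/example.key"
}

check_install() {  # usage: check_install CERT KEY
    rc=0
    cert_matches_key "$1" "$2"  || { echo "FAIL: key does not match certificate"; rc=1; }
    key_perms_ok "$2"           || { echo "FAIL: key readable by group/other"; rc=1; }
    cert_valid_for_days "$1" 14 || { echo "FAIL: certificate expires within 14 days"; rc=1; }
    echo "certificates in file: $(chain_length "$1")"
    return "$rc"
}

# With two arguments, check real files; otherwise run on the constructed sample.
if [ "$#" -eq 2 ]; then
    check_install "$1" "$2"
else
    tmp=$(mktemp -d) && make_sample "$tmp" &&
        check_install "$tmp/example.pem" "$tmp/example.key"
    rm -rf "$tmp"
fi
```

Run it as root against the installed files, for example `sudo sh check.sh /etc/ssl/certs/example.pem /etc/ssl/private/example.key` (the script filename is hypothetical); a count of 1 means the file holds no intermediates.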

Key Takeaways

  • Certificate files need correct permissions (644 for cert, 600 for key).
  • Always verify the certificate and key match with modulus comparison.
  • Test with openssl s_client after installation.
