diff --git a/apps/emqx_dashboard/src/emqx_dashboard_listener.erl b/apps/emqx_dashboard/src/emqx_dashboard_listener.erl index 69f02dd2c..8774957ce 100644 --- a/apps/emqx_dashboard/src/emqx_dashboard_listener.erl +++ b/apps/emqx_dashboard/src/emqx_dashboard_listener.erl @@ -174,17 +174,20 @@ diff_listeners(Type, Stop, Start) -> {#{Type => Stop}, #{Type => Start}}. -define(DIR, <<"dashboard">>). -ensure_ssl_cert(#{<<"listeners">> := #{<<"https">> := #{<<"bind">> := Bind}}} = Conf) when +ensure_ssl_cert(#{<<"listeners">> := #{<<"https">> := #{<<"bind">> := Bind} = Https0}} = Conf0) when Bind =/= 0 -> - Keys = [<<"listeners">>, <<"https">>, <<"ssl_options">>], - Ssl = emqx_utils_maps:deep_get(Keys, Conf, undefined), + Https1 = emqx_dashboard_schema:https_converter(Https0, #{}), + Conf1 = emqx_utils_maps:deep_put([<<"listeners">>, <<"https">>], Conf0, Https1), + io:format("111~p~n", [Conf1]), + Ssl = maps:get(<<"ssl_options">>, Https1, undefined), Opts = #{required_keys => [[<<"keyfile">>], [<<"certfile">>], [<<"cacertfile">>]]}, case emqx_tls_lib:ensure_ssl_files(?DIR, Ssl, Opts) of {ok, undefined} -> {error, <<"ssl_cert_not_found">>}; {ok, NewSsl} -> - {ok, emqx_utils_maps:deep_put(Keys, Conf, NewSsl)}; + Keys = [<<"listeners">>, <<"https">>, <<"ssl_options">>], + {ok, emqx_utils_maps:deep_put(Keys, Conf1, NewSsl)}; {error, Reason} -> ?SLOG(error, Reason#{msg => "bad_ssl_config"}), {error, Reason} diff --git a/apps/emqx_dashboard/src/emqx_dashboard_schema.erl b/apps/emqx_dashboard/src/emqx_dashboard_schema.erl index c252c9e37..d02cf0da5 100644 --- a/apps/emqx_dashboard/src/emqx_dashboard_schema.erl +++ b/apps/emqx_dashboard/src/emqx_dashboard_schema.erl @@ -112,6 +112,7 @@ ssl_options() -> ?R_REF("ssl_options"), #{ required => true, + desc => ?DESC(ssl_options), importance => ?IMPORTANCE_HIGH } )}. diff --git a/apps/emqx_management/test/emqx_mgmt_api_configs_SUITE.erl b/apps/emqx_management/test/emqx_mgmt_api_configs_SUITE.erl index 7993197ba..0d7d57864 100644 
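Review bot: The added `io:format("111~p~n", [Conf1])` in `ensure_ssl_cert` is leftover debug output and should be removed before merge. It prints the whole converted dashboard config map to standard output on every HTTPS listener update, bypassing the logger; that map contains the `ssl_options` section, so any secret kept there (a key-file password, for example) would presumably end up in console logs in clear text. If a trace is wanted, log through the macro this function already uses and leave the config body out, e.g. `?SLOG(debug, #{msg => "dashboard_https_conf_converted", bind => Bind})`. The function's closing `end` and any further clauses lie outside the hunk.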
--- a/apps/emqx_management/test/emqx_mgmt_api_configs_SUITE.erl +++ b/apps/emqx_management/test/emqx_mgmt_api_configs_SUITE.erl @@ -222,11 +222,13 @@ t_dashboard(_Config) -> ), Https2 = #{ - enable => true, - bind => 18084, - keyfile => "etc/certs/badkey.pem", - cacertfile => "etc/certs/badcacert.pem", - certfile => "etc/certs/badcert.pem" + <<"bind">> => 18084, + <<"ssl_options">> => + #{ + <<"keyfile">> => "etc/certs/badkey.pem", + <<"cacertfile">> => "etc/certs/badcacert.pem", + <<"certfile">> => "etc/certs/badcert.pem" + } }, Dashboard2 = Dashboard#{<<"listeners">> => Listeners#{<<"https">> => Https2}}, ?assertMatch( @@ -240,20 +242,21 @@ t_dashboard(_Config) -> emqx, filename:join(["etc", "certs", "cacert.pem"]) ), Https3 = #{ - <<"enable">> => true, <<"bind">> => 18084, - <<"keyfile">> => list_to_binary(KeyFile), - <<"cacertfile">> => list_to_binary(CacertFile), - <<"certfile">> => list_to_binary(CertFile) + <<"ssl_options">> => #{ + <<"keyfile">> => list_to_binary(KeyFile), + <<"cacertfile">> => list_to_binary(CacertFile), + <<"certfile">> => list_to_binary(CertFile) + } }, Dashboard3 = Dashboard#{<<"listeners">> => Listeners#{<<"https">> => Https3}}, ?assertMatch({ok, _}, update_config("dashboard", Dashboard3)), - Dashboard4 = Dashboard#{<<"listeners">> => Listeners#{<<"https">> => #{<<"enable">> => false}}}, + Dashboard4 = Dashboard#{<<"listeners">> => Listeners#{<<"https">> => #{<<"bind">> => 0}}}, ?assertMatch({ok, _}, update_config("dashboard", Dashboard4)), {ok, Dashboard41} = get_config("dashboard"), ?assertEqual( - Https3#{<<"enable">> => false}, + Https3#{<<"bind">> => 0}, read_conf([<<"dashboard">>, <<"listeners">>, <<"https">>]), Dashboard41 ), diff --git a/changes/ce/feat-11137.en.md b/changes/ce/feat-11137.en.md new file mode 100644 index 000000000..7e0821c0d --- /dev/null +++ b/changes/ce/feat-11137.en.md @@ -0,0 +1 @@ +Refactors the dashboard listener configuration to use a nested `ssl_options` field for ssl settings. 
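Review bot: `t_dashboard` no longer exercises the flat `keyfile`/`certfile`/`cacertfile` layout, because both `Https2` (hunk at -222) and `Https3` (hunk at -240) now use the nested `ssl_options` map. The `emqx_dashboard_schema:https_converter/2` call added to `ensure_ssl_cert` in this commit presumably exists to accept that older form, so one case that submits the flat layout and asserts the stored result sits under `ssl_options` would cover that path. `Https2` also passes its paths as list strings under binary keys while `Https3` uses `list_to_binary/1`; using binaries in both would keep the bad-certificate case on the same input shape as the good one. The body of `t_dashboard` continues outside both hunks.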
diff --git a/rel/i18n/emqx_dashboard_schema.hocon b/rel/i18n/emqx_dashboard_schema.hocon index ac0e54601..0559af2c5 100644 --- a/rel/i18n/emqx_dashboard_schema.hocon +++ b/rel/i18n/emqx_dashboard_schema.hocon @@ -138,4 +138,10 @@ token_expired_time.desc: token_expired_time.label: """Token expired time""" +ssl_options.desc: +"""SSL/TLS options for the dashboard listener.""" + +ssl_options.label: +"""SSL options""" + } diff --git a/scripts/conf-test/run.sh b/scripts/conf-test/run.sh index 9b42b2b5b..da5a3aa16 100755 --- a/scripts/conf-test/run.sh +++ b/scripts/conf-test/run.sh @@ -23,7 +23,7 @@ function check_dashboard_https_ssl_options_depth() { start_emqx_with_conf() { echo "Starting $PROFILE with $1" "$EMQX_ROOT"/bin/emqx start - check_dashboard_https_ssl_options_depth $1 + check_dashboard_https_ssl_options_depth "$1" "$EMQX_ROOT"/bin/emqx stop }