Nginx TLS Configuration
The following steps apply to any Nginx configuration using TLS in tiCrypt. A stacked (bundled) certificate is the concatenation of the server certificate followed by the local certificate authority chain, in that order.
Complete these steps after placing your TLS certificate and key:
Verify the TLS certificate
openssl x509 -in /etc/pki/tls/certs/example-stacked.crt -text -noout
Verify the TLS private key
openssl rsa -in /etc/pki/tls/private/example.pem -check
Caution: If the certificate or the private key is invalid, Nginx will not start. Check both before restarting Nginx.
The remaining required steps are:
Create or Download Diffie-Hellman Parameters
Either generate new ones yourself:
openssl dhparam -outform pem -out /etc/pki/tls/dhparam.pem 2048
Or download Mozilla's pre-generated ffdhe2048 group:
curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/pki/tls/dhparam.pem
Allow Nginx to Make Outbound Network Connections (SELinux)
setsebool -P httpd_can_network_connect=true
Restart Nginx
systemctl restart nginx
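The following pre-flight script is an added example and is not part of the tiCrypt documentation. It bundles the checks above into one function that can gate the restart: it confirms the stacked certificate parses, the private key parses, the key actually belongs to the certificate (the most common reason Nginx refuses to start after a certificate change), and the certificate is not about to expire. It uses `openssl pkey` instead of the page's `openssl rsa -check` so that EC keys are handled too. The function names `tls_preflight` and `dhparam_ok`, and the paths in the usage comment, are assumptions; the paths simply mirror the page's examples.

```shell
#!/bin/sh
# Added example (not from the tiCrypt docs): pre-flight checks for an Nginx
# TLS certificate/key pair and DH parameter file before restarting Nginx.
# Function names and paths are hypothetical.

# Return 0 when the stacked certificate parses, the private key parses, the
# key matches the certificate, and the certificate is valid for at least
# 30 more days. Any failure prints a reason to stderr and returns 1.
tls_preflight() {
    cert="$1"
    key="$2"

    # 1. The certificate must be well-formed. On a stacked file this reads
    #    the first (server) certificate, which is the one Nginx serves.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "certificate does not parse: $cert" >&2
        return 1
    fi

    # 2. The private key must parse. `openssl pkey` accepts RSA and EC keys;
    #    `openssl rsa -check` (as on the page) only works for RSA keys.
    if ! openssl pkey -in "$key" -noout >/dev/null 2>&1; then
        echo "private key does not parse: $key" >&2
        return 1
    fi

    # 3. The key must belong to the certificate: hash the DER-encoded public
    #    key from each side and compare. A mismatch stops Nginx from starting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2
        return 1
    fi

    # 4. Refuse certificates that expire within 30 days (2592000 seconds).
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "certificate is expired or expires within 30 days: $cert" >&2
        return 1
    fi
    return 0
}

# Return 0 when the file holds valid Diffie-Hellman parameters
# (whether generated locally or downloaded from Mozilla), else 1.
dhparam_ok() {
    if ! openssl dhparam -in "$1" -check -noout >/dev/null 2>&1; then
        echo "invalid DH parameters: $1" >&2
        return 1
    fi
    return 0
}

# Usage (hypothetical paths taken from the page):
#   tls_preflight /etc/pki/tls/certs/example-stacked.crt /etc/pki/tls/private/example.pem \
#       && dhparam_ok /etc/pki/tls/dhparam.pem \
#       && nginx -t && systemctl restart nginx
```

Chaining `nginx -t` before `systemctl restart nginx` adds Nginx's own configuration parse on top of these checks, so a bad certificate, key or DH file never takes the running instance down.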