Skip to main content

Nginx TLS Configuration

Last updated: March 29, 2026Latest Frontend Version: 2.17.3

The following steps apply to any Nginx configuration using TLS in tiCrypt. A stacked (bundled) certificate is the concatenation of the server certificate and the local certificate authority chain.

Complete these steps after placing your TLS certificate and key:

Verify the TLS certificate

openssl x509 -in /etc/pki/tls/certs/example-stacked.crt -text -noout

Verify the TLS private key

openssl rsa -in /etc/pki/tls/private/example.pem -check
caution

If your certificate or private key is not valid, Nginx will not start. Check their validity before restarting Nginx.

The remaining critical steps are:

Create or Download Diffie-Hellman Parameters

Either generate new parameters:

openssl dhparam -outform pem -out /etc/pki/tls/dhparam.pem 2048

Or download them from Mozilla:

curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/pki/tls/dhparam.pem

Allow Nginx to Connect (SELinux)

setsebool -P httpd_can_network_connect=true

Restart Nginx

systemctl restart nginx