Nginx TLS Configuration
Last updated: March 29, 2026Latest Frontend Version: 2.17.3
The following steps apply to any Nginx configuration using TLS in tiCrypt. A stacked (bundled) certificate is the concatenation of the server certificate and the local certificate authority chain.
Complete these steps after placing your TLS certificate and key:
Verify the TLS certificate
openssl x509 -in /etc/pki/tls/certs/example-stacked.crt -text -noout
Verify the TLS private key
openssl rsa -in /etc/pki/tls/private/example.pem -check
caution
If your certificate or private key is not valid, Nginx will not start. Check their validity before restarting Nginx.
The remaining critical steps are:
Create or Download Diffie-Hellman Parameters
Either generate new parameters:
openssl dhparam -outform pem -out /etc/pki/tls/dhparam.pem 2048
Or download them from Mozilla:
curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/pki/tls/dhparam.pem
Allow Nginx to Connect (SELinux)
setsebool -P httpd_can_network_connect=true
Restart Nginx
systemctl restart nginx