How to Use TLS on Linux: Complete Beginner’s Guide

Use TLS (Transport Layer Security) on a Linux server to encrypt communication between your server and clients, ensuring data confidentiality, integrity, and authentication over networks. TLS is essential for securing websites (HTTPS), APIs, and various network services, preventing eavesdropping and tampering.

This guide covers the key steps for implementing TLS on Linux servers, including installing required packages, generating or obtaining certificates, configuring your web server, and verifying the setup.

Prerequisites

  • A Linux server running Ubuntu, Debian, CentOS, RHEL, or similar distributions
  • Root or sudo privileges to install software and modify configurations
  • A domain name pointing to your server’s IP (for public certificates)
  • Basic command-line knowledge
  • Familiarity with your web server (Apache, Nginx, etc.)

Use TLS on a Linux Server

TLS (Transport Layer Security) encrypts data between a Linux server and clients, ensuring secure communication. It’s essential for protecting sensitive information in services like HTTPS, email, and FTP by preventing unauthorized access or data interception.

Install Required TLS Packages

Install essential tools, such as OpenSSL and web server SSL modules.

  • Ubuntu/Debian:
sudo apt update
sudo apt install openssl
sudo apt install certbot python3-certbot-nginx # for Nginx and Certbot
sudo apt install certbot python3-certbot-apache # for Apache and Certbot
  • CentOS/RHEL:
sudo yum install openssl mod_ssl
sudo yum install certbot python3-certbot-nginx

Obtain a TLS Certificate

Securing your Linux server with TLS (Transport Layer Security) is essential for protecting data in transit and building user trust. There are several ways to get a TLS certificate, but Let’s Encrypt offers a free and automated solution that’s ideal for most use cases.

Option A: Use Let’s Encrypt (Free, Automated)

Use Certbot to request and install a trusted certificate automatically:

  • For Nginx:
sudo certbot --nginx
  • For Apache:
sudo certbot --apache

You will be prompted to provide your email, agree to the terms, and select domains to secure. Certbot will configure web server files and set up automatic renewal.

Option B: Create a Self-Signed Certificate (Testing Only)

Generate a self-signed certificate for internal or testing purposes:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout /etc/ssl/private/server.key \
-out /etc/ssl/certs/server.crt

Fill out the prompted fields; ensure the Common Name matches your domain or server. Because no public CA has signed this certificate, browsers and tools such as curl will show a trust warning unless the certificate is explicitly imported, which is why it is suitable for testing only.

Configure Your Web Server to Use TLS

Once you’ve obtained a TLS certificate, the next step is to configure your web server to use it. This enables secure HTTPS connections by binding the certificate to your server.

Apache Example:

Edit or create your SSL site config (Ubuntu: /etc/apache2/sites-available/default-ssl.conf, CentOS: /etc/httpd/conf.d/ssl.conf):

SSLEngine on

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

Enable the SSL module and the site if they are not already enabled (the a2enmod/a2ensite commands are specific to Ubuntu/Debian):

sudo a2enmod ssl
sudo a2ensite default-ssl
sudo systemctl reload apache2 # or restart apache

Nginx Example:

Modify your site configuration file (e.g., /etc/nginx/sites-available/default):

server {
    listen 443 ssl;
    server_name your_domain.com;

    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_ciphers only governs TLS 1.2 suites; TLS 1.3 suites are enabled
    # separately and are all strong. Listing only TLS 1.3 names here would
    # leave TLS 1.2 clients with no usable cipher, so list AEAD suites
    # with forward secrecy for TLS 1.2 instead.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;

    # ... other server config ...
}

Reload Nginx to apply:

sudo nginx -t
sudo systemctl reload nginx

Test and Verify TLS Installation

  • Use curl or OpenSSL to verify:
curl -I https://your_domain.com

This should print the response headers, confirming that the HTTPS connection was established and the certificate was accepted.

openssl s_client -connect your_domain.com:443

This prints the certificate chain, the negotiated protocol and cipher, and the verification result (a self-signed certificate shows a verify error here, which is expected).

  • Use online tools like SSL Labs for an in-depth test.

Automate Certificate Renewal (Let’s Encrypt)

Certbot installs automatic renewal via system timers. Test renewal manually:

sudo certbot renew --dry-run

Monitor the renewal timer or cron job and its logs so that an expiring certificate is noticed before clients start rejecting it.

Additional Security Best Practices

After enabling TLS, it’s important to strengthen your configuration to defend against evolving threats. These best practices help ensure your server remains secure and compliant:

  • Disable old TLS versions and weak ciphers
  • Use HTTP Strict Transport Security (HSTS) headers on HTTPS responses
  • Protect private key files with proper permissions (e.g., chmod 600 /etc/ssl/private/server.key)
  • Regularly update OpenSSL and web server software
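The following script is an added example, not part of the original guide: it runs the pre-deployment checks the verification and best-practice sections describe (key file permissions, certificate/key match, remaining validity for renewal monitoring, and host name coverage) against a certificate and key on disk, before Apache or Nginx is pointed at them. It assumes the openssl CLI and GNU stat are installed; the paths, host name and the check_cert_pair name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original guide: local checks for a TLS
# certificate/key pair. Assumes the openssl CLI and GNU stat (Linux).
# Paths are arguments; the guide's defaults are /etc/ssl/certs/server.crt
# and /etc/ssl/private/server.key.

# The private key must be readable only by its owner (guide: chmod 600).
key_perms_ok() {
    mode=$(stat -c '%a' "$1")        # octal mode, e.g. 600
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# The certificate must have been issued for this key: compare the public
# key embedded in the certificate with the public half of the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# The certificate must still be valid N days from now; run this from cron
# to catch a renewal that silently stopped working. -checkend exits 0 if
# the certificate is still valid at that future point, 1 if it is not.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# The certificate must name the host clients connect to, in the Common
# Name or (what browsers actually check) in a subjectAltName DNS entry.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text | grep -qE "(CN ?= ?|DNS:)$2(,|$)"
}

# Run every check, print one line per result, return 1 if any check failed.
check_cert_pair() {
    cert=$1; key=$2; host=$3; min_days=${4:-30}; rc=0
    key_perms_ok "$key" && echo "ok   key mode is 600/400" || { echo "FAIL key is readable by other users"; rc=1; }
    cert_matches_key "$cert" "$key" && echo "ok   cert matches key" || { echo "FAIL cert was not issued for this key"; rc=1; }
    cert_valid_for_days "$cert" "$min_days" && echo "ok   valid for >$min_days days" || { echo "FAIL expires within $min_days days"; rc=1; }
    cert_covers_host "$cert" "$host" && echo "ok   cert names $host" || { echo "FAIL cert does not name $host"; rc=1; }
    return $rc
}

# Usage: sh tls_precheck.sh CERT KEY HOSTNAME [MIN_DAYS]
if [ "$#" -ge 3 ]; then
    check_cert_pair "$@"
fi
```

Run it as root after generating or renewing a certificate, or schedule it with a MIN_DAYS value larger than your renewal window so a stalled renewal is reported before expiry.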

Conclusion

To use TLS on a Linux server, install OpenSSL and Certbot, obtain either free trusted certificates from Let’s Encrypt or create self-signed certificates for testing, and configure your web server (Apache or Nginx) to use those certificates for encrypted HTTPS connections. Regular testing and renewal ensure your server communication remains secure and trusted by clients. For more detailed information and advanced configurations, refer to: Let’s Encrypt Documentation and Certbot Instructions.

Himanshu Joshi
