To use TLS on a Linux server, install a trusted certificate (Let’s Encrypt or commercial), configure your web server (Nginx or Apache) to serve HTTPS with TLS 1.2/1.3, enable secure ciphers and headers (HSTS, OCSP stapling), open ports 80/443 in the firewall, and set up automated certificate renewal and monitoring.
Securing websites and APIs with Transport Layer Security (TLS) is essential for privacy, SEO, and compliance.
You’ll learn how to use TLS on Linux server step by step with both free and commercial certificates, reliable Nginx/Apache configurations, best practices for TLS 1.3, and tools to test and automate renewals.
What is TLS and Why it Matters?
TLS is the standard encryption protocol that secures data in transit between clients and servers. It provides confidentiality (encryption), integrity (tamper detection), and authentication (verifies server identity via certificates).
It’s the successor to SSL and is required for modern browsers, payment systems, and SEO—Google gives ranking benefits to HTTPS sites.
Prerequisites
Server, Domain, and DNS
– A Linux server (Ubuntu/Debian, AlmaLinux/Rocky/CentOS, or similar)
– A domain name pointing to your server’s public IP via an A/AAAA record
– Nginx or Apache installed (examples included for both)
Firewall and Ports
Open ports 80 (HTTP) and 443 (HTTPS). Let’s Encrypt HTTP-01 challenges need port 80. Examples:
# UFW (Ubuntu/Debian)
sudo ufw allow 'Nginx Full' # or 'Apache Full'
sudo ufw enable
# firewalld (RHEL/AlmaLinux/Rocky)
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reloadUpdate Packages
# Debian/Ubuntu
sudo apt update && sudo apt upgrade -y
# RHEL/AlmaLinux/Rocky
sudo dnf upgrade -yOption 1 — Get a Free TLS Certificate with Let’s Encrypt (Certbot)
Let’s Encrypt is a free, automated, and trusted Certificate Authority (CA). Certbot handles issuance and renewal. This is the fastest way to enable HTTPS on a Linux server for production use.
Install Certbot
# Ubuntu 20.04+ / Debian 11+
sudo apt install -y certbot python3-certbot-nginx
# or for Apache
sudo apt install -y certbot python3-certbot-apache
# RHEL 9 / AlmaLinux 9 / Rocky 9
sudo dnf install -y certbot python3-certbot-nginx
# or for Apache
sudo dnf install -y certbot python3-certbot-apacheIssue and Install the Certificate
Nginx:
sudo certbot --nginx -d example.com -d www.example.comApache:
sudo certbot --apache -d example.com -d www.example.comCertbot will update your virtual host to HTTPS, obtain the certificate, and reload your web server. Choose the redirect option to force HTTP to HTTPS.
Auto Renewal
Certbot installs a systemd timer or cron job. Verify:
sudo systemctl list-timers | grep certbot
sudo certbot renew --dry-runOption 2 — Use a Commercial TLS Certificate
Commercial certificates (OV/EV) include organization validation and may be required for certain compliance or enterprise policies. You’ll generate a CSR, submit it to the CA, then install the issued certificate and chain.
Generate Private Key and CSR with OpenSSL
# Generate a 2048-bit RSA key (ED25519/EC keys are also supported in many stacks)
openssl genrsa -out /etc/ssl/private/example.com.key 2048
chmod 600 /etc/ssl/private/example.com.key
# Create a CSR (adjust subject as needed)
openssl req -new -key /etc/ssl/private/example.com.key -out /etc/ssl/certs/example.com.csr \
-subj "/C=US/ST=State/L=City/O=Company/OU=Web/CN=example.com"Submit the CSR to your CA. You’ll receive a certificate (example.com.crt or .pem) and a CA bundle/chain file.
Install in Nginx
server {
listen 443 ssl http2;
server_name example.com www.example.com;
ssl_certificate /etc/ssl/certs/example.com.crt; # Full chain if provided
ssl_certificate_key /etc/ssl/private/example.com.key;
# App config ...
}
# Redirect HTTP to HTTPS
server {
listen 80;
server_name example.com www.example.com;
return 301 https://$host$request_uri;
}Install in Apache
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
SSLEngine on
SSLCertificateFile /etc/ssl/certs/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key
SSLCertificateChainFile /etc/ssl/certs/ca-bundle.crt
# App config ...
</VirtualHost>
# Redirect HTTP to HTTPS
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>Harden Your TLS Configuration (TLS 1.2/1.3)
Strong defaults protect users and boost your SSL Labs grade. Prefer TLS 1.3, keep TLS 1.2 for compatibility, disable older protocols, use modern ciphers, enable OCSP stapling, and set HSTS after confirming HTTPS works across your site.
Recommended Nginx Settings
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off; # Let TLS 1.3 pick modern ciphers
ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header Referrer-Policy no-referrer-when-downgrade;Place these within the HTTPS server block or a global include. Only enable HSTS after you’re certain all subdomains support HTTPS.
Recommended Apache Settings
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Apache will use TLS 1.2/1.3 by default when available
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
SSLCipherSuite TLSv1.2 HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!RC4
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set Referrer-Policy "no-referrer-when-downgrade"Test and Validate Your TLS Setup
Local CLI Tests
# Check certificate and chain
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | openssl x509 -noout -issuer -subject -dates
# Verify protocol support
curl -I --tlsv1.2 https://example.com
curl -I --tlsv1.3 https://example.com
# Confirm HTTP -> HTTPS redirect
curl -I http://example.comOnline Scanners
Use SSL Labs Server Test and Hardenize to audit protocol support, ciphers, certificate chain, and HSTS/OCSP status. Aim for an A or A+ grade. Fix any chain or weak cipher warnings.
Logging and Monitoring
– Check Nginx error logs: /var/log/nginx/error.log
– Check Apache error logs: /var/log/apache2/error.log or /var/log/httpd/error_log
– Monitor certificate expiry: integrate check_ssl_cert or Prometheus exporters
Let’s Encrypt vs Commercial Certificates (Quick Comparison)
- Let’s Encrypt: Free, automated via Certbot, DV validation only, 90-day validity, ideal for most websites and APIs.
- Commercial (OV/EV): Paid, organizational verification, may show org details in certificate, preferred for enterprises or regulatory needs.
- Both are equally secure cryptographically when configured with strong TLS settings.
Common TLS Issues and How to Fix Them
- Incomplete chain: Browser shows “not trusted.” Ensure you install the full chain file or use Certbot’s installed fullchain.pem.
- Wrong file permissions: Private keys must be readable by the web server user only (typically 600). Do not chmod 777 keys.
- Port 80/443 blocked: Let’s Encrypt validation fails. Open firewall and security group ports.
- Mixed content: Page loads HTTPS but references HTTP assets. Update URLs to HTTPS or use relative paths.
- Auto-renewal not running: Use “sudo certbot renew –dry-run” and check systemd timers or cron logs.
- Old client compatibility: Keep TLS 1.2 enabled while prioritizing TLS 1.3 for modern clients.
Performance Tips for TLS at Scale
- Enable HTTP/2 or HTTP/3 (QUIC) to reduce latency and improve multiplexing.
- Use TLS session resumption (session cache/tickets off for compliance-sensitive environments; otherwise tune as needed).
- Prefer ECDSA/EdDSA certificates for performance if your clients support them; otherwise use RSA 2048.
- Enable OCSP stapling to reduce client lookups.
- Terminate TLS at a reverse proxy (Nginx) and keep upstream traffic private within a secure network.
Step-by-Step: Full Example on Ubuntu with Nginx and Certbot
# 1) Install Nginx
sudo apt update && sudo apt install -y nginx
# 2) Create a simple server block
sudo bash -c 'cat >/etc/nginx/sites-available/example.conf' << "EOF"
server {
listen 80;
server_name example.com www.example.com;
root /var/www/html;
index index.html;
}
EOF
sudo ln -s /etc/nginx/sites-available/example.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
# 3) Allow firewall
sudo ufw allow "Nginx Full"
# 4) Issue certificate and auto-configure HTTPS
sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com
# 5) Harden TLS (adjust as desired)
sudo bash -c 'cat >/etc/nginx/snippets/tls-hardening.conf' << "EOF"
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers off;
ssl_ciphers "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256";
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header Referrer-Policy no-referrer-when-downgrade;
EOF
# 6) Include hardening in your HTTPS server block
# Edit the server block created by Certbot to: include snippets/tls-hardening.conf;
sudo nginx -t && sudo systemctl reload nginx
# 7) Test
curl -I https://example.com
openssl s_client -connect example.com:443 -servername example.com < /dev/null | openssl x509 -noout -datesHow This Helps SEO and Compliance
- SEO: HTTPS is a ranking signal; modern browsers mark HTTP as “Not Secure.”
- Security: Protects credentials, checkout sessions, API tokens, and forms.
- Compliance: Required by PCI DSS and recommended by ISO 27001 and GDPR guidance.
FAQ’s
Is TLS the same as SSL?
SSL is the older protocol; TLS is its modern, secure successor. People still say “SSL certificate,” but what you’re actually deploying today is TLS (typically TLS 1.2/1.3).
How do I enable TLS 1.3 on Nginx and Apache?
Use an up-to-date Nginx/Apache and OpenSSL. In Nginx, set “ssl_protocols TLSv1.3 TLSv1.2;”. In Apache, disable older protocols via SSLProtocol and ensure OpenSSL 1.1.1+ is used. Reload the server and verify with “curl –tlsv1.3”.
Is Let’s Encrypt safe for production?
Yes. Let’s Encrypt issues widely trusted DV certificates using the same cryptography as commercial CAs. For organization validation (OV/EV) policies, choose a commercial CA, but the encryption level is comparable.
How do I auto-renew certificates?
Certbot installs a timer or cron job to renew before expiry. Confirm with “sudo certbot renew –dry-run” and ensure your firewall allows port 80 for HTTP-01 challenges. Production renewals are automatic.
How can I test my TLS configuration?
Use “openssl s_client” and “curl” locally, then run an external scan with SSL Labs. Check your server logs for errors, confirm redirects, and verify that HSTS and OCSP stapling are active.
Conclusion
Now you know how to use TLS on Linux server the right way—get a certificate (Let’s Encrypt or commercial), configure Nginx/Apache with modern TLS 1.3 defaults, enforce HTTPS, and automate renewals. Keep testing and iterating to maintain an A+ security posture and the best possible user trust and SEO performance.
