{"id":13244,"date":"2025-12-16T11:20:22","date_gmt":"2025-12-16T05:50:22","guid":{"rendered":"https:\/\/www.youstable.com\/blog\/?p=13244"},"modified":"2025-12-16T11:20:25","modified_gmt":"2025-12-16T05:50:25","slug":"how-to-use-tls-on-linux-server","status":"publish","type":"post","link":"https:\/\/www.youstable.com\/blog\/how-to-use-tls-on-linux-server","title":{"rendered":"How to Use TLS on Linux Server in 2026? – (Step By Step Guide)"},"content":{"rendered":"\n

To use TLS on a Linux server<\/strong>, install a trusted certificate (Let\u2019s Encrypt or commercial), configure your web server (Nginx or Apache) to serve HTTPS with TLS 1.2\/1.3, enable secure ciphers and headers (HSTS, OCSP stapling<\/strong>), open ports 80\/443 in the firewall, and set up automated certificate renewal and monitoring.<\/p>\n\n\n\n

Securing websites and APIs with Transport Layer Security (TLS) is essential for privacy, SEO, and compliance. <\/p>\n\n\n\n

You\u2019ll learn how to use TLS on Linux server step by step with both free and commercial certificates, reliable Nginx\/Apache configurations, best practices for TLS 1.3, and tools to test and automate renewals.<\/p>\n\n\n\n

\n\n\n\n

What is TLS and Why it Matters<\/strong>?<\/h2>\n\n\n\n

TLS is the standard encryption protocol that secures data in transit between clients and servers. It provides confidentiality (encryption)<\/strong>, integrity (tamper detection), and authentication (verifies server identity via<\/a> certificates).<\/p>\n\n\n\n

It\u2019s the successor to SSL and is required for modern browsers, payment systems, and SEO\u2014Google gives ranking benefits to HTTPS sites.<\/p>\n\n\n\n

\n\n\n\n

Prerequisites<\/strong><\/h2>\n\n\n\n

Server, Domain, and DNS<\/strong><\/h3>\n\n\n\n

– A Linux server (Ubuntu\/Debian, AlmaLinux\/Rocky\/CentOS, or similar)
– A domain name pointing to your server\u2019s public IP via an A\/AAAA record
– Nginx or Apache installed<\/a> (examples included for both)<\/p>\n\n\n\n

Firewall and Ports<\/strong><\/h3>\n\n\n\n

Open ports 80 (HTTP) and 443 (HTTPS). Let\u2019s Encrypt<\/a> HTTP-01 challenges need port 80. Examples:<\/strong><\/p>\n\n\n\n

# UFW (Ubuntu\/Debian)\nsudo ufw allow 'Nginx Full'   # or 'Apache Full'\nsudo ufw enable\n\n# firewalld (RHEL\/AlmaLinux\/Rocky)\nsudo firewall-cmd --permanent --add-service=http\nsudo firewall-cmd --permanent --add-service=https\nsudo firewall-cmd --reload<\/code><\/pre>\n\n\n\n
Update Packages<\/strong><\/h3>\n\n\n\n
# Debian\/Ubuntu\nsudo apt update && sudo apt upgrade -y\n\n# RHEL\/AlmaLinux\/Rocky\nsudo dnf upgrade -y<\/code><\/pre>\n\n\n\n
\n\n\n\n
Option 1 \u2014 Get a Free TLS Certificate with Let\u2019s Encrypt (Certbot)<\/strong><\/h2>\n\n\n\n
Let\u2019s Encrypt is a free, automated, and trusted Certificate Authority (CA). Certbot handles issuance and renewal. This is the fastest way to enable HTTPS on a Linux server for production use.<\/p>\n\n\n\n
Install Certbot<\/strong><\/h3>\n\n\n\n
# Ubuntu 20.04+ \/ Debian 11+\nsudo apt install -y certbot python3-certbot-nginx\n# or for Apache\nsudo apt install -y certbot python3-certbot-apache\n\n# RHEL 9 \/ AlmaLinux 9 \/ Rocky 9\nsudo dnf install -y certbot python3-certbot-nginx\n# or for Apache\nsudo dnf install -y certbot python3-certbot-apache<\/code><\/pre>\n\n\n\n
Issue and Install the Certificate<\/strong><\/h3>\n\n\n\n
Nginx:<\/strong><\/p>\n\n\n\n
sudo certbot --nginx -d example.com -d www.example.com<\/code><\/pre>\n\n\n\n
Apache:<\/strong><\/p>\n\n\n\n
sudo certbot --apache -d example.com -d www.example.com<\/code><\/pre>\n\n\n\n
Certbot will update your virtual host to HTTPS, obtain the certificate, and reload your web server. Choose the redirect option to force HTTP to HTTPS.<\/p>\n\n\n\n
Auto Renewal<\/strong><\/h3>\n\n\n\n
Certbot installs a systemd timer or cron job. Verify:<\/p>\n\n\n\n
sudo systemctl list-timers | grep certbot\nsudo certbot renew --dry-run<\/code><\/pre>\n\n\n\n
Option 2 \u2014 Use a Commercial TLS Certificate<\/strong><\/h3>\n\n\n\n
Commercial certificates (OV\/EV) include organization validation and may be required for certain compliance or enterprise policies. You\u2019ll generate a CSR, submit it to the CA, then install the issued certificate and chain.<\/p>\n\n\n\n
\n\n\n\n
Generate Private Key and CSR with OpenSSL<\/strong><\/h2>\n\n\n\n
# Generate a 2048-bit RSA key (ED25519\/EC keys are also supported in many stacks)\nopenssl genrsa -out \/etc\/ssl\/private\/example.com.key 2048\nchmod 600 \/etc\/ssl\/private\/example.com.key\n\n# Create a CSR (adjust subject as needed)\nopenssl req -new -key \/etc\/ssl\/private\/example.com.key -out \/etc\/ssl\/certs\/example.com.csr \\\n  -subj \"\/C=US\/ST=State\/L=City\/O=Company\/OU=Web\/CN=example.com\"<\/code><\/pre>\n\n\n\n
Submit the CSR to your CA. You\u2019ll receive a certificate (example.com.crt or .pem) and a CA bundle\/chain file.<\/p>\n\n\n\n
Install in Nginx<\/strong><\/h3>\n\n\n\n
server {\n    listen 443 ssl http2;\n    server_name example.com www.example.com;\n\n    ssl_certificate     \/etc\/ssl\/certs\/example.com.crt;      # Full chain if provided\n    ssl_certificate_key \/etc\/ssl\/private\/example.com.key;\n\n    # App config ...\n}\n\n# Redirect HTTP to HTTPS\nserver {\n    listen 80;\n    server_name example.com www.example.com;\n    return 301 https:\/\/$host$request_uri;\n}<\/code><\/pre>\n\n\n\n
Install in Apache<\/strong><\/h3>\n\n\n\n
<VirtualHost *:443>\n  ServerName example.com\n  ServerAlias www.example.com\n\n  SSLEngine on\n  SSLCertificateFile      \/etc\/ssl\/certs\/example.com.crt\n  SSLCertificateKeyFile   \/etc\/ssl\/private\/example.com.key\n  SSLCertificateChainFile \/etc\/ssl\/certs\/ca-bundle.crt\n\n  # App config ...\n<\/VirtualHost>\n\n# Redirect HTTP to HTTPS\n<VirtualHost *:80>\n  ServerName example.com\n  ServerAlias www.example.com\n  Redirect permanent \/ https:\/\/example.com\/\n<\/VirtualHost><\/code><\/pre>\n\n\n\n
\n\n\n\n
Harden Your TLS Configuration (TLS 1.2\/1.3)<\/strong><\/h2>\n\n\n\n
Strong defaults protect users and boost your SSL Labs grade. Prefer TLS 1.3, keep TLS 1.2 for compatibility, disable older protocols, use modern ciphers, enable OCSP stapling, and set HSTS after confirming HTTPS works across your site.<\/p>\n\n\n\n
Recommended Nginx Settings<\/strong><\/h3>\n\n\n\n
ssl_protocols TLSv1.3 TLSv1.2;\nssl_prefer_server_ciphers off;  # Let TLS 1.3 pick modern ciphers\nssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256';\n\nssl_session_timeout 1d;\nssl_session_cache shared:SSL:50m;\nssl_session_tickets off;\n\nssl_stapling on;\nssl_stapling_verify on;\nresolver 1.1.1.1 1.0.0.1 valid=300s;\nresolver_timeout 5s;\n\nadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;\nadd_header X-Content-Type-Options nosniff;\nadd_header X-Frame-Options SAMEORIGIN;\nadd_header Referrer-Policy no-referrer-when-downgrade;<\/code><\/pre>\n\n\n\n
Place these within the HTTPS server block or a global include. Only enable HSTS after you\u2019re certain all subdomains support HTTPS.<\/p>\n\n\n\n
Recommended Apache Settings<\/strong><\/h3>\n\n\n\n
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1\n# Apache will use TLS 1.2\/1.3 by default when available\n\nSSLCipherSuite          TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256\nSSLCipherSuite          TLSv1.2 HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!RC4\n\nSSLHonorCipherOrder     off\nSSLSessionTickets       off\n\nSSLUseStapling          on\nSSLStaplingResponderTimeout 5\nSSLStaplingReturnResponderErrors off\nSSLStaplingCache        shmcb:\/var\/run\/ocsp(128000)\n\nHeader always set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\nHeader set X-Content-Type-Options \"nosniff\"\nHeader set X-Frame-Options \"SAMEORIGIN\"\nHeader set Referrer-Policy \"no-referrer-when-downgrade\"<\/code><\/pre>\n\n\n\n
\n\n\n\n
Test and Validate Your TLS Setup<\/strong><\/h2>\n\n\n\n
Local CLI Tests<\/strong><\/h3>\n\n\n\n
# Check certificate and chain\nopenssl s_client -connect example.com:443 -servername example.com < \/dev\/null 2>\/dev\/null | openssl x509 -noout -issuer -subject -dates\n\n# Verify protocol support\ncurl -I --tlsv1.2 https:\/\/example.com\ncurl -I --tlsv1.3 https:\/\/example.com\n\n# Confirm HTTP -> HTTPS redirect\ncurl -I http:\/\/example.com<\/code><\/pre>\n\n\n\n
Online Scanners<\/strong><\/h3>\n\n\n\n
Use SSL Labs Server Test and Hardenize to audit protocol support, ciphers, certificate chain, and HSTS\/OCSP status. Aim for an A or A+ grade. Fix any chain or weak cipher warnings.<\/p>\n\n\n\n
Logging and Monitoring<\/strong><\/h3>\n\n\n\n
– Check Nginx error logs: <\/strong>\/var\/log\/nginx\/error.log
– Check Apache error logs:<\/strong> \/var\/log\/apache2\/error.log or \/var\/log\/httpd\/error_log
– Monitor certificate expiry:<\/strong> integrate check_ssl_cert or Prometheus exporters<\/p>\n\n\n\n
\n\n\n\n
Let\u2019s Encrypt vs Commercial Certificates (Quick Comparison)<\/strong><\/h2>\n\n\n\n
    \n
  • Let\u2019s Encrypt:<\/strong> Free, automated via Certbot, DV validation only, 90-day validity, ideal for most websites and APIs.<\/li>\n\n\n\n
  • Commercial (OV\/EV):<\/strong> Paid, organizational verification, may show org details in certificate, preferred for enterprises or regulatory needs.<\/li>\n\n\n\n
  • Both are equally secure cryptographically when configured with strong TLS settings.<\/li>\n<\/ul>\n\n\n\n
    Common TLS Issues and How to Fix Them<\/strong><\/h2>\n\n\n\n
      \n
    • Incomplete chain:<\/strong> Browser shows \u201cnot trusted.\u201d Ensure you install the full chain file or use Certbot\u2019s installed fullchain.pem.<\/li>\n\n\n\n
    • Wrong file permissions:<\/strong> Private keys must be readable by the web server user only (typically 600). Do not chmod 777 keys.<\/li>\n\n\n\n
    • Port 80\/443 blocked:<\/strong> Let\u2019s Encrypt validation fails. Open firewall and security group ports.<\/li>\n\n\n\n
    • Mixed content:<\/strong> Page loads HTTPS but references HTTP assets. Update URLs to HTTPS or use relative paths.<\/li>\n\n\n\n
    • Auto-renewal not running:<\/strong> Use \u201csudo certbot renew –dry-run\u201d and check systemd timers or cron logs.<\/li>\n\n\n\n
    • Old client compatibility: <\/strong>Keep TLS 1.2 enabled while prioritizing TLS 1.3 for modern clients.<\/li>\n<\/ul>\n\n\n\n
      Performance Tips for TLS at Scale<\/strong><\/h2>\n\n\n\n
        \n
      • Enable HTTP\/2 or HTTP\/3 (QUIC) to reduce latency and improve multiplexing.<\/li>\n\n\n\n
      • Use TLS session resumption (session cache\/tickets off for compliance-sensitive environments; otherwise tune as needed).<\/li>\n\n\n\n
      • Prefer ECDSA\/EdDSA certificates for performance if your clients support them; otherwise use RSA 2048.<\/li>\n\n\n\n
      • Enable OCSP stapling to reduce client lookups.<\/li>\n\n\n\n
      • Terminate TLS at a reverse proxy (Nginx) and keep upstream traffic private within a secure network.<\/li>\n<\/ul>\n\n\n\n
        Full Example on Ubuntu with Nginx and Certbot<\/strong> – Step-by-Step<\/strong> Guide<\/h2>\n\n\n\n
        # 1) Install Nginx\nsudo apt update && sudo apt install -y nginx\n\n# 2) Create a simple server block\nsudo bash -c 'cat >\/etc\/nginx\/sites-available\/example.conf' << \"EOF\"\nserver {\n    listen 80;\n    server_name example.com www.example.com;\n    root \/var\/www\/html;\n    index index.html;\n}\nEOF\nsudo ln -s \/etc\/nginx\/sites-available\/example.conf \/etc\/nginx\/sites-enabled\/\nsudo nginx -t && sudo systemctl reload nginx\n\n# 3) Allow firewall\nsudo ufw allow \"Nginx Full\"\n\n# 4) Issue certificate and auto-configure HTTPS\nsudo apt install -y certbot python3-certbot-nginx\nsudo certbot --nginx -d example.com -d www.example.com\n\n# 5) Harden TLS (adjust as desired)\nsudo bash -c 'cat >\/etc\/nginx\/snippets\/tls-hardening.conf' << \"EOF\"\nssl_protocols TLSv1.3 TLSv1.2;\nssl_prefer_server_ciphers off;\nssl_ciphers \"TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256\";\nssl_session_timeout 1d;\nssl_session_cache shared:SSL:50m;\nssl_session_tickets off;\nssl_stapling on;\nssl_stapling_verify on;\nresolver 1.1.1.1 1.0.0.1 valid=300s;\nresolver_timeout 5s;\nadd_header Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\" always;\nadd_header X-Content-Type-Options nosniff;\nadd_header X-Frame-Options SAMEORIGIN;\nadd_header Referrer-Policy no-referrer-when-downgrade;\nEOF\n\n# 6) Include hardening in your HTTPS server block\n# Edit the server block created by Certbot to: include snippets\/tls-hardening.conf;\n\nsudo nginx -t && sudo systemctl reload nginx\n\n# 7) Test\ncurl -I https:\/\/example.com\nopenssl s_client -connect example.com:443 -servername example.com < \/dev\/null | openssl x509 -noout -dates<\/code><\/pre>\n\n\n\n
        How This Helps SEO and Compliance<\/strong><\/h2>\n\n\n\n
          \n
        • SEO:<\/strong> HTTPS is a ranking signal; modern browsers mark HTTP as \u201cNot Secure.\u201d<\/li>\n\n\n\n
        • Security:<\/strong> Protects credentials, checkout sessions, API tokens, and forms.<\/li>\n\n\n\n
        • Compliance:<\/strong> Required by PCI DSS and recommended by ISO 27001 and GDPR guidance.<\/li>\n<\/ul>\n\n\n\n
          \n\n\n\n
          FAQ’s<\/strong><\/h2>\n\n\n
          \n
          \n
          \n
          Is TLS the same as SSL?<\/strong><\/h3>\n
          \n\n
          SSL is the older protocol; TLS is its modern, secure successor. People still say \u201cSSL certificate,\u201d but what you\u2019re actually deploying today is TLS (typically TLS 1.2\/1.3).<\/p>\n\n<\/div>\n<\/div>\n
          \n
          How do I enable TLS 1.3 on Nginx and Apache?<\/strong><\/h3>\n
          \n\n
          Use an up-to-date Nginx\/Apache and OpenSSL. In Nginx, set \u201cssl_protocols TLSv1.3 TLSv1.2;\u201d. In Apache, disable older protocols via SSLProtocol and ensure OpenSSL 1.1.1+ is used. Reload the server and verify with \u201ccurl –tlsv1.3\u201d.<\/p>\n\n<\/div>\n<\/div>\n
          \n
          Is Let\u2019s Encrypt safe for production?<\/strong><\/h3>\n
          \n\n
          Yes. Let\u2019s Encrypt issues widely trusted DV certificates using the same cryptography as commercial CAs. For organization validation (OV\/EV) policies, choose a commercial CA, but the encryption level is comparable.<\/p>\n\n<\/div>\n<\/div>\n
          \n
          How do I auto-renew certificates?<\/strong><\/h3>\n
          \n\n
          Certbot installs a timer or cron job to renew before expiry. Confirm with \u201csudo certbot renew –dry-run\u201d and ensure your firewall allows port 80 for HTTP-01 challenges. Production renewals are automatic.<\/p>\n\n<\/div>\n<\/div>\n
          \n
          How can I test my TLS configuration?<\/strong><\/h3>\n
          \n\n
          Use \u201copenssl s_client\u201d and \u201ccurl\u201d locally, then run an external scan with SSL Labs. Check your server logs for errors, confirm redirects, and verify that HSTS and OCSP stapling are active.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n
          \n\n\n\n
          Conclusion<\/strong><\/h2>\n\n\n\n
          Now you know how to use TLS on Linux server the right way\u2014get a certificate (Let\u2019s Encrypt or commercial), configure Nginx\/Apache with modern TLS 1.3 defaults, enforce HTTPS, and automate renewals. Keep testing and iterating to maintain an A+ security posture and the best possible user trust and SEO performance.<\/p>\n","protected":false},"excerpt":{"rendered":"
          To use TLS on a Linux server, install a trusted certificate (Let\u2019s Encrypt or commercial), configure your web server (Nginx […]<\/p>\n","protected":false},"author":21,"featured_media":13805,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[350],"tags":[],"class_list":["post-13244","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledgebase"],"acf":[],"featured_image_src":"https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/What-is-TLS-on-Linux-Server-1.jpg","author_info":{"display_name":"Sanjeet Chauhan","author_link":"https:\/\/www.youstable.com\/blog\/author\/sanjeet"},"_links":{"self":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/13244","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/comments?post=13244"}],"version-history":[{"count":9,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/13244\/revisions"}],"predecessor-version":[{"id":13807,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/13244\/revisions\/13807"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media\/13805"}],"wp:attachment":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media?parent=13244"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/categories?post=13244"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/tags?post=13244"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}