How to enable TLS 1.3 in Nginx service of CentOS Cloud Servers (with Cipher Suites included)

2020-10-14 By Mark

Transport Layer Security (TLS) is a cryptographic protocol that secures data in transit over the internet. TLS 1.3 is faster than TLS 1.2 because the TLS 1.3 handshake is reduced to just one round-trip.

This can easily be enabled on a Linux-based server. This guide outlines the basic steps involved on a Linux CentOS server (provided the Nginx service is already installed on the server).


  1. Server running on CentOS 8.
  2. A valid domain name and properly configured A/AAAA/CNAME DNS records.
  3. A valid TLS certificate. This guide uses one from Let's Encrypt.
  4. Nginx version 1.13.0 or greater.
  5. OpenSSL version 1.1.1 or greater.

Before you begin:

  1. Check the CentOS version by using the below command.

    # cat /etc/centos-release


  2. By using the below command ensure that the server is up to date.

    # dnf update


  3. Install the needed packages by using the below command.

    # dnf install -y socat git wget unzip


Step A. Install the client and obtain a TLS certificate from Let's Encrypt. is used to install, renew and remove SSL certificates and it is written purely in Shell (Unix shell) language, compatible with bash, dash, and sh shells.

  1. Install with the below commands.

    # git clone
    # cd
    # ./ --install --accountemail [email protected]
    # cd ~
    # source ~/.bashrc



    NOTE: Replace the email address with your own email address.

  2. Check the version of

    # --version


  3. Obtain RSA and ECDSA certificates for the domain.

    # RSA
    # --issue --standalone -d --keylength 2048
    # ECDSA
    # --issue --standalone -d --keylength ec-256



  4. Create directories to store your certificates and keys, then install and copy the certificates to /etc/letsencrypt.

    # mkdir -p /etc/letsencrypt/
    # mkdir -p /etc/letsencrypt/testlayerstack.com_ecc


    # --install-cert -d --cert-file /etc/letsencrypt/ --key-file /etc/letsencrypt/ --fullchain-file /etc/letsencrypt/
    # --install-cert -d --ecc --cert-file /etc/letsencrypt/testlayerstack.com_ecc/cert.pem --key-file /etc/letsencrypt/testlayerstack.com_ecc/private.key --fullchain-file /etc/letsencrypt/testlayerstack.com_ecc/fullchain.pem



  5. After running the above commands, your certificates and keys will be in the below mentioned locations:

    RSA: /etc/letsencrypt/
    ECC/ECDSA: /etc/letsencrypt/testlayerstack.com_ecc

Step B. Configure Nginx for TLS 1.3

  1. Run the below command to install Nginx.

    # dnf install nginx


  2. Check the Nginx version, then start and enable the service using the below commands.

    # nginx -v
    # systemctl start nginx.service
    # systemctl enable nginx.service


  3. Open the below file and add the following basic configuration to it.

    # vim /etc/nginx/conf.d/

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        # RSA certificate and key
        ssl_certificate /etc/letsencrypt/;
        ssl_certificate_key /etc/letsencrypt/;
        # ECDSA certificate and key (fullchain.pem is the file written by --install-cert above)
        ssl_certificate /etc/letsencrypt/testlayerstack.com_ecc/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/testlayerstack.com_ecc/;
        # Offer TLS 1.3 and TLS 1.2 only
        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_prefer_server_ciphers on;
    }


  4. Save the file and exit.

    NOTE: Replace in commands with your valid domain name.

  5. Reload Nginx to activate the new configuration.

  6. Now you can verify TLS 1.3 by using any browser's dev tools or the SSL Labs service.
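
A pre-flight check for prerequisites 4 and 5 and the `ssl_protocols` line from Step B, added here as an example and not part of the original guide: it parses `nginx -V` output for the Nginx and OpenSSL build versions and confirms the configuration enables TLSv1.3. The function names and sample inputs are constructed for illustration, and rejecting protocols older than TLSv1.2 is an assumption beyond what the guide states.

```shell
# Added example: pre-flight checks for this guide's TLS 1.3 prerequisites.
# Function names are hypothetical; the sample inputs at the end are constructed.
# version_ge A B: succeed when dotted version A >= B ("1.1.1g" compares as 1.1.1).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = x[i] + 0; yi = y[i] + 0   # numeric prefix; missing field = 0
            if (xi != yi) exit (xi < yi)   # exit status 1 when A is older
        }
        exit 0
    }'
}

# check_build TEXT: TEXT is the output of `nginx -V 2>&1`.
check_build() {
    cb_ngx=$(printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p')
    cb_ssl=$(printf '%s\n' "$1" | sed -n 's|^built with OpenSSL \([0-9.]*[a-z]*\).*|\1|p')
    [ -n "$cb_ngx" ] && [ -n "$cb_ssl" ] || { echo "FAIL: could not parse nginx -V output"; return 2; }
    version_ge "$cb_ngx" 1.13.0 || { echo "FAIL: nginx $cb_ngx is older than 1.13.0"; return 1; }
    version_ge "$cb_ssl" 1.1.1 || { echo "FAIL: OpenSSL $cb_ssl is older than 1.1.1"; return 1; }
    echo "OK: nginx $cb_ngx built with OpenSSL $cb_ssl"
}

# check_protocols TEXT: TEXT is nginx configuration (for example from `nginx -T`).
check_protocols() {
    cp_list=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\([^;]*\);.*/\1/p' | head -n 1)
    [ -n "$cp_list" ] || { echo "FAIL: no ssl_protocols directive found"; return 1; }
    case " $cp_list " in
        *" TLSv1.3 "*) ;;
        *) echo "FAIL: TLSv1.3 is not enabled ($cp_list)"; return 1 ;;
    esac
    for cp_old in SSLv2 SSLv3 TLSv1 TLSv1.1; do   # assumption: reject pre-1.2 protocols
        case " $cp_list " in
            *" $cp_old "*) echo "FAIL: legacy protocol $cp_old is enabled"; return 1 ;;
        esac
    done
    echo "OK: ssl_protocols $cp_list"
}

# Constructed samples; on a real server pass "$(nginx -V 2>&1)" and "$(nginx -T 2>/dev/null)".
SAMPLE_NGINX_V='nginx version: nginx/1.14.1
built with OpenSSL 1.1.1g FIPS  21 Apr 2020'
SAMPLE_CONF='server {
    ssl_protocols TLSv1.3 TLSv1.2;
}'
check_build "$SAMPLE_NGINX_V"
check_protocols "$SAMPLE_CONF"
```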
