Privacy & Security
Apr 19, 2026

Nginx SSL Configuration Guide

ssl_protocols, ssl_ciphers, session ticket rotation, the stapling resolver, and HTTP/2 ALPN on nginx.

TLS on nginx terminates HTTPS: point ssl_certificate at the full chain (leaf plus intermediates) and ssl_certificate_key at the private key. Choose protocols and ciphers from a maintained profile (for example, Mozilla's intermediate profile). ssl_stapling staples OCSP responses to the handshake; configure ssl_trusted_certificate and a resolver so nginx can fetch and refresh those responses itself. Enable HTTP/2 on TLS listeners when clients support it; HTTP/3 needs a separate quic listener where the build supports it.
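As an added worked example (not part of the article and not a vendor-supplied file), here is a server block that applies the directives above. The domain, certificate paths, ticket key paths and resolver address are placeholders to replace with your own; the cipher list follows the Mozilla intermediate profile.

```nginx
# Added example: TLS termination with full chain, maintained cipher profile,
# session reuse with rotated ticket keys, OCSP stapling and HTTP/2.
# All paths, the domain and the resolver address are placeholders.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;                       # nginx >= 1.25.1; older builds use "listen 443 ssl http2;"
    server_name example.com;

    # Full chain: leaf certificate followed by the intermediate issuers
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;

    # Mozilla intermediate profile: TLS 1.2 and 1.3 only, AEAD suites only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;  # every listed suite is acceptable, let TLS 1.2 clients choose

    # Session reuse: a shared cache across workers (about 4000 sessions per MB)
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    # Session tickets with rotated keys. Each file holds 80 random bytes
    # (e.g. "openssl rand 80 > current.key"). The first key encrypts new
    # tickets; the second is only accepted for decryption, so tickets issued
    # before the last rotation keep working. A scheduled job moves current ->
    # previous, writes a fresh current and reloads nginx. If you would rather
    # not manage keys, "ssl_session_tickets off;" is the simpler choice.
    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/ticket_keys/current.key;
    ssl_session_ticket_key /etc/nginx/ticket_keys/previous.key;

    # OCSP stapling: nginx fetches responses itself, so it needs the issuer
    # chain to verify them and a resolver to look up the responder host
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example.com/chain.pem;   # intermediates (+ root)
    resolver 192.0.2.53 valid=300s;   # placeholder: your internal DNS resolver
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        root /var/www/example.com;
    }
}
```

Check the file with `nginx -t` before reloading. The first handshake after a reload may not carry a staple because nginx fetches the OCSP response asynchronously; stapling failures appear in the error log and can be checked from outside with `openssl s_client -status`.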

| Topic | Directive | Risk if wrong |
| --- | --- | --- |
| Chain completeness | ssl_certificate fullchain | Some clients fail trust checks |
| OCSP stapling | ssl_stapling + resolver | Slow handshakes or stapling failures |
| Session reuse | ssl_session_cache | Higher CPU if cache too small |

Related

security headers, server blocks, performance tuning, reverse proxy

Frequently Asked Questions

Q. Why use fullchain.pem instead of only the leaf certificate?

Clients must receive the intermediate issuers; without them, trust chains break on strict verifiers.

Q. What does ssl_stapling do?

It caches OCSP responses from the CA and sends them in the handshake, so clients avoid extra round trips to the responder.

Q. Which TLS protocols should I enable?

Follow a current profile, typically TLS 1.2 and later, and drop legacy protocols that enable known attacks.

Q. How should session ticket keys be managed?

Rotate ticket keys on a schedule and keep them secret; a compromised key lets attackers decrypt sessions resumed with it.

Q. Why configure a resolver for stapling?

nginx must resolve OCSP responder hostnames periodically; resolver sets the DNS servers used for that refresh.

Q. What is ssl_prefer_server_ciphers for?

It lets the server's cipher order take precedence over the client's during TLS 1.2 negotiation; TLS 1.3 negotiation works differently.

Q. How do I enable HTTP/2 on nginx?

Add http2 to the TLS listen directive where supported and verify ALPN negotiation with your OpenSSL build.

Q. What breaks if OCSP stapling cannot fetch?

Clients may fall back to live OCSP queries or fail in strict environments; monitor the error log for stapling warnings.
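The checks the FAQ describes (full chain delivered, OCSP response stapled, TLS 1.2+ and ALPN negotiated) can be verified from outside the server. The script below is an added example, not from the article: check_tls_endpoint queries a live host with the openssl CLI (assumed to be installed), while parse_s_client and evaluate_tls work on captured s_client output, so they can be exercised offline on the constructed sample outputs embedded at the bottom.

```shell
#!/bin/sh
# Added example, not from the article. Inspects an HTTPS listener the way the
# FAQ above describes: how many certificates were sent, whether an OCSP
# response was stapled, and which protocol and ALPN were negotiated.

# Reduce `openssl s_client -status -alpn ...` output to one summary line.
parse_s_client() {
    out="$1"
    # one " N s:" line per certificate in the "Certificate chain" section
    depth=$(printf '%s\n' "$out" | grep -c '^ *[0-9][0-9]* s:' || true)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        stapled=yes
    else
        stapled=no
    fi
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    alpn=$(printf '%s\n' "$out" | sed -n 's/^ALPN protocol: *//p' | head -n 1)
    printf 'chain_depth=%s stapled=%s protocol=%s alpn=%s\n' \
        "$depth" "$stapled" "${proto:-unknown}" "${alpn:-none}"
}

# Turn a summary line into findings: "ok" or a space-separated list.
evaluate_tls() {
    summary="$1"
    findings=""
    depth=${summary#chain_depth=};  depth=${depth%% *}
    stapled=${summary#*stapled=};   stapled=${stapled%% *}
    proto=${summary#*protocol=};    proto=${proto%% *}
    # leaf only: strict verifiers cannot build the chain
    [ "$depth" -ge 2 ] || findings="$findings leaf-only-chain"
    # no staple: clients fall back to live OCSP or fail in strict setups
    [ "$stapled" = yes ] || findings="$findings no-ocsp-staple"
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) findings="$findings legacy-or-unknown-protocol" ;;
    esac
    findings=${findings# }
    echo "${findings:-ok}"
}

# Live check (needs network and the openssl CLI). Usage: check_tls_endpoint host [port]
check_tls_endpoint() {
    host="$1"; port="${2:-443}"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
            -status -alpn h2,http/1.1 2>&1 || true)
    summary=$(parse_s_client "$out")
    echo "$summary"
    evaluate_tls "$summary"
}

# Constructed samples in the shape of real s_client output (not real captures).
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
======================================
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
 1 s:C = US, O = Example CA, CN = Example Intermediate R1
   i:C = US, O = Example CA, CN = Example Root X1
---
ALPN protocol: h2
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
---'

SAMPLE_LEAF_ONLY='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate R1
---
No ALPN negotiated
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
---'

if [ $# -gt 0 ]; then
    check_tls_endpoint "$@"
else
    evaluate_tls "$(parse_s_client "$SAMPLE_GOOD")"        # ok
    evaluate_tls "$(parse_s_client "$SAMPLE_LEAF_ONLY")"   # leaf-only-chain no-ocsp-staple
fi
```

Run it with a hostname to test a live listener, or with no arguments to see the verdicts on the two samples. A "no-ocsp-staple" finding right after a reload is expected once, because nginx fetches the first response asynchronously; if it persists, check the error log and the resolver setting.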