
SSL/TLS Config Generator

Generate secure SSL/TLS configurations for Nginx, Apache, Caddy, and HAProxy with Modern, Intermediate, or Legacy security levels.

Generated Configuration

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;

    # Intermediate configuration - TLS 1.2+
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Disable session tickets for forward secrecy
    ssl_session_tickets off;

    # HSTS
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/certs/chain.pem;
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;
}

What is SSL/TLS Config Generator?

SSL/TLS Config Generator is a free online tool that creates secure SSL/TLS configurations for popular web servers including Nginx, Apache, Caddy, and HAProxy. Choose from Modern (TLS 1.3 only), Intermediate (TLS 1.2+), or Old (TLS 1.0+) security levels, customize certificate paths, and toggle HSTS, OCSP stapling, and session tickets. The generated configuration follows Mozilla's SSL Configuration recommendations.

Common Use Cases

Server Hardening

Generate secure TLS configurations when setting up or hardening production web servers.

Compliance Requirements

Create configurations that meet PCI DSS, HIPAA, or other compliance standards for TLS.

Migration Planning

Generate configs for different security levels when planning TLS version upgrades.

Multi-Server Environments

Quickly produce consistent SSL configurations across Nginx, Apache, Caddy, and HAProxy.

How to Use This Tool

  1. Select your web server (Nginx, Apache, Caddy, or HAProxy)
  2. Choose a security level: Modern (TLS 1.3), Intermediate (TLS 1.2+), or Old (TLS 1.0+)
  3. Enter your certificate, key, and chain file paths
  4. Toggle HSTS, OCSP stapling, and session tickets as needed
  5. Copy the generated configuration and paste it into your server config file
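Before pasting a generated block into a server config, it can be checked against the Intermediate settings shown in the generated configuration above. The Python sketch below is an added example, not part of the tool: the names directives, audit_nginx_tls and SAMPLE are hypothetical, the parser is deliberately simplified, and SAMPLE is a constructed weak config.

```python
import re

def directives(conf):
    """Simplified nginx parser: directive name -> list of argument strings."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments (assumes no '#' in values)
    out = {}
    # Quote-aware: a ';' inside the quoted HSTS value does not end the directive.
    for stmt in re.findall(r'((?:"[^"]*"|[^;{}"])+);', conf):
        parts = stmt.split(None, 1) + [""]
        if parts[0]:
            out.setdefault(parts[0], []).append(parts[1].strip())
    return out

def audit_nginx_tls(conf):
    """Return findings where conf departs from the page's Intermediate block."""
    d, findings = directives(conf), []
    protos = set(" ".join(d.get("ssl_protocols", [])).split())
    if not protos:
        findings.append("ssl_protocols not set")
    for p in sorted(protos - {"TLSv1.2", "TLSv1.3"}):
        findings.append(f"protocol outside TLS 1.2/1.3: {p}")
    for c in filter(None, ":".join(d.get("ssl_ciphers", [])).split(":")):
        if not (c.startswith(("ECDHE-", "DHE-")) and ("GCM" in c or "CHACHA20" in c)):
            findings.append(f"cipher outside the ECDHE/DHE AEAD set: {c}")
    if d.get("ssl_session_tickets", ["on"])[-1] != "off":  # nginx default is on
        findings.append("session tickets enabled")
    hsts = [a for a in d.get("add_header", []) if a.lower().startswith("strict-transport-security")]
    if not hsts:
        findings.append("HSTS header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[-1])
        if not m or int(m.group(1)) < 63072000:  # the page's default, 2 years
            findings.append("HSTS max-age below 63072000")
        if not hsts[-1].endswith("always"):
            findings.append("HSTS header lacks 'always'")
    stapling = d.get("ssl_stapling", ["off"])[-1] == "on"  # nginx default is off
    if not stapling:
        findings.append("OCSP stapling disabled")
    for need in ("ssl_trusted_certificate", "resolver"):
        if stapling and need not in d:
            findings.append(f"ssl_stapling on but {need} missing")
    return findings

# Constructed sample with deliberate weaknesses (not from the page).
SAMPLE = """server {
    ssl_protocols TLSv1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA;
    add_header Strict-Transport-Security "max-age=300; includeSubDomains";
    ssl_stapling on;
}"""
```

Calling audit_nginx_tls(SAMPLE) returns seven findings; the Intermediate block from the generated configuration returns an empty list.
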

Frequently Asked Questions

Which security level should I choose?

Use Modern (TLS 1.3 only) for maximum security if all your clients support it. Intermediate (TLS 1.2+) is the best balance for most websites. Use Old (TLS 1.0+) only if you must support very old clients like IE 11 on Windows 7.

What is HSTS and should I enable it?

HSTS (HTTP Strict Transport Security) tells browsers to always use HTTPS. You should enable it on production sites that are fully HTTPS. The default max-age of 63072000 seconds (2 years) is recommended.

What is OCSP stapling?

OCSP stapling lets your server provide certificate revocation status directly, improving TLS handshake performance and user privacy. It is recommended to enable it.

Is my configuration data sent to any server?

No. Everything runs entirely in your browser. No data is transmitted or stored anywhere.
