SSL/TLS Configuration Generator
Generate secure SSL/TLS configs for Nginx, Apache, Caddy, HAProxy, and Traefik. Based on Mozilla’s recommendations.
Security Level
Modern: A+ rating, TLS 1.3 only, may break old clients
Intermediate: Good balance of security and compatibility
Old: Maximum compatibility, lower security
Features
HSTS (HTTP Strict Transport Security): Forces HTTPS connections and prevents downgrade attacks
HSTS Preload: Include domain in browser preload lists (requires HSTS)
OCSP Stapling: Improves performance by bundling certificate status
Session Resumption: Faster reconnections by reusing TLS sessions
HTTP/2: Enable HTTP/2 protocol for better performance
Certificate Pinning: Pin specific certificates (advanced, risky if misconfigured)
Frequently Asked Questions
What’s the difference between Modern, Intermediate, and Old security levels?
Modern uses only TLS 1.3 with the strongest ciphers for maximum security but may break older clients. Intermediate supports TLS 1.2 and 1.3 with strong ciphers for balanced security and compatibility. Old includes legacy protocols and weaker ciphers for maximum compatibility with very old clients.
Should I enable HSTS and HSTS Preload?
Yes, HSTS prevents downgrade attacks and ensures all connections use HTTPS. HSTS Preload adds your domain to browser preload lists but requires careful consideration – once enabled, it’s difficult to reverse. Only enable preload if you’re confident your site will always support HTTPS.
Is certificate pinning safe to use?
Certificate pinning provides strong protection against certificate authority compromise but is risky if misconfigured. If your pinned certificate expires or changes and the configuration is not updated, you’ll lock out all users. Only use pinning if you have robust certificate management processes in place.
How do I test my SSL/TLS configuration?
Use tools like SSL Labs Server Test, our SSL Checker tool, or command-line tools like openssl s_client and testssl.sh. These tools verify your cipher suites and protocol support, and identify potential security issues.
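A static check of the config file complements those scanners. This added example (not part of the generator or the original page) classifies an Nginx ssl_protocols line into the Modern/Intermediate/Old levels described above and flags an HSTS preload directive that lacks the one-year max-age and includeSubDomains the browser preload list requires. The function names and both sample configs are constructed for illustration.

```python
import re
# Protocol sets for the security levels as this page describes them.
MODERN = {"TLSv1.3"}
INTERMEDIATE = {"TLSv1.2", "TLSv1.3"}
PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age for preload submission

def classify_protocols(conf):
    """Map the ssl_protocols directive to 'modern', 'intermediate' or 'old'."""
    m = re.search(r"^[ \t]*ssl_protocols\s+([^;]+);", conf, re.MULTILINE)
    if not m:
        return None  # directive absent (or commented out): server default applies
    protos = set(m.group(1).split())
    if protos == MODERN:
        return "modern"
    return "intermediate" if protos <= INTERMEDIATE else "old"

def audit_hsts(conf):
    """Return findings for the Strict-Transport-Security add_header line."""
    m = re.search(r'^[ \t]*add_header\s+Strict-Transport-Security\s+"([^"]*)"',
                  conf, re.MULTILINE | re.IGNORECASE)
    if not m:
        return ["no HSTS header"]
    value = m.group(1).lower()
    directives = {d.strip() for d in value.split(";") if d.strip()}
    age = re.search(r"max-age=(\d+)", value)
    max_age = int(age.group(1)) if age else None
    findings = []
    if max_age is None:
        findings.append("max-age missing")
    if "preload" in directives:
        if max_age is None or max_age < PRELOAD_MIN_AGE:
            findings.append("preload without max-age of at least one year")
        if "includesubdomains" not in directives:
            findings.append("preload without includeSubDomains")
    return findings

# Constructed sample configs (assumptions for this example, not generator output).
WEAK = '''server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=86400; preload" always;
}'''
FIXED = '''server {
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}'''

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, classify_protocols(conf), audit_hsts(conf))
```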
How often should I update my SSL/TLS configuration?
Review your configuration every 6-12 months or when new vulnerabilities are discovered. Stay updated with Mozilla’s SSL Configuration Generator recommendations, disable deprecated protocols and ciphers, and ensure you’re using current TLS versions.
Founded
2023 in London, UK
Contact
hello@releaserun.com