SSL/TLS Certificates for .onion Sites
HTTPS on .onion sites provides defense-in-depth — even though Tor encrypts traffic end-to-end, an SSL certificate authenticates your .onion address and prevents attacks at the application layer. Since 2020, the CA/Browser Forum allows certificate authorities to issue DV certificates for .onion domains. Harica is the primary CA currently issuing these certificates, and this guide covers the entire process.
Why HTTPS on .onion Sites Matters
Tor provides transport-layer encryption between the client and the rendezvous point, but HTTPS adds application-layer security that addresses several additional threats. An SSL certificate for your .onion address proves to visitors that they have connected to the authentic site rather than a phishing clone with a similar-looking address.
HTTPS also enables HTTP/2, which significantly improves page load performance over Tor's already high-latency connections. Browsers display the familiar padlock icon, increasing user trust. Additionally, some web applications and APIs require HTTPS for features like service workers, secure cookies, and WebSocket connections.
The CA/Browser Forum's Ballot SC27 in 2020 formally allowed Certificate Authorities to issue Domain Validation certificates for .onion domains, treating them as special-use domains under RFC 7686. This opened the door for legitimate SSL/TLS on Tor hidden services.
Obtaining a Certificate from Harica
Harica (Hellenic Academic and Research Institutions CA) is the most accessible CA currently issuing .onion certificates. The process involves proving ownership of your .onion address by serving a validation token via your hidden service:
# 1. Create an account at harica.gr and request a DV certificate
# 2. Select "Server Certificate" and enter your .onion address
# 3. Harica provides a validation token file
# 4. Serve the token from your hidden service:
mkdir -p /var/www/onion/.well-known/pki-validation/
echo "harica-token-value-here" > \
/var/www/onion/.well-known/pki-validation/fileauth.txt
# 5. Harica validates by connecting to your .onion over Tor
# 6. Certificate is issued — download the full chain

The validation process requires Harica to connect to your .onion address over the Tor network and verify the token file is served correctly. This typically takes a few minutes to a few hours. Once validated, you receive your certificate and the intermediate CA chain.
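Steps 4 and 5 are where most validation attempts fail, so it pays to stage the token and check it yourself before Harica's validator connects. The POSIX shell script below is an added example, not code from this guide or from Harica; the webroot path, the token value and the .onion address are placeholders. It writes the token to the path step 4 uses, confirms the file holds exactly the expected value, and includes a function that fetches it the way the CA will, over plain HTTP through a local Tor client (tor, torsocks and curl are assumed to be installed), which you run by hand. One caveat on ordering: if the port-80 server block already redirects everything to HTTPS, the validator's plain-HTTP fetch may be redirected to a certificate you do not yet have, so exempt /.well-known/pki-validation/ from the redirect until the certificate is installed.

```shell
#!/bin/sh
# Added example: stage the Harica validation token and check it before the CA
# connects. The webroot, token and .onion address are placeholders.
set -eu

# Write TOKEN to WEBROOT/.well-known/pki-validation/fileauth.txt (the path
# used in step 4 above) and print the path written. The file is made
# world-readable so the nginx worker user can serve it.
stage_token() {
  webroot=$1
  token=$2
  dir="$webroot/.well-known/pki-validation"
  mkdir -p "$dir"
  printf '%s\n' "$token" > "$dir/fileauth.txt"
  chmod 644 "$dir/fileauth.txt"
  printf '%s\n' "$dir/fileauth.txt"
}

# 0 if the staged file contains exactly EXPECTED. A stray carriage return or
# an extra line from a copy-paste would make the CA's comparison fail, and
# this check catches that locally.
token_file_ok() {
  path=$1
  expected=$2
  [ -f "$path" ] || return 1
  actual=$(cat "$path")
  [ "$actual" = "$expected" ]
}

# Fetch the token the way the CA does: plain HTTP to the .onion address,
# routed through a local Tor client. Assumes tor, torsocks and curl are
# installed; run it by hand, it is not invoked automatically here.
check_over_tor() {
  onion=$1
  expected=$2
  got=$(torsocks curl -fsS --max-time 120 \
        "http://$onion/.well-known/pki-validation/fileauth.txt")
  [ "$got" = "$expected" ]
}

# Usage (placeholder values):
#   stage_token /var/www/onion harica-token-value-here
#   check_over_tor your56char.onion harica-token-value-here
```

Run `stage_token` on the server as a user that may write to the webroot, then `check_over_tor` from any machine with a running Tor client; if the second call fails while `token_file_ok` passes, the problem is in the torrc or nginx plumbing rather than the token.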
Installing the Certificate with Nginx
After obtaining your certificate files, configure Nginx to serve HTTPS on your .onion address. You will need to update your torrc to also forward port 443:
# /etc/tor/torrc
HiddenServiceDir /var/lib/tor/my_hidden_service/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 127.0.0.1:8443
HiddenServiceVersion 3

# /etc/nginx/sites-available/onion-ssl
server {
    listen 127.0.0.1:8080;
    server_name your56char.onion;
    return 301 https://$host$request_uri;
}

server {
    listen 127.0.0.1:8443 ssl http2;
    server_name your56char.onion;
    ssl_certificate /etc/ssl/onion/fullchain.pem;
    ssl_certificate_key /etc/ssl/onion/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    root /var/www/onion;
    index index.html;
    access_log off;
    error_log /dev/null;
}

Harica certificates are typically valid for one year. Set a calendar reminder to renew before expiration, as automated renewal via ACME is not yet widely supported for .onion domains.
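Before reloading nginx with the configuration above, and again ahead of the yearly renewal, it is worth checking the certificate files mechanically rather than waiting for a browser warning. The POSIX shell script below is an added example, not the guide's or Harica's code; it relies only on the openssl command-line tool, and the file paths and .onion address it takes as parameters are placeholders. It verifies that the leaf certificate lists the .onion address as a DNS subjectAltName (browsers match the SAN, not the CN), that the private key belongs to the certificate, and that the certificate stays valid for a chosen number of days, so the last check can stand in for the calendar reminder when run from cron.

```shell
#!/bin/sh
# Added example: sanity checks on a Harica-issued .onion certificate using the
# openssl CLI. Paths and the address are placeholders, not values from the guide.
set -eu

# 0 if the leaf certificate (the first PEM block in CERT, which is the leaf in
# a fullchain.pem) lists ONION as a DNS subjectAltName.
cert_has_san() {
  cert=$1
  onion=$2
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -Eq "DNS:${onion}(,|\$)"
}

# 0 if the public key embedded in CERT equals the one derived from KEY, so a
# mismatched pair is caught before nginx refuses to start.
key_matches_cert() {
  cert=$1
  key=$2
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if CERT is still valid DAYS days from now, 1 if it expires inside that
# window; openssl's -checkend does the date arithmetic portably.
cert_valid_for_days() {
  cert=$1
  days=$2
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Run all three checks, print one line per result, and return the number of
# failed checks (0 means everything is in order).
check_onion_cert() {
  cert=$1
  key=$2
  onion=$3
  warn_days=${4:-30}
  failed=0
  if cert_has_san "$cert" "$onion"; then
    echo "ok   SAN covers $onion"
  else
    echo "FAIL certificate does not list $onion"; failed=$((failed + 1))
  fi
  if key_matches_cert "$cert" "$key"; then
    echo "ok   private key matches certificate"
  else
    echo "FAIL private key does not match certificate"; failed=$((failed + 1))
  fi
  if cert_valid_for_days "$cert" "$warn_days"; then
    echo "ok   valid for more than $warn_days days"
  else
    echo "FAIL expires within $warn_days days, renew now"; failed=$((failed + 1))
  fi
  return "$failed"
}

# Usage (placeholder values):
#   check_onion_cert /etc/ssl/onion/fullchain.pem /etc/ssl/onion/privkey.pem your56char.onion 30
```

Run it once after copying the files into place and then `nginx -t` before reloading; for the renewal reminder, schedule `check_onion_cert ... 30` from cron and alert on a non-zero exit, which starts firing thirty days before the one-year certificate lapses.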
AnubizHost — HTTPS-Ready Tor Hosting
AnubizHost can assist with obtaining and installing Harica SSL certificates for your .onion hidden service. Our managed Tor hosting plans include pre-configured HTTPS support, and our team handles the certificate validation and renewal process for you.
With offshore servers in Iceland, Romania, and Finland, your HTTPS-enabled .onion site benefits from privacy-friendly jurisdictions and high-performance infrastructure. Pay with Bitcoin, Monero, or other cryptocurrencies — no KYC, no identity verification. Get a fully encrypted, authenticated .onion site running in minutes.