Installation and Upgrade > Advanced Deployment Considerations > Authentication > TLS 1.2 and TLS 1.3 Support for Windchill
  
TLS 1.2 and TLS 1.3 Support for Windchill
Starting Windchill 12.0.2.0, TLS 1.3 is a supported option and is set as the default configuration. TLS 1.2 support is continued and can be configured manually as mentioned below in the same topic.
Following Windchill clients and integrated solutions do not support TLS 1.3:
Thingworx/Navigate
Cognos
Windchill with CAC PKI authentication.
* 
PTC does not recommend TLS 1.1 (or earlier) configurations. You can use TLS 1.2 or TLS 1.3 in Windchill configurations.
Enabling TLS 1.2
Option to configure TLS 1.2 manually is available. Follow the below mentioned steps for the TLS 1.2 configuration:
1. Update the mod_ssl.conf.template file located at <ApacheHome>/conf/template/ as below:

SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2
2. Run the command from Windchill shell and <Apache_Home>:
ant -f config.xml reconfigure
3. Restart the Apache HTTP server.
Configuring TLS 1.3 CipherSuites for Windchill
Windchill does not explicitly set any CipherSuite value OOTB for TLS 1.3. Windchill Apache HTTP Server uses OpenSSL for TLS implementation. If you want to update the WindchillTLS 1.3 CipherSuite configuration, follow the Apache HTTP Server 2.4 documentation for SSLCipherSuite and SSLProxyCipherSuite directives.
For more information on TLS 1.3 CipherSuites, refer OpenSSL article TLS 1.3. Follow the below mentioned steps after configuring TLS 1.3 CipherSuites for Windchill.
Run the command below from <Apache_Home> and Windchill shell.
ant -f config.xml reconfigure
Restart Apache HTTP Server.