Let us create a place to securely hold the Public/Private Keys and Certificates
chmod 644 ssl/
cp /etc/pki/tls/private/*.key /etc/httpd/ssl
chmod 640 ssl/*.key
Do not forget to move the www_EXAMPLE_com.crt & EXAMPLE_com_CA.crt to the directory if you have a CA Signed Certificate
cp /etc/pki/tls/private/*.crt /etc/httpd/ssl
chmod 644 ssl/*.crt
With Forward Secrecy, if an attacker gets a hold of the server's private key, it will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a Man in the Middle attack (MiTM).
BTW - This procedure will take some time. Generating the DH Parameters puts a HUGE load on the server, so keep this in mind!
If you have time, we recommend using 8192 instead of 4096 bit in the command below.
openssl dhparam -out dhparam.pem 4096
chmod 640 *.pem
You can generate a file for each curve if you like or just the ones that are being used
openssl ecparam -name prime256v1 -out prime256v1.pem
openssl ecparam -in prime256v1.pem -check
openssl ecparam -in prime256v1.pem -genkey -noout -out prime256v1.key
openssl ecparam -name (prime256v1 or secp384r1 or secp521r1) -noout -out ec_key.pem -genkey
chmod 640 *.pem
openssl ecparam -in prime256v1.pem -noout -text
openssl ecparam -list_curves
You can append the DHparams you generated earlier to the end of your certificate file. The documentation for that is here