These commands assume your working directory is /etc/nginx (the cp targets are absolute, the chmod targets relative). The ssl directory needs the execute (search) bit or nothing inside it can be opened, so it gets 750; the private keys are readable by owner and group only (640).
chmod 750 ssl
cp /etc/ssl/private/*.key /etc/nginx/ssl
chmod 640 ssl/*.key
Do not forget to move www_EXAMPLE_com.crt and EXAMPLE_com_CA.crt into the same directory if you have a CA-signed certificate. Certificates are public, so 644 is fine for them:
cp /etc/ssl/private/*.crt /etc/nginx/ssl
chmod 644 ssl/*.crt
With Perfect Forward Secrecy (PFS), an attacker who later gets hold of the server's private key still cannot decrypt past sessions. The private key is only used to sign the (ephemeral) DH handshake, and that signature reveals nothing about the pre-master secret. Diffie-Hellman ensures the pre-master secret is derived independently on the client and the server and never travels over the wire, so a Man-in-the-Middle (MitM) recording the traffic cannot capture it.
BTW - this step will take some time. Generating the DH parameters puts a HUGE load on the server, so keep this in mind!
We here at Zombie suggest 4096-bit (2048-bit is the minimum); we use 8192-bit ourselves, which takes a very long time to generate. Unless you really need 8192, use 4096.
openssl dhparam -out dhparam.pem 4096
chmod 640 *.pem
You can generate a parameter file for each curve, or only for the ones you actually use. We here at Zombie will be using both secp521r1 and secp384r1 for our configuration. To see which curves your OpenSSL build supports:
openssl ecparam -list_curves
Write the named-curve parameters to a file, verify them, and derive a private key from them (the .key file needs the same protection as the other private keys above):
openssl ecparam -name secp384r1 -out secp384r1.pem
openssl ecparam -in secp384r1.pem -check
openssl ecparam -in secp384r1.pem -genkey -noout -out secp384r1.key
The same key can be produced in one step straight from the curve name, without the intermediate parameter file:
openssl ecparam -name secp384r1 -noout -out secp384r1.key -genkey
chmod 640 *.pem
To print the parameters in human-readable form (for a named curve this is just the OID and NIST name):
openssl ecparam -in secp384r1.pem -noout -text
The X25519 and X448 curves are handled by genpkey rather than ecparam:
openssl genpkey -algorithm X25519 -out X25519.key
openssl genpkey -algorithm X448 -out X448.key
To list the public-key algorithms your OpenSSL build supports:
openssl list -public-key-algorithms
Note that nginx selects key-exchange curves by name (the ssl_ecdh_curve directive) and does not load these curve files; they are useful for inspection and for generating EC keys. Only dhparam.pem is referenced directly from the configuration.
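As an added example (not code from the original page), here is a small POSIX sh audit for the directory assembled by the copy and chmod steps at the top and by the dhparam/ecparam/genpkey steps: it checks that the directory is searchable, that no key or parameter file is world-readable, that nothing is group- or world-writable, and warns when a server key has no certificate beside it. The /etc/nginx/ssl layout and the .key/.pem/.crt extensions are taken from the page; the function names and the repair helper are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: audit and repair the permissions
# of the nginx TLS directory built up in the steps above. Assumed layout is
# /etc/nginx/ssl holding *.key (private), *.pem (DH/EC parameters) and *.crt
# (public certificates); any directory can be passed for testing.

# audit_tls_dir DIR: print each finding, return 0 if clean, 1 otherwise.
audit_tls_dir() {
    dir=$1
    rc=0
    # A directory without its execute (search) bit cannot be entered, so the
    # key files inside it cannot be opened by an unprivileged process.
    if [ ! -d "$dir" ] || [ ! -x "$dir" ]; then
        echo "FAIL: $dir is missing or not searchable (needs the x bit, e.g. 750)"
        return 1
    fi
    # Private keys and parameter files must not be readable by 'other' (mode bit 004).
    bad=$(find "$dir" -type f \( -name '*.key' -o -name '*.pem' \) -perm -004)
    if [ -n "$bad" ]; then
        printf 'FAIL: world-readable private material:\n%s\n' "$bad"
        rc=1
    fi
    # Nothing in the directory should be writable by group (020) or other (002).
    bad=$(find "$dir" -type f \( -perm -002 -o -perm -020 \))
    if [ -n "$bad" ]; then
        printf 'FAIL: group- or world-writable:\n%s\n' "$bad"
        rc=1
    fi
    # A server key without a certificate next to it usually means a copy step was skipped.
    for k in "$dir"/*.key; do
        [ -e "$k" ] || continue                      # glob matched nothing
        case "$(basename "$k")" in
            secp*|X25519*|X448*) continue ;;         # curve keys from the ecparam/genpkey steps
        esac
        [ -e "${k%.key}.crt" ] || echo "WARN: $k has no matching ${k%.key}.crt"
    done
    return $rc
}

# fix_tls_dir DIR: apply the intended modes (750 dir, 640 keys/params, 644 certs).
fix_tls_dir() {
    dir=$1
    chmod 750 "$dir"
    find "$dir" -type f \( -name '*.key' -o -name '*.pem' \) -exec chmod 640 {} +
    find "$dir" -type f -name '*.crt' -exec chmod 644 {} +
}

# Usage: sh tls-perms.sh /etc/nginx/ssl   (audit only; run fix_tls_dir by hand)
if [ -n "${1:-}" ]; then
    audit_tls_dir "$1"
fi
```

The audit tests mode bits rather than trying to open the files, so it gives the same answer whether it is run as root or as an ordinary user; the repair function deliberately leaves ownership alone, since who owns /etc/nginx/ssl depends on the distribution.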