Securing NGINX (Debian/Ubuntu)

Step 2a - Create and Secure NGINX Key & Certificate Store

Creating and Securing the NGINX Key/Certificate Store

Change to the NGINX Directory

 cd /etc/nginx

Create the SSL Directory

 mkdir ssl 

Change permissions on the SSL Directory

 # a directory needs the execute (search) bit to be entered; mode 644 would leave ssl/ unusable for any non-root process
 chmod 755 ssl

Copy the Keys to the SSL directory

 cp /etc/ssl/private/*.key /etc/nginx/ssl 

Change permissions on the Keys

 chmod 640 ssl/*.key

Copy the Certificates to the SSL directory

Do not forget to move www_EXAMPLE_com.crt and EXAMPLE_com_CA.crt into the directory as well if you have a CA-signed certificate.

 cp /etc/ssl/private/*.crt /etc/nginx/ssl 

Change permissions on the Certificates

 chmod 644 ssl/*.crt
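As an added check (not part of the original guide), the shell function below audits a store laid out as above against the modes used in these steps: private keys and dhparam.pem no more open than 640, certificates and other PEM files no more open than 644, and the directory itself carrying its execute bit and not writable by group or others. It assumes GNU stat as shipped on Debian/Ubuntu and the file naming used here (.key, .crt, dhparam.pem).

```shell
# Added audit helper, not part of the original guide. Assumes GNU stat (Debian/Ubuntu).
# Prints one line per problem and returns 0 only when every file passes.
audit_ssl_store() {
    dir="$1"
    rc=0
    # The directory needs the execute (search) bit, or nothing inside can be
    # opened by a non-root process; it must not be group- or world-writable.
    dmode=$(stat -c '%a' "$dir") || return 1
    case "$dmode" in
        7[0-5][0-5]) ;;
        *) echo "BAD dir  $dir mode $dmode (expected 750 or 755)"; rc=1 ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case "$f" in
            *.key|*dhparam*.pem)
                # Private material: owner rw, group r at most, never world-readable.
                case "$mode" in
                    6[04]0|400) ;;
                    *) echo "BAD key  $f mode $mode (expected 640)"; rc=1 ;;
                esac ;;
            *.crt|*.pem)
                # Public material: world-readable is fine, writable by others is not.
                case "$mode" in
                    6[04][04]|4[04][04]) ;;
                    *) echo "BAD cert $f mode $mode (expected 644)"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}
```

Run it as `audit_ssl_store /etc/nginx/ssl` after the copy and chmod steps; a non-zero exit means at least one file or the directory still has the wrong mode.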

Generating Diffie-Hellman (DH) and Elliptic Curve Parameters

With Perfect Forward Secrecy (PFS), an attacker who gets hold of the server's private key still cannot decrypt past sessions. The private key is only used to sign the DH handshake, and that signature reveals nothing about the pre-master secret. Diffie-Hellman ensures that the pre-master secret is derived independently on the client and the server and never travels over the wire, so a Man in the Middle (MiTM) cannot intercept it.
BTW - this step takes a while. Generating the DH parameters puts a HUGE load on the server, so keep this in mind!

Change to the NGINX SSL directory

 cd /etc/nginx/ssl

Generate the DH Params file (Mandatory Step - takes a long time to generate)

We here at Zombie suggest 4096 bit (2048 bit is the minimum); we ourselves use 8192 bit, which takes a significant amount of time to create. Unless you really need 8192, use 4096 bit.

 openssl dhparam -out dhparam.pem 4096

Set permissions on the DH PEM file (Mandatory Step)

 chmod 640 *.pem

Change to the OpenSSL directory

 cd /etc/ssl/certs

Generate the EC Params file (Recommended - EC generation is quick)

You can generate a file for each curve if you like, or just for the ones being used. We here at Zombie will be using both secp521r1 and secp384r1 in our configuration.

 openssl ecparam -name secp384r1 -out secp384r1.pem

Check the EC Param file

 openssl ecparam -in secp384r1.pem -check

Creating a private key with the EC Parameters file

 openssl ecparam -in secp384r1.pem -genkey -noout -out secp384r1.key

Creating a private key without the EC Parameters file

 openssl ecparam -name secp384r1 -noout -out secp384r1.key -genkey

Set permissions on the EC PEM file

 # only the file generated above: a bare *.pem in /etc/ssl/certs would also change the mode of the system CA certificates linked there
 chmod 640 secp384r1.pem

To print out the EC Parameters to standard output

 openssl ecparam -in secp384r1.pem -noout -text

List available EC Curves in OpenSSL

 openssl ecparam -list_curves

Creating a private key with the X25519 Algorithm

 openssl genpkey -algorithm X25519 -out X25519.key 

Creating a private key with the X448 Algorithm

 openssl genpkey -algorithm X448 -out X448.key

List available Algorithms in OpenSSL

 openssl list -public-key-algorithms