Create & Secure NGINX Key/Certificate Store (Fedora/RedHat)

Securing NGINX (Fedora/RedHat)

Step 2a - Create and Secure NGINX Key & Certificate Store

Creating and Securing the NGINX Key/Certificate Store

Change to the NGINX Directory

 Copy cd /etc/nginx

Create the SSL Directory

 Copy mkdir ssl

Change permissions on the SSL Directory

 Copy chmod 644 ssl

Copy the Keys to the SSL directory

 Copy cp /etc/ssl/private/*.key /etc/nginx/ssl

Change permissions on the Keys

 Copy chmod 640 ssl/*.key

Copy the Certificates to the SSL directory

Do not forget to move the www_EXAMPLE_com.crt & EXAMPLE_com_CA.crt to the directory if you have a CA Signed Certificate

 Copy cp /etc/ssl/private/*.crt /etc/nginx/ssl

Change permissions on the Certificates

 Copy chmod 644 ssl/*.crt

Generating Diffie-Hellman (DH) and Elliptical Curve Parameters

With Perfect Forward Secrecy (PFS), if an attacker gets a hold of the server's private key, it will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a Man in the Middle attack (MiTM).
BTW - This procedure will take some time. Generating the DH Parameters puts a HUGE load on the server, so keep this in mind!

Change to the NGINX SSL directory

 Copy cd /etc/nginx/ssl

Generate the DH Params file (Mandatory Step - Takes a long time to generate)

We here at Zombie suggest 4096 bit (2048 bit is the minimum) but we use 8192 bit which takes a significant amount of time to create. Unless you really need 8192, use 4096 bit.

 Copy openssl dhparam -out dhparam.pem 4096

Set permissions on the DH PEM file (Mandatory Step)

 Copy chmod 640 *.pem

Change to the OpenSSL directory

 Copy cd /etc/ssl/certs

Generate the EC Params file (Recommended -EC generation is quick)

You can generate a file for each curve if you like or just the ones that are being used

 Copy openssl ecparam -name secp384r1 -out secp384r1.pem

Check the EC Param file

 Copy openssl ecparam -in secp384r1.pem -check

Creating a private key w/ the EC Parameters file

 Copy openssl ecparam -in secp384r1.pem -genkey -noout -out secp384r1.key

Creating a private key w/o the EC Parameters file

 Copy openssl ecparam -name secp384r1 -noout -out secp384r1.key -genkey

Set permissions of the EC Pem file

 Copy chmod 640 *.pem

To print out the EC Parameters to standard output

 Copy openssl ecparam -in secp384r1.pem -noout -text

List available EC Curves in OpenSSL

 Copy openssl ecparam -list_curves

Creating a private key with the X25519 Algorithm

 Copy openssl genpkey -algorithm X25519 -out X25519.key

Creating a private key with the X448 Algorithm

 Copy openssl genpkey -algorithm X448 -out X448.key

List available Algorithms in OpenSSL

 Copy openssl list -public-key-algorithms

PREVIOUS NEXT