Since I use Nginx rather than Apache, I don’t have the same native tooling available as the current demo, and while working to demonstrate its capabilities for our next-generation servers I developed a few things, which I have open-sourced, to smooth out the process.
First, I have a cli.ini for letsencrypt that uses a larger key size. 2048 bits is the standard and quite common, but I try to keep ahead of the curve unless that is detrimental in some way.
Second, there is Generate.sh. Running this makes a session ticket key as well as 4096-bit DH parameters. This takes quite a while, and it does break older Java and IE implementations, but it works fine from IE 9 and above.
The .bash_aliases file contains the function definition for renew-ssl, which can be run as renew-ssl example.com or renew-ssl example.com -d www.example.com
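As an added example (not the author’s Generate.sh or .bash_aliases), here is how the two helpers described above can be written: one function rotates the session ticket key, checking the 48- or 80-byte size nginx’s ssl_session_ticket_key requires, and one builds the letsencrypt command from a primary domain plus any extra -d names. The webroot path and the cli.ini location are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the post's own scripts. Assumes the letsencrypt client
# and an nginx that serves /var/www/letsencrypt for the HTTP challenge.
set -euo pipefail

# nginx's ssl_session_ticket_key must be a file of exactly 48 or 80 random
# bytes; anything else makes nginx refuse to start. Write it mode 0600.
make_ticket_key() {
  local out="$1" old_umask
  old_umask=$(umask)
  umask 077
  head -c 80 /dev/urandom > "$out"
  umask "$old_umask"
}

# Returns 0 if the file is a usable ticket key (48 or 80 bytes), 1 otherwise.
check_ticket_key() {
  local size
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -eq 48 ] || [ "$size" -eq 80 ]
}

# Build the letsencrypt invocation for "primary [-d extra]...", mirroring the
# way the post's renew-ssl alias is called. Only "-d name" pairs are accepted
# after the primary domain; anything else is rejected rather than passed on.
# /etc/letsencrypt/cli.ini and /var/www/letsencrypt are assumed paths.
renew_ssl_cmd() {
  local primary="$1"; shift
  local cmd="letsencrypt certonly --config /etc/letsencrypt/cli.ini"
  cmd="$cmd --webroot -w /var/www/letsencrypt -d $primary"
  while [ "$#" -gt 0 ]; do
    if [ "$1" = "-d" ] && [ -n "${2:-}" ]; then
      cmd="$cmd -d $2"
      shift 2
    else
      printf 'renew_ssl_cmd: unexpected argument: %s\n' "$1" >&2
      return 1
    fi
  done
  printf '%s\n' "$cmd"
}
```

To actually renew, run the printed command (for example `eval "$(renew_ssl_cmd example.com -d www.example.com)"`) and reload nginx afterwards so the new key and ticket key are picked up.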
Finally there is the nginx.conf file, which contains the basic setup, extensionless PHP, SSL definitions for auto-updated keys, session tickets, DH parameters, protocols, and various cipher lists offering different balances between security and compatibility. It also includes OCSP stapling, HSTS, and SPDY, although I hope to replace SPDY with HTTP/2 soon.
It is possible to score 100% across the board with this configuration, but it breaks so many browsers that the default setting is a 90% minimum (shown above), which only fails on IE 6 and below (urgh) and Java 6 (now two versions behind, but still very popular).
Ultimately the final configuration is up to you, and it relies on the rest of your system being secure too, but this is where I will be starting from here on in.