nginx_critical

CAUTION: The above config file assumes that the TLS/SSL certificate is stacked. A stacked/bundled certificate is the concatenation of the actual certificate and the local certificate authority chain of certificates.

Now we just have a few more steps:

Verify the TLS certificate

openssl x509 -in /etc/pki/tls/certs/example-stacked.crt -text -noout

Verify the TLS private key

openssl rsa -in /etc/pki/tls/private/example.pem -check

CAUTION: If your certificate or the private key is not correct, Nginx will not start. Check their validity before restarting Nginx.
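The two openssl commands above only confirm that each file parses. The failure that actually stops Nginx most often is a certificate and key that do not belong together, or a certificate that has already expired. The following pre-flight script is an added example, not part of this page's configuration: it wraps both checks from the page, then compares the public key inside the certificate with the one derived from the private key, checks the expiry window, and warns if the stacked file holds only one certificate (i.e. the CA chain was never appended). The function name check_tls_pair, its arguments and the 7-day default are assumptions; the paths in the usage line are the ones used on this page.

```shell
#!/bin/sh
# Added example: pre-flight check of a stacked certificate and its private key
# before restarting Nginx. check_tls_pair is a hypothetical helper written for
# this page, not a command shipped with OpenSSL or Nginx.

# check_tls_pair CERT KEY [DAYS]
# Returns 0 when CERT parses, KEY parses, KEY is the private half of the
# public key inside CERT, and CERT does not expire within DAYS (default 7).
check_tls_pair() {
    cert=$1
    key=$2
    days=${3:-7}
    secs=$((days * 86400))

    # 1. Certificate must be readable PEM (same as the page's "openssl x509" check).
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "FAIL: cannot parse certificate $cert" >&2
        return 1
    fi

    # 2. Private key must be readable (the page uses "openssl rsa -check";
    #    'pkey' is used here so EC keys are accepted as well).
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "FAIL: cannot parse private key $key" >&2
        return 1
    fi

    # 3. The key must belong to the certificate: hash the DER-encoded
    #    SubjectPublicKeyInfo derived from each side and compare. A mismatch
    #    is the classic reason Nginx refuses to start after a cert renewal.
    if ! cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
                    | openssl pkey -pubin -outform DER 2>/dev/null \
                    | openssl dgst -sha256); then
        echo "FAIL: cannot extract public key from $cert" >&2
        return 1
    fi
    if ! key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
                   | openssl dgst -sha256); then
        echo "FAIL: cannot derive public key from $key" >&2
        return 1
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2
        return 1
    fi

    # 4. Refuse a certificate that is expired or about to expire.
    #    -checkend exits 0 only if the certificate is still valid in SECS seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $days days (or is already expired)" >&2
        return 1
    fi

    # 5. Informational: a stacked/bundled file should carry the CA chain too,
    #    so more than one PEM block is expected.
    n=$(grep -c 'BEGIN CERTIFICATE' "$cert")
    if [ "$n" -lt 2 ]; then
        echo "WARN: $cert holds only $n certificate; is the CA chain appended?" >&2
    fi
    return 0
}

# Usage with the paths from this page, e.g.:
#   sh check_tls.sh /etc/pki/tls/certs/example-stacked.crt /etc/pki/tls/private/example.pem
# Only restart Nginx when the pair checks out and "nginx -t" accepts the config.
if [ $# -ge 2 ]; then
    check_tls_pair "$1" "$2" "${3:-7}" && nginx -t && systemctl restart nginx
fi
```

Run it with the certificate and key paths as arguments; it exits non-zero (and prints the reason on stderr) before touching Nginx if anything is wrong, so it is safe to put in front of the restart step in a deploy script.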

Some critical things that remain are:

Create or download non-standard Diffie-Hellman parameters.

Either generate new ones yourself:

openssl dhparam -outform pem -out /etc/pki/tls/dhparam.pem 2048

Or download from Mozilla:

curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/pki/tls/dhparam.pem

Tell SELinux that Nginx can connect

setsebool -P httpd_can_network_connect=true

Now we can restart Nginx:

systemctl restart nginx