Perfect forward secrecy and HSTS with nginx

Today, I enabled perfect forward secrecy on my nginx installation. I’m writing down the config so I can easily find it later.
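The post above does not reproduce the configuration itself, so here is an added example (my own, not the author's config) of the nginx settings that give forward secrecy plus HSTS. The domain, certificate paths and cipher list are assumptions; the cipher list restricts key exchange to ECDHE so that a later compromise of the server's private key cannot decrypt recorded sessions.

```nginx
# Added example, not the post's own config. Domain and paths are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Forward secrecy: only ephemeral (EC)DHE key exchange is offered, so the
    # long-term server key never protects session keys. TLS 1.3 is ECDHE-only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:secp384r1;
    # Only needed if DHE-* suites are also enabled (generate with: openssl dhparam -out dhparam.pem 2048)
    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Caveat: session tickets are encrypted with a key nginx generates at start
    # and keeps until restart. A long-lived ticket key undermines forward
    # secrecy, so either disable tickets or rotate ssl_session_ticket_key.
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # HSTS: browsers refuse plain HTTP to this host for max-age seconds.
    # Start with a short max-age and without includeSubDomains until every
    # subdomain serves valid TLS; "always" also sends the header on errors.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

# Plain HTTP only redirects; HSTS must be sent on the HTTPS response.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

To check the result after `nginx -t && nginx -s reload`: `openssl s_client -connect example.com:443 -cipher 'RSA' </dev/null` should fail the handshake (no non-ephemeral suites left), while `curl -sI https://example.com | grep -i strict-transport` should show the HSTS header.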

Certificate signing with an ePass2003

I have a fairly creative SSL setup on my webserver: I run my own ‘certificate authority’ which signs the server certificate; I have a bunch of alternative names specified; the CA certificate and its key sit on an ePass2003 PKI token. I’m writing down how I sign certificates in this context so I can use this to look up the procedure instead of spending hours searching DuckDuckGo. This is more of a tutorial than elegant prose.
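The signing procedure is not on this page, so here is an added example (mine, not the author's script) of signing a server CSR with a CA key kept on an ePass2003 through OpenSC's PKCS#11 module and the OpenSSL `pkcs11` engine from libp11. The module path, the token and key labels in the PKCS#11 URI, the file names and the validity period are all assumptions; check the labels with `pkcs11-tool --list-objects` before using them.

```sh
#!/bin/sh
# Added example, not the post's own procedure. Assumes OpenSC and the libp11
# engine are installed and that openssl.cnf (or p11-kit) points the engine at
# the OpenSC module. Labels below are placeholders.
set -eu

MODULE=/usr/lib/opensc-pkcs11.so                                  # assumed path
CA_KEY_URI='pkcs11:token=ePass2003;object=ca-key;type=private'    # assumed labels
CA_CERT=ca.crt                                                    # CA cert on disk

# Emit an OpenSSL extension section carrying every alternative name as a
# DNS SAN, plus the usual server-certificate constraints.
# Usage: san_ext_config example.com www.example.com mail.example.com
san_ext_config() {
    sans=""
    for name in "$@"; do
        sans="${sans:+$sans,}DNS:$name"
    done
    printf '[server_ext]\n'
    printf 'basicConstraints=CA:FALSE\n'
    printf 'keyUsage=digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=serverAuth\n'
    printf 'subjectAltName=%s\n' "$sans"
}

# Sign a CSR with the on-token CA key (openssl prompts for the token PIN),
# then verify the chain and show the SANs that actually ended up in the cert.
# Usage: sign_csr server.csr server.crt example.com www.example.com
sign_csr() {
    csr=$1; out=$2; shift 2
    ext=$(mktemp)
    san_ext_config "$@" > "$ext"
    openssl x509 -req -days 365 -sha256 \
        -in "$csr" -out "$out" \
        -CA "$CA_CERT" \
        -engine pkcs11 -CAkeyform engine -CAkey "$CA_KEY_URI" \
        -CAcreateserial \
        -extfile "$ext" -extensions server_ext
    rm -f "$ext"
    openssl verify -CAfile "$CA_CERT" "$out"
    openssl x509 -in "$out" -noout -text | grep -A1 'Subject Alternative Name'
}

# Before trusting the labels above, list what the token really holds:
#   pkcs11-tool --module "$MODULE" --login --list-objects
```

Note that `-CAkeyform engine` makes openssl treat `-CAkey` as a PKCS#11 URI handed to the engine rather than a file; the private key never leaves the token, which is the point of keeping the CA there. The extensions must come from `-extfile`, since `openssl x509 -req` does not copy requested extensions from the CSR.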