One challenge that we have is the DH params group file. I’d prefer to generate this on the server but it
takes too long to be practical. I have excluded it for the time being as it makes no sense to generate it
but then store it in a git repo.
However, your deployment process may be different, so if you can take advantage of it, generate it as follows:
Beyond that, we are encrypting our keyfile and then only providing the password to the production ENV.
The resulting config looks as follows:
In my case, we use distillery and read much of our configuration from the ENV. And we are not generating the DHPARAMS.
So our file looks more like this:
Note that we are setting file paths dynamically, which allows us to switch between certificate sets between staging
and production ENVs.
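As an added illustration (not the config from this post), here is one way to build the endpoint's `:https` options from the ENV at boot, with the key passphrase supplied only through the ENV and the DH params file treated as optional. The module name `MyApp.HttpsConfig` and every ENV variable name are assumptions, and the paths are assumed to be absolute.

```elixir
# Added example: module name and ENV variable names are hypothetical.
defmodule MyApp.HttpsConfig do
  @moduledoc """
  Builds the :https keyword list for the endpoint from ENV values, so staging
  and production can point at different certificate sets without a rebuild.
  """

  # The passphrase for the encrypted keyfile lives only in the ENV.
  @required ~w(SSL_CERT_PATH SSL_KEY_PATH SSL_KEY_PASSWORD)

  def https_opts(env \\ System.get_env()) do
    missing = Enum.reject(@required, &Map.has_key?(env, &1))
    if missing != [], do: raise("missing ENV: #{Enum.join(missing, ", ")}")

    [
      port: String.to_integer(Map.get(env, "HTTPS_PORT", "443")),
      cipher_suite: :strong,
      certfile: readable!(env["SSL_CERT_PATH"]),
      keyfile: readable!(env["SSL_KEY_PATH"]),
      # Erlang's :ssl takes the key passphrase as a charlist.
      password: String.to_charlist(env["SSL_KEY_PASSWORD"])
    ]
    |> put_optional(:cacertfile, env["SSL_CACERT_PATH"])
    # No DH params file in the ENV means no :dhfile option at all,
    # instead of a path to a file that was never deployed.
    |> put_optional(:dhfile, env["SSL_DHPARAMS_PATH"])
  end

  defp put_optional(opts, _key, nil), do: opts
  defp put_optional(opts, key, path), do: opts ++ [{key, readable!(path)}]

  # Fail at boot with a clear message rather than at the first TLS handshake.
  # File.stat/1 follows symlinks, so symlinked certificate sets work.
  defp readable!(path) do
    case File.stat(path) do
      {:ok, %File.Stat{type: :regular, access: access}}
      when access in [:read, :read_write] ->
        path

      _ ->
        raise "TLS file missing or unreadable: #{path}"
    end
  end
end
```

Call `MyApp.HttpsConfig.https_opts/0` from wherever your release reads its runtime configuration, so the values come from the ENV of the running server and not from the build machine.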