I’m now using free certificates provided by Let’s Encrypt, a new certificate authority from the Linux Foundation that provides free certificates for all, and has a nice automatable method for renewing the certificates. This is necessary as the certs are only valid for 90 days (intentionally, for security reasons). Free certificates have been available before from StartSSL, but it was awkward to use. Let’s encrypt seems to be getting lots of attention, and some big industry sponsors including Mozilla, Cisco and Google Chrome.
I found this article How To Secure Nginx with Let’s Encrypt really useful as the nginx plugin for Let’s Encrypt is still in an alpha state and not recommended.
Once I’d got it working I generated a secure SSL config with no old ciphers enabled using Mozilla’s SSL config generator
Finally, to test my configuration I used Qualys' SSL Server Test which after using the above configuration gives the site’s SSL config an ‘A’ security rating.