10k sat bounty for best answer

https://stacker.news/items/147246

Discussion

This reminds me of policy agent on z/OS. I would think nginx has a manual on adding cipher suites, creating certificate stores, and handling handshakes for encryption in transit. RACF had ISPF utilities for adding certificate trust chains and creating RSA or ECDSA compatible certs.

Use this generator as your base (update nginx/SSL versions appropriately if you run into issues) and add in your custom well-known block in the first server block and your proxy_pass location block in the SSL server block:

https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&ocsp=false&guideline=5.6

These are industry-standard defaults and should form the base of any nginx config.

Feel free to select the "modern" TLS settings; they should work fine for your use cases but may cause issues for the occasional person.
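The layout the reply describes, written out as an added example (not the commenter's own config): the generator's "intermediate" profile for nginx 1.17.7 / OpenSSL 1.1.1k with the well-known block dropped into the plain-HTTP server and a proxy_pass location in the TLS server. The domain example.com, the upstream 127.0.0.1:8080, the ACME webroot and the certificate paths are placeholders.

```nginx
# Added example; example.com, 127.0.0.1:8080, /var/www/acme and the
# certificate paths are placeholders. TLS directives follow the
# generator's "intermediate" profile (nginx 1.17.7, OpenSSL 1.1.1k).

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com;

    # Custom well-known block: ACME challenges stay reachable over
    # plain HTTP so certificate issuance and renewal keep working.
    location /.well-known/acme-challenge/ {
        root /var/www/acme;            # placeholder webroot
        default_type text/plain;
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;    # placeholder

    # Intermediate profile from ssl-config.mozilla.org
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/dhparam.pem;  # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/nginx/dhparam.pem
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;

    # proxy_pass location block: hand requests to the backend application.
    location / {
        proxy_pass http://127.0.0.1:8080;  # placeholder upstream
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` after editing and check the result against the generator page for the nginx and OpenSSL versions you actually have installed.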

Thank you