Hi,
You might want to consider something like OpenResty, which allows for serving certificates on the fly with Lua logic. You can use this to fetch cert/key material via Vault or some other secure data store that can be accessed via TCP (or you could also keep the encrypted private key on-disk and fetch the secret at worker initialization via some Lua logic). See https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md for an example of the former.
> On Nov 14, 2018, at 12:17, Roger Fischer <roger@netskrt.io> wrote:
>
> Hello,
>
> does NGINX support any mechanisms to securely access the private key of server certificates?
>
> Specifically, could NGINX make a request to a key store, rather than reading from a local file?
>
> Are there any best practices for keeping private keys secure?
>
> I understand the basics. The key file should only be readable by root. I cannot protect the key with a pass-phrase, as NGINX needs to start and restart autonomously.
>
> Thanks…
>
> Roger
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx