Welcome! Log In Create A New Profile

Re: Securing the HTTPS private key

Forum List Message List New Topic Print View

Maxim Dounin

November 15, 2018 08:04AM

Hello!

On Wed, Nov 14, 2018 at 12:17:57PM -0800, Roger Fischer wrote:

> Hello,
>
> does NGINX support any mechanisms to securely access the private
> key of server certificates?
>
> Specifically, could NGINX make a request to a key store, rather
> than reading from a local file?
>
> Are there any best practices for keeping private keys secure?
>
> I understand the basics. The key file should only be readable by
> root. I cannot protect the key with a pass-phrase, as NGINX
> needs to start and restart autonomously.

You actually can protect the key using a passphrase, see
http://nginx.org/r/ssl_password_file. Though this might not be
the best idea due to basically the same security provided, while
involving higher complexity.

Also, you can use "engine:..." syntax to load keys via OpenSSL
engines. This allows using various complex key stores, including
hardware tokens, to access keys, though may not be trivial to
configure.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Securing the HTTPS private key	Roger Fischer	November 14, 2018 03:18PM
Re: Securing the HTTPS private key	Robert Paprocki	November 14, 2018 03:22PM
Re: Securing the HTTPS private key	Maxim Dounin	November 15, 2018 08:04AM
Re: Securing the HTTPS private key	alexsamad	November 15, 2018 05:42PM
Re: Securing the HTTPS private key	Roger Fischer	November 16, 2018 01:04AM
Re: Securing the HTTPS private key	Anonymous User	November 16, 2018 03:06AM
Re: Securing the HTTPS private key	Patrick Laimbock	November 16, 2018 08:08AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 265

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018