Welcome! Log In Create A New Profile

Advanced

Re: Securing the HTTPS private key

November 15, 2018 05:42PM
HI

isn't this a bit futile, if they can get onto the box that has nginx they
can get either the private key or secret to get the private key.

safer would be to make it that you need human interact to start nginx.

But till a memory dump of the app would get you the private key.




On Fri, 16 Nov 2018 at 00:03, Maxim Dounin <mdounin@mdounin.ru> wrote:

> Hello!
>
> On Wed, Nov 14, 2018 at 12:17:57PM -0800, Roger Fischer wrote:
>
> > Hello,
> >
> > does NGINX support any mechanisms to securely access the private
> > key of server certificates?
> >
> > Specifically, could NGINX make a request to a key store, rather
> > than reading from a local file?
> >
> > Are there any best practices for keeping private keys secure?
> >
> > I understand the basics. The key file should only be readable by
> > root. I cannot protect the key with a pass-phrase, as NGINX
> > needs to start and restart autonomously.
>
> You actually can protect the key using a passphrase, see
> http://nginx.org/r/ssl_password_file. Though this might not be
> the best idea due to basically the same security provided, while
> involving higher complexity.
>
> Also, you can use "engine:..." syntax to load keys via OpenSSL
> engines. This allows using various complex key stores, including
> hardware tokens, to access keys, though may not be trivial to
> configure.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Securing the HTTPS private key

Roger Fischer November 14, 2018 03:18PM

Re: Securing the HTTPS private key

Robert Paprocki November 14, 2018 03:22PM

Re: Securing the HTTPS private key

Maxim Dounin November 15, 2018 08:04AM

Re: Securing the HTTPS private key

alexsamad November 15, 2018 05:42PM

Re: Securing the HTTPS private key

Roger Fischer November 16, 2018 01:04AM

Re: Securing the HTTPS private key

Anonymous User November 16, 2018 03:06AM

Re: Securing the HTTPS private key

Patrick Laimbock November 16, 2018 08:08AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 101
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready