On-demand SSL Cert key loading

Amarnath B S
March 18, 2021 06:02AM
All,
We have a requirement where the certificate keys need to be loaded only in
Nginx memory. That is, saving it in the local FS is not an option. Also, we
need the cert key to be present in Nginx memory only when there are active
lookups to it (requests to the virtual server using the cert). When there
are no requests, the cert key should be flushed from the memory and
reloaded from a KMS (key mgmt server) on-demand through client
authentication (Nginx authenticating to the KMS as a client). Please provide
pointers if you have insight into such or a similar requirement.

I referred to best practices in this Nginx blog
<https://www.nginx.com/blog/protecting-ssl-private-keys-nginx-hashicorp-vault/#update-web-server-config-nginx>.
However, not all of our requirements are met. There are a few questions:
a) Does the ngx_http_ssl_module
<http://nginx.org/en/docs/http/ngx_http_ssl_module.html> load the
certificate on demand or during config parse? Once loaded, does it always
stay in memory, whether used or not?
b) Is it possible to load the certificate key through a sub-request
on demand (that is, when the SSL handshake is initiated)?

Thanks in advance,

-Amar
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx