Hello,
The attached patch allows loading PKCS #11 URLs in the
ssl_certificate_key.
That is, one only needs to specify:
ssl_certificate_key "pkcs11:model=SoftHSM%20v2;serial=f0490bea35;pin-value=1234"
to access a key in a HSM. That's the only step required.
That extends the previous approach which is generic, but tedious, and
requires modifying openssl config files shared with other apps.
See [0] for comparison.
This works with the latest engine_pkcs11, and p11-kit (which takes care
of module registration).
Note that PKCS #11 URLs, described in RFC7512, are becoming the way to
specify keys stored in PKCS #11 modules. engine_pkcs11 supports them
already, as well as gnutls natively. See also fedora's stance on them
[1].
regards,
Nikos
[0] http://mailman.nginx.org/pipermail/nginx-devel/2014-October/006151.html
[1] https://fedoraproject.org/wiki/Packaging:SSLCertificateHandling
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
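To make the URL form used above concrete, here is an added example (not part of the patch, engine_pkcs11 or nginx) that parses an RFC 7512 PKCS #11 URI into its attributes and audits an `ssl_certificate_key` value the way a config reviewer would. It assumes nothing about the patch's own parser; it accepts `pin-value`/`pin-source` both in the path, as the post writes them, and in the query, where RFC 7512 places them. The sample URIs are constructed, modelled on the one in the post.

```python
"""Minimal RFC 7512 PKCS #11 URI parser plus a config-audit helper.

Added example, not code from the nginx patch or from engine_pkcs11.
The sample URIs below are constructed for illustration.
"""
from urllib.parse import unquote, unquote_to_bytes

# Attribute names defined by RFC 7512, split by where they may appear.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def _split_attrs(segment, sep):
    """Split 'k=v<sep>k=v' into (name, raw_value) pairs; '' -> []."""
    pairs = []
    for part in filter(None, segment.split(sep)):
        name, eq, raw = part.partition("=")
        if not eq or not name:
            raise ValueError("malformed attribute %r" % part)
        pairs.append((name, raw))
    return pairs


def parse_pkcs11_uri(uri):
    """Parse a pkcs11: URI into a dict of percent-decoded attributes.

    Path attributes are ';'-separated, query attributes '&'-separated.
    'id' decodes to bytes (it carries a raw CKA_ID); everything else to str.
    Assumption: pin-value/pin-source are also tolerated in the path, since
    the post's example writes them that way.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for where, pairs in (("path", _split_attrs(path, ";")),
                         ("query", _split_attrs(query, "&"))):
        allowed = (PATH_ATTRS | QUERY_ATTRS) if where == "path" else QUERY_ATTRS
        for name, raw in pairs:
            if name not in allowed:
                raise ValueError("attribute %r not allowed in %s" % (name, where))
            if name in attrs:
                raise ValueError("duplicate attribute %r" % name)
            attrs[name] = unquote_to_bytes(raw) if name == "id" else unquote(raw)
    return attrs


def audit_key_uri(uri):
    """Return review findings for an ssl_certificate_key pkcs11: URI."""
    attrs = parse_pkcs11_uri(uri)
    findings = []
    if "pin-value" in attrs:
        findings.append("PIN is embedded in the config (pin-value); "
                        "pin-source keeps it out of the nginx config file")
    if not ({"serial", "token"} & attrs.keys()):
        findings.append("no serial/token attribute: URI does not pin a specific token")
    if not ({"object", "id"} & attrs.keys()):
        findings.append("no object/id attribute: URI does not name a specific key")
    return findings


if __name__ == "__main__":
    # Constructed sample: the post's URI with RFC 7512 ';' separators.
    sample = "pkcs11:model=SoftHSM%20v2;serial=f0490bea35;pin-value=1234"
    print(parse_pkcs11_uri(sample))
    for finding in audit_key_uri(sample):
        print("-", finding)
```

Running `audit_key_uri` over every `ssl_certificate_key` value in a deployed config gives a quick inventory of which HSM keys are selected loosely and which configs carry a PIN inline, which is what you want to know before deciding file permissions and token selection attributes.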