Nginx HSM integration for SSL termination

gaurav gupta 1989.gaurav at
Mon Jun 15 14:28:27 UTC 2015

Hello Maxim,

Thanks for your prompt response. OpenSSL engine responsible for the
behavior makes lot of sense. I am sorry since "pkey =
ENGINE_load_private_key(engine, (char *) last, 0, 0);" confused me and made
me assume that its getting loaded during startup.

I am using engine_pkcs11 to integrate with HSM. I will dive deeper in the
engine code to understand and tweak behavior.

Thanks again for your help.

On Mon, Jun 15, 2015 at 7:42 PM, Maxim Dounin <mdounin at> wrote:

> Hello!
> On Mon, Jun 15, 2015 at 11:58:46AM +0530, gaurav gupta wrote:
> > Hello Folks,
> >
> > Currently we store ssl private keys in file on production servers. We are
> > looking to move SSL keys to HSM for security reasons so private key never
> > leave HSM. After heart bleed, I found lot of suggestions to move SSL keys
> > to HSM so keys are inaccessible, but could not find any direct
> integration
> > for nginx.
> >
> > On some search I found Dmitri's patch
> >,251983,255297#msg-255297 to support
> > engine Keyform to load SSL key. I was able to get it working and work
> like
> > magic, But as far as I understand its still loaded in memory every time
> > nginx starts. Benefit of loading ssl key from HSM is that key is not
> stored
> > in plain text file, but its still in memory.
> >
> > Can you please suggest how can we use HSM to perform Asym crypto
> operations
> > as well so private key never leave HSM.
> >
> > PS: I found accessl which makes use of
> > openssl engine mechanism to offload Key storage and crypto operations.
> The patch in question was committed in 1.7.9, and available all
> recent versions of nginx.  It allows to load keys from arbitrary
> OpenSSL engines, and what "load" means depends on the engine used.
> That is, it's up to OpenSSL engine to avoid actual loading of keys
> into memory.
> --
> Maxim Dounin

Thanks & Regards,
Gaurav Gupta

"Quality is never an accident. It is always result of intelligent effort" -
John Ruskin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx-devel mailing list