Securing the HTTPS private key
rpaprocki at fearnothingproductions.net
Wed Nov 14 20:21:57 UTC 2018
You might want to consider something like OpenResty, which allows for serving certificates on the fly with Lua logic. You can use this to fetch cert/key material via Vault or some other secure data store that can be accessed via TCP (or you could also keep the encrypted private key on-disk and fetch the secret at worker initialization via some Lua logic). See https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md for an example of the former.
> On Nov 14, 2018, at 12:17, Roger Fischer <roger at netskrt.io> wrote:
> does NGINX support any mechanisms to securely access the private key of server certificates?
> Specifically, could NGINX make a request to a key store, rather than reading from a local file?
> Are there any best practices for keeping private keys secure?
> I understand the basics. The key file should only be readable by root. I cannot protect the key with a pass-phrase, as NGINX needs to start and restart autonomously.
> nginx mailing list
> nginx at nginx.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the nginx