Securing the HTTPS private key
mdounin at mdounin.ru
Thu Nov 15 13:03:14 UTC 2018
On Wed, Nov 14, 2018 at 12:17:57PM -0800, Roger Fischer wrote:
> does NGINX support any mechanisms to securely access the private
> key of server certificates?
> Specifically, could NGINX make a request to a key store, rather
> than reading from a local file?
> Are there any best practices for keeping private keys secure?
> I understand the basics. The key file should only be readable by
> root. I cannot protect the key with a pass-phrase, as NGINX
> needs to start and restart autonomously.
You actually can protect the key using a passphrase, see
http://nginx.org/r/ssl_password_file. Though this might not be
the best idea due to basically the same security provided, while
involving higher complexity.
Also, you can use "engine:..." syntax to load keys via OpenSSL
engines. This allows using various complex key stores, including
hardware tokens, to access keys, though may not be trivial to
More information about the nginx
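As an added example (not part of the reply above or of nginx's own documentation), the three key-loading options the reply contrasts, written as nginx configuration; the paths, the engine name and the key id are assumed placeholders:

```nginx
# Added illustration, not from the thread: three ways to point nginx at a
# server key, in the order the reply discusses them. Paths, the engine name
# and the key id are placeholders.

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/tls/example.com.crt;

    # 1. Plain PEM key, no passphrase. Protection rests entirely on file
    #    permissions: owned by root, mode 0600. The master process (running
    #    as root) loads the key at startup, before workers drop to the
    #    unprivileged "user".
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # 2. Encrypted PEM key plus a passphrase file (one passphrase per line,
    #    tried in turn). nginx still restarts unattended, but whoever can
    #    read the key file can usually read the passphrase file as well,
    #    which is the reply's point about added complexity for the same
    #    level of security.
    # ssl_certificate_key /etc/nginx/tls/example.com.enc.key;
    # ssl_password_file   /etc/nginx/tls/example.com.pass;

    # 3. Key held by an OpenSSL engine (here the "pkcs11" engine, assumed
    #    to be configured in openssl.cnf, fronting a hardware token). The
    #    private key never exists as a file on disk; nginx only references
    #    it by id. The id format is engine-specific; this one is a placeholder.
    # ssl_certificate_key "engine:pkcs11:pkcs11:token=example;object=server-key";
}
```

Only one `ssl_certificate_key` form should be active at a time; the commented variants are shown side by side for comparison.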