patch to allow loading PKCS #11 URLs

Nikos Mavrogiannopoulos nmav at
Fri Jun 19 13:49:48 UTC 2015

 The attached patch allows loading PKCS #11 URLs in the

That is, one only needs to specify:
ssl_certificate_key "pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin

to access a key in an HSM. That's the only step required.
That extends the previous approach which is generic, but tedious, and
requires modifying openssl config files shared with other apps.
See [0] for comparison.

This works with the latest engine_pkcs11, and p11-kit (which takes care
of module registration).

Note that PKCS #11 URLs, described in RFC 7512, are becoming the way to
specify keys stored in PKCS #11 modules. engine_pkcs11 supports them
already, as well as GnuTLS natively. See also Fedora's stance on them


-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx-pkcs11.patch
Type: text/x-patch
Size: 2174 bytes
Desc: not available
URL: <>
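
As an added example (not part of the message or the attached patch), the sketch below splits a PKCS #11 URL into its RFC 7512 path and query attributes and reports what a config reviewer would check before such a URL goes into a server configuration, in particular a PIN stored inline. The function names, the object name, the PIN and the PIN file path are assumptions constructed for illustration; only the model and serial values come from the message.

```python
from urllib.parse import unquote, unquote_to_bytes

# Attribute names from the RFC 7512 grammar: path (";"-separated), query ("&"-separated).
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}

def _split(part, delim, standard):
    attrs = {}
    for item in filter(None, part.split(delim)):
        name, eq, value = item.partition("=")
        if not eq:
            raise ValueError(f"attribute without '=': {item!r}")
        if name in attrs and name in standard:
            raise ValueError(f"duplicate attribute: {name}")
        # "id" is percent-encoded binary; everything else is UTF-8 text.
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs

def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    return _split(path, ";", PATH_ATTRS), _split(query, "&", QUERY_ATTRS)

def audit(uri):
    """Findings a config reviewer would raise for a key URI."""
    path, query = parse_pkcs11_uri(uri)
    findings = []
    if "pin-value" in query or "pin-value" in path:
        findings.append("PIN embedded in the URI; prefer pin-source")
    for name in sorted(set(path) - PATH_ATTRS):
        findings.append(f"non-standard path attribute: {name}")
    for name in sorted(set(query) - QUERY_ATTRS):
        findings.append(f"non-standard query attribute: {name}")
    if path.get("type", "private") != "private":
        findings.append(f"type={path['type']} does not select a private key")
    return findings

# Constructed samples; model and serial are the values from the message above.
BASE = "pkcs11:model=SoftHSM%20v2;serial=f0490bea35;object=web;type=private"
INLINE_PIN = BASE + "?pin-value=1234"
PIN_FILE = BASE + "?pin-source=file:/etc/nginx/hsm.pin"

if __name__ == "__main__":
    for u in (INLINE_PIN, PIN_FILE, BASE + ";pin-value=1234"):
        print(audit(u))
```

A PIN written into the URL is readable by anyone who can read the configuration file, so the reviewer's question is whether that file's permissions are as tight as the token's PIN deserves.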
