patch to allow loading PKCS #11 URLs

Nikos Mavrogiannopoulos nmav at redhat.com
Fri Jun 19 14:39:48 UTC 2015


On Fri, 2015-06-19 at 17:07 +0300, Maxim Dounin wrote:
> 
> Have you tried
> ssl_certificate_key 
> "engine:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234";
> instead?
> I don't see how it's different from the code you propose.

Hi,
 Yes, I've tried it. It would be specified as:
"engine:pkcs11:pkcs11:model=SoftHSM%20v2serial=f0490bea35;pin-value=1234";

But it doesn't work, because it doesn't initialize the pkcs11 engine.
Furthermore, the "engine:pkcs11:pkcs11:" approach defeats the purpose
of PKCS #11 URLs which is to use the same string to identify the same
keys on all applications.

regards,
Nikos
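
The difference between the two strings discussed in this message, as an added example that is not part of the original e-mail or of the nginx code. It assumes an `engine:<id>:<key>` value splits at the first colon after the engine name, uses a constructed sample URI, and its function names are hypothetical.

```python
from urllib.parse import unquote

# Constructed sample URI (not a real token), in RFC 7512 form.
SAMPLE_URI = "pkcs11:model=SoftHSM%20v2;serial=0123456789;object=web-key?pin-value=1234"


def split_key_spec(spec):
    """Return (engine_id, key_id); engine_id is None for a bare key reference.

    Assumption: "engine:<id>:<key>" splits at the first colon after the
    engine name, so the key part may itself contain colons.
    """
    if not spec.startswith("engine:"):
        return None, spec
    engine_id, sep, key_id = spec[len("engine:"):].partition(":")
    if not (sep and engine_id and key_id):
        raise ValueError("expected engine:<id>:<key>")
    return engine_id, key_id


def _attrs(part, delim):
    """Parse name=value items, percent-decoding values, rejecting repeated names."""
    out = {}
    for item in filter(None, part.split(delim)):
        name, eq, value = item.partition("=")
        if not eq or name in out:
            raise ValueError("malformed or repeated attribute: " + item)
        out[name] = unquote(value)
    return out


def parse_pkcs11_uri(uri):
    """Split a pkcs11: URI into (path_attributes, query_attributes)."""
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    path, _, query = rest.partition("?")
    return _attrs(path, ";"), _attrs(query, "&")


def embeds_pin(uri):
    """True when the PIN travels inside the URI, after ';' or after '?'."""
    path, query = parse_pkcs11_uri(uri)
    return "pin-value" in path or "pin-value" in query
```

`embeds_pin` can be run over key references found in configuration files to flag those that carry the token PIN in clear text.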


