[PATCH 0/4] SSL: Add support for loading X.509 certificates from openssl engine

Vesa Jääskeläinen vesa.jaaskelainen at vaisala.com
Wed Jul 12 14:07:03 UTC 2023


(I hope this goes properly out as I had major issues with hg email so
combined hg export + git send-email)

It is convenient to keep X.509 certificates related to key pairs stored in
openssl engine within the engine.

The implementation uses the 'LOAD_CERT_CTRL' extension to fetch the certificate from
the engine. This extension is not supported by all engines, and in those
cases it should report an error.

Configuration is similar to what it is for 'ssl_certificate_key'.

The first certificate must match ssl_certificate_key's key pair; the rest of
the certificates are added to the certificate chain.

Example configuration with libp11's pkcs11 engine:

  ssl_certificate      "engine:pkcs11:pkcs11:token=mytoken;object=mykey
                        engine:pkcs11:pkcs11:token=mytoken;object=int-ca";
  ssl_certificate_key  "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin";

Tested the loading with two pkcs11 implementations: SoftHSMv2 and
OP-TEE's PKCS11 Trusted Application running on an Embedded Linux device.

The first three commits are the main beef; in order to make it more flexible,
the last commit also allows intermediate certificates to be loaded from the
file system.

A space is used as the separator as there was already an existing use of an
array for the ssl_certificate configuration.

Thanks,
Vesa Jääskeläinen
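As an added illustration (not code from the patch series or from nginx), the following Python parser shows how the space-separated `ssl_certificate` value described above decomposes: each entry is either `engine:<name>:<id>`, where only the first colon after the engine name is a separator and the id (here a PKCS#11 URI) keeps its own colons, or a plain file path for an intermediate loaded from the file system; the first entry is the leaf, the rest form the chain. The `CertSource` type and the sample value are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

ENGINE_PREFIX = "engine:"


@dataclass(frozen=True)
class CertSource:
    """One certificate location. engine=None means a file-system path."""
    engine: Optional[str]
    ident: str  # engine-specific object id, or the file path


def parse_cert_source(token: str) -> CertSource:
    """Parse a single entry: 'engine:<name>:<id>' or a plain file path."""
    if not token.startswith(ENGINE_PREFIX):
        return CertSource(None, token)
    rest = token[len(ENGINE_PREFIX):]
    # Only the first ':' separates the engine name from the id. The id itself
    # (e.g. 'pkcs11:token=mytoken;object=mykey') must keep its colons intact.
    name, sep, ident = rest.partition(":")
    if not name or not sep or not ident:
        raise ValueError(f"malformed engine certificate spec: {token!r}")
    return CertSource(name, ident)


def parse_ssl_certificate(value: str) -> List[CertSource]:
    """Split a whitespace-separated ssl_certificate value into leaf + chain.

    The first entry is the leaf that must correspond to ssl_certificate_key;
    every later entry is appended to the certificate chain in order.
    """
    sources = [parse_cert_source(tok) for tok in value.split()]
    if not sources:
        raise ValueError("ssl_certificate needs at least one certificate")
    return sources


# Constructed sample mirroring the cover letter's configuration, as the
# directive value would look after the surrounding quotes are removed.
SAMPLE = (
    "engine:pkcs11:pkcs11:token=mytoken;object=mykey\n"
    "                        engine:pkcs11:pkcs11:token=mytoken;object=int-ca"
)

if __name__ == "__main__":
    leaf, *chain = parse_ssl_certificate(SAMPLE)
    print("leaf :", leaf)
    for entry in chain:
        print("chain:", entry)
```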

