[PATCH 0/4] SSL: Add support for loading X.509 certificates from openssl engine

Maxim Dounin mdounin at mdounin.ru
Thu Jul 13 00:48:42 UTC 2023


On Wed, Jul 12, 2023 at 05:07:03PM +0300, Vesa Jääskeläinen via nginx-devel wrote:

> (I hope this goes properly out as I had major issues with hg email so
> combined hg export + git send-email)
>
> It is convenient to keep X.509 certificates related to key pairs stored in
> openssl engine within the engine.
>
> Implementation uses 'LOAD_CERT_CTRL' extension to fetch certificate from
> the engine. This extension is not supported by all engines and in those
> cases it should report with an error.
>
> Configuration is similar to what it is for 'ssl_certificate_key'.
>
> First certificate must match with ssl_certificate_key's key pair; the rest of
> the certificates are added to the certificate chain.
>
> Example configuration with libp11's pkcs11 engine:
>
>   ssl_certificate      "engine:pkcs11:pkcs11:token=mytoken;object=mykey
>                         engine:pkcs11:pkcs11:token=mytoken;object=int-ca";
>   ssl_certificate_key  "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin";
>
> Tested the loading with two pkcs11 implementations: SoftHSMv2 and OP-TEE's
> PKCS11 Trusted Application running on an Embedded Linux device.
>
> The first three commits are the main beef, and in order to make it more
> flexible the last commit also allows intermediate certificates to be loaded
> from the file system.
>
> A space separator is used as there was already an existing use of an array
> for the ssl_certificate configuration.

Just in case, a similar proposal was previously discussed here:


Notably, the review is here:


I'm additionally sceptical about this given that the engine interface
is deprecated by OpenSSL.

Maxim Dounin
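The following is an added example, not code from the patch series or from nginx, that parses the directive syntax described in the quoted cover letter: a whitespace-separated list of entries, each either a file path or `engine:<engine-id>:<object-id>`, where the object id is handed to the engine and, for libp11, is a PKCS#11 URI in the RFC 7512 form (`pkcs11:` followed by `;`-separated path attributes and an optional `?`-separated query part). The `engine:` prefix mirrors the form nginx already accepts for `ssl_certificate_key`; the `ssl_certificate` form is the proposal's and is not in mainline nginx. The two example values are copied from the cover letter; `SSL_CERTIFICATE_MIXED` and the path `/etc/nginx/certs/int-ca.pem` are constructed here to cover the fourth commit's file-system intermediate. Besides splitting the list, it carries one audit check a reviewer would run over such a configuration: which entries embed the token PIN (`pin-value`) as a literal in the config file.

```python
# Added example (not from the patch or from nginx): parse the proposed
# ssl_certificate / ssl_certificate_key values and flag embedded PINs.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote


@dataclass
class CertSource:
    kind: str                        # "engine" or "file"
    engine: Optional[str] = None     # OpenSSL engine id, e.g. "pkcs11"
    object_id: Optional[str] = None  # id handed to the engine, or the file path
    path_attrs: Dict[str, str] = field(default_factory=dict)   # pkcs11 URI path part
    query_attrs: Dict[str, str] = field(default_factory=dict)  # pkcs11 URI query part


def _parse_attrs(part: str, sep: str) -> Dict[str, str]:
    """Parse 'name=value' pairs separated by `sep`; values are percent-decoded."""
    attrs: Dict[str, str] = {}
    for item in part.split(sep):
        if not item:
            continue
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise ValueError("malformed attribute %r" % item)
        attrs[name] = unquote(value)
    return attrs


def parse_pkcs11_uri(uri: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split an RFC 7512 URI into (path attributes, query attributes).
    Path attributes are ';'-separated, query attributes '&'-separated; only the
    'pkcs11:' prefix and the separators are checked, not the attribute names."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI: %r" % uri)
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    return _parse_attrs(path_part, ";"), _parse_attrs(query_part, "&")


def parse_source(token: str) -> CertSource:
    """One whitespace-separated entry: 'engine:<engine-id>:<object-id>' or a path."""
    if token.startswith("engine:"):
        engine, sep, object_id = token[len("engine:"):].partition(":")
        if not (sep and engine and object_id):
            raise ValueError("malformed engine reference: %r" % token)
        src = CertSource(kind="engine", engine=engine, object_id=object_id)
        if object_id.startswith("pkcs11:"):
            src.path_attrs, src.query_attrs = parse_pkcs11_uri(object_id)
        return src
    return CertSource(kind="file", object_id=token)


def parse_certificate_list(value: str) -> List[CertSource]:
    """Whitespace-separated list as in the proposal: entry 0 is the end-entity
    certificate, entries 1..n are appended to the chain in the order given."""
    sources = [parse_source(t) for t in value.split()]
    if not sources:
        raise ValueError("ssl_certificate value is empty")
    return sources


def embedded_pins(*values: str) -> List[str]:
    """Audit check: object ids whose URI carries a literal PIN ('pin-value'),
    i.e. a secret that lives in the nginx config text itself."""
    found = []
    for value in values:
        for src in parse_certificate_list(value):
            if "pin-value" in src.query_attrs:
                found.append(src.object_id)
    return found


# Values copied from the cover letter's example configuration (quoted above).
SSL_CERTIFICATE = ("engine:pkcs11:pkcs11:token=mytoken;object=mykey "
                   "engine:pkcs11:pkcs11:token=mytoken;object=int-ca")
SSL_CERTIFICATE_KEY = "engine:pkcs11:pkcs11:token=mytoken;object=mykey?pin-value=mypin"

# Constructed variant: intermediate loaded from the file system (fourth commit)
# and a token label with a percent-encoded space, as RFC 7512 requires.
SSL_CERTIFICATE_MIXED = ("engine:pkcs11:pkcs11:token=my%20token;object=mykey "
                         "/etc/nginx/certs/int-ca.pem")

if __name__ == "__main__":
    for src in parse_certificate_list(SSL_CERTIFICATE):
        print(src)
    print("entries with a PIN in the config text:",
          embedded_pins(SSL_CERTIFICATE, SSL_CERTIFICATE_KEY))
```

Two practical observations fall out of the parse. A `pin-value` in the directive is a plaintext secret that ends up in every copy of the config, including `nginx -T` output; RFC 7512's `pin-source` attribute exists to reference the PIN from elsewhere (its handling is up to the engine, so check libp11's documentation for the forms it accepts). And because the list separator is whitespace, a file path containing a space cannot be expressed in the `ssl_certificate` value at all, which is worth keeping in mind when mixing file-system intermediates with engine entries.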
