Securing the HTTPS private key
Robert Paprocki
rpaprocki at fearnothingproductions.net
Wed Nov 14 20:21:57 UTC 2018
Hi,
You might want to consider something like OpenResty, which allows for serving certificates on the fly with Lua logic. You can use this to fetch cert/key material via Vault or some other secure data store that can be accessed via TCP (or you could also keep the encrypted private key on-disk and fetch the secret at worker initialization via some Lua logic). See https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md for an example of the former.
> On Nov 14, 2018, at 12:17, Roger Fischer <roger at netskrt.io> wrote:
>
> Hello,
>
> does NGINX support any mechanisms to securely access the private key of server certificates?
>
> Specifically, could NGINX make a request to a key store, rather than reading from a local file?
>
> Are there any best practices for keeping private keys secure?
>
> I understand the basics. The key file should only be readable by root. I cannot protect the key with a pass-phrase, as NGINX needs to start and restart autonomously.
>
> Thanks…
>
> Roger
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20181114/48e847b9/attachment.html>
More information about the nginx
mailing list