Securing the HTTPS private key

Maxim Dounin mdounin at mdounin.ru
Thu Nov 15 13:03:14 UTC 2018


Hello!

On Wed, Nov 14, 2018 at 12:17:57PM -0800, Roger Fischer wrote:

> Hello,
> 
> does NGINX support any mechanisms to securely access the private 
> key of server certificates?
> 
> Specifically, could NGINX make a request to a key store, rather 
> than reading from a local file?
> 
> Are there any best practices for keeping private keys secure?
> 
> I understand the basics. The key file should only be readable by 
> root. I cannot protect the key with a pass-phrase, as NGINX 
> needs to start and restart autonomously.

You actually can protect the key using a passphrase, see 
http://nginx.org/r/ssl_password_file.  Though this might not be 
the best idea due to basically the same security provided, while 
involving higher complexity.

Also, you can use "engine:..." syntax to load keys via OpenSSL 
engines.  This allows using various complex key stores, including 
hardware tokens, to access keys, though it may not be trivial to 
configure.

-- 
Maxim Dounin
http://mdounin.ru/
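The two alternatives named in the reply above, as an added example configuration that is not part of the original thread; the host name, file paths, the engine name `pkcs11` and the key identifier are assumptions:

```nginx
# Added example 1: the key file is PEM-encrypted with a passphrase and nginx
# reads the passphrase from ssl_password_file at startup. Because the
# master process must be able to read that file, it needs the same
# protection as the key itself (root-owned, mode 0600), which is why this
# adds complexity without adding much security.
server {
    listen 443 ssl;
    server_name example.com;                                # assumed name

    ssl_certificate     /etc/nginx/tls/example.com.crt;     # assumed path
    ssl_certificate_key /etc/nginx/tls/example.com.key;     # assumed path; encrypted PEM
    ssl_password_file   /etc/nginx/tls/example.com.pass;    # assumed path; one passphrase per line
}

# Added example 2: the key stays inside an OpenSSL engine (here a PKCS#11
# token) and nginx references it as engine:<name>:<id>. No key file exists
# on disk; signing is delegated to the token. Engine name and key id are
# assumptions and depend on the engine and token actually in use.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key "engine:pkcs11:pkcs11:token=example;object=nginx-key;type=private";
}
```

The engine itself is loaded through the OpenSSL configuration, not by nginx, so the second variant also needs the engine section in openssl.cnf (or an equivalent engine-specific setup) before nginx will start.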

