Using Yubikey/PKCS11 for Upstream Client Certificates

Konstantin Pavlov thresh at
Wed Feb 5 10:38:17 UTC 2020

Hi Erik,

I've been able to use a yubikey neo to store a server key and utilize
it via the pkcs11 engine in nginx some time ago.  I didn't check the
upstream connection, since I only cared about the front-end.
And as I only had a yubikey neo instead of a proper HSM, it turned out
to be a crypto decelerator. :-)

I took some notes on implementing it at, hope
this helps.

04.02.2020 20:14, erik wrote:
> Specifically, I'd like to know if the proxy_ssl_certificate and
> proxy_ssl_certificate_key directives can support RFC-7512 PKCS#11 URIs, or
> whether they're hardwired to be just local file paths.
> With my private key in hardware, I'm looking for the ability to point nginx
> to something like:
> location /upstream {
>     proxy_pass      ;
>     proxy_ssl_certificate     /etc/nginx/client.pem;
>     proxy_ssl_certificate_key
> 'pkcs11:type=private;token=some_token;';
> }
> Cheers,
> Erik van Zijst
> Posted at Nginx Forum:,286922,286930#msg-286930
> _______________________________________________
> nginx mailing list
> nginx at

Konstantin Pavlov
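For readers arriving at this thread with the same question, the following is an added configuration example (it is not part of either message and not nginx's or Konstantin's own config). It shows the value form nginx documents for both `ssl_certificate_key` and `proxy_ssl_certificate_key`: `engine:<engine name>:<key id>`, where the key id is handed to the OpenSSL engine and, for the pkcs11 engine (libp11), is an RFC 7512 PKCS#11 URI. It assumes the pkcs11 engine is already registered in the system openssl.cnf; the token labels, object names, PIN, paths and the upstream host are placeholders.

```nginx
# Added example, not from the thread. Assumes OpenSSL's "pkcs11" engine
# (libp11) is registered in openssl.cnf. Token labels, object names, PIN,
# file paths and the upstream host name are all placeholders.

# main context: load the OpenSSL engine once for the whole server
ssl_engine pkcs11;

events {}

http {
    server {
        listen 443 ssl;
        server_name example.test;   # placeholder

        # Front-end server key kept on the token, as described in the reply above.
        ssl_certificate     /etc/nginx/server.pem;
        ssl_certificate_key "engine:pkcs11:pkcs11:token=nginx-server;object=server-key;pin-value=123456";

        location /upstream {
            proxy_pass https://backend.internal;   # placeholder upstream

            # Client certificate for the upstream TLS session; the private key
            # never leaves the token, nginx only asks the engine to sign.
            proxy_ssl_certificate     /etc/nginx/client.pem;
            proxy_ssl_certificate_key "engine:pkcs11:pkcs11:token=nginx-client;object=upstream-key;pin-value=123456";

            # Verify the upstream as well, otherwise the client certificate only
            # authenticates one direction of the connection.
            proxy_ssl_verify              on;
            proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;
            proxy_ssl_server_name         on;
            proxy_ssl_name                backend.internal;

            # Default, but worth keeping explicit: each full handshake costs a
            # signature on the token, which is exactly the slowdown noted above.
            proxy_ssl_session_reuse       on;
        }
    }
}
```

Two practical points. `pin-value` places the token PIN in nginx.conf, so that file must be readable only by root (the master process loads the key at startup); RFC 7512 also defines `pin-source` for reading the PIN from a separate file, which some libp11 builds accept. And because a YubiKey signs far more slowly than a CPU, session reuse toward the upstream is what keeps the token from becoming the bottleneck; `nginx -t` will already fail at configuration load if the engine or the key object cannot be found, which is a cheap first check before any traffic is sent.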
