Using Yubikey/PKCS11 for Upstream Client Certificates
Konstantin Pavlov
thresh at nginx.com
Wed Feb 5 10:38:17 UTC 2020
Hi Erik,
I've been enable to use an yubikey neo to store a server key and utilize
them via pkcs11 engine in nginx some time ago. I didnt check the
upstream connection, since I only cared about front-end.
And as I only had a yubikey neo instead of a proper HSM, it turned out
to be a crypto deccelerator. :-)
I've took some notes on implementing it at http://thre.sh/yub.txt, hope
this helps.
04.02.2020 20:14, erik wrote:
> Specifically, I'd like to know if the proxy_ssl_certificate and
> proxy_ssl_certificate_key directives can support RFC-7512 PKCS#11 URIs, or
> whether they're hardwired to be just local file paths.
>
> With my private key in hardware, I'm looking for the ability to point nginx
> to something like:
>
> location /upstream {
> proxy_pass https://backend.example.com;
> proxy_ssl_certificate /etc/nginx/client.pem;
> proxy_ssl_certificate_key
> 'pkcs11:type=private;token=some_token;object=username%40example.org';
> }
>
> Cheers,
> Erik van Zijst
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286922,286930#msg-286930
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
--
Konstantin Pavlov
https://www.nginx.com/
More information about the nginx
mailing list