On-demand SSL Cert key loading

Amarnath B S amarbs at gmail.com
Thu Mar 18 10:00:44 UTC 2021


All,
We have a requirement where the certificate keys need to be loaded only in
Nginx memory. That is, saving it in the local FS is not an option. Also, we
need the cert key to be present in Nginx memory only when there are active
lookups to it (requests to the virtual server using the cert). When there
are no requests, the cert key should be flushed from the memory and
reloaded from a KMS (key mgmt server) on demand through client
authentication (Nginx authenticating to the KMS as a client). Please provide
pointers if you have insight into such or a similar requirement.

I referred to best practices in this Nginx blog
<https://www.nginx.com/blog/protecting-ssl-private-keys-nginx-hashicorp-vault/#update-web-server-config-nginx>.
However, not all of our requirements are met. There are a few questions:
a) Does the ngx_http_ssl_module
<http://nginx.org/en/docs/http/ngx_http_ssl_module.html> load the
certificate on demand or during config parse? Once loaded, does it always
stay in memory, whether used or not?
b) Is it possible to load the certificate key through a sub-request
on demand (that is, when the SSL handshake is initiated)?

Thanks in advance,

-Amar