Hello! On Wed, Nov 14, 2018 at 12:17:57PM -0800, Roger Fischer wrote:
> Hello,
>
> does NGINX support any mechanisms to securely access the private
> key of server certificates?
>
> Specifically, could NGINX make a request to a key store, rather
> than reading from a local file?
>
> Are there any best practices for keeping private keys secure?
>
> I understand the basics. The key file should only be readable by
> root. I cannot protect the key with a pass-phrase, as NGINX
> needs to start and restart autonomously.

You actually can protect the key using a passphrase, see
http://nginx.org/r/ssl_password_file. Though this might not be the
best idea due to basically the same security provided, while
involving higher complexity.

Also, you can use "engine:..." syntax to load keys via OpenSSL
engines. This allows using various complex key stores, including
hardware tokens, to access keys, though may not be trivial to
configure.

--
Maxim Dounin
http://mdounin.ru/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
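The two options named in the reply, as an added configuration example that is not part of the original thread: an encrypted key file unlocked through ssl_password_file, and a key that never touches disk because it is loaded through an OpenSSL engine (nginx's documented "engine:name:id" form). The file paths, the engine name "pkcs11" and the key id "tls-key" are assumptions for illustration; the engine and its id depend on what the OpenSSL build and the token actually provide.

```nginx
# Option 1: passphrase-protected key on disk.
# The key file is PKCS#8 encrypted; nginx reads the passphrase(s) from
# ssl_password_file at startup and on reload, one passphrase per line,
# so it still starts unattended. Both files must be readable by the
# user that runs the master process (normally root) and by nobody else,
# which is why this buys little over an unencrypted key with the same
# 0600 permissions: whoever can read one file can usually read the other.
server {
    listen 443 ssl;
    server_name example.test;                  # constructed name

    ssl_certificate     /etc/nginx/tls/example.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/example.key;   # assumed path, encrypted PEM
    ssl_password_file   /etc/nginx/tls/example.pass;  # assumed path, mode 0600
}

# Option 2: key held in an external store (HSM, smart card, cloud KMS
# exposed via an engine). Instead of a file, ssl_certificate_key takes
# "engine:<engine name>:<key id>"; the engine must be loadable by the
# OpenSSL that nginx links against (see the openssl.cnf engine section
# or the engine's own docs). The private key material is never written
# to the filesystem, so a file-disclosure bug cannot leak it; it can
# only be used, not copied, by a process that reaches the engine.
server {
    listen 443 ssl;
    server_name hsm.example.test;              # constructed name

    ssl_certificate     /etc/nginx/tls/hsm.crt;       # assumed path, certificate stays a plain file
    ssl_certificate_key engine:pkcs11:tls-key;        # assumed engine name and key id
}
```

After editing, `nginx -t` is the quick check: with option 1 it fails at configuration time when the passphrase file is missing or wrong, and with option 2 it fails when the engine cannot be loaded or the id does not resolve, which is preferable to discovering either problem during an unattended restart.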