Hi Erik,

I've been able to use a YubiKey NEO to store a server key and utilize it via the pkcs11 engine in nginx some time ago. I didn't check the upstream connection, since I only cared about the front-end. And as I only had a YubiKey NEO instead of a proper HSM, it turned out to be a crypto decelerator. :-)

I took some notes on implementing it at http://thre.sh/yub.txt, hope this helps.

04.02.2020 20:14, erik wrote:
> Specifically, I'd like to know if the proxy_ssl_certificate and
> proxy_ssl_certificate_key directives can support RFC-7512 PKCS#11 URIs, or
> whether they're hardwired to be just local file paths.
>
> With my private key in hardware, I'm looking for the ability to point nginx
> to something like:
>
> location /upstream {
>     proxy_pass https://backend.example.com;
>     proxy_ssl_certificate /etc/nginx/client.pem;
>     proxy_ssl_certificate_key
>         'pkcs11:type=private;token=some_token;object=username%40example.org';
> }
>
> Cheers,
> Erik van Zijst
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,286922,286930#msg-286930
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

-- 
Konstantin Pavlov
https://www.nginx.com/
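The thread asks whether nginx can be pointed at a hardware-held key for both the front-end listener and the upstream client handshake. Below is an added configuration example (not from this thread, not from Konstantin's notes, and not nginx's own documentation) showing the shape such a setup takes. It assumes the OpenSSL `pkcs11` engine from libp11 is registered in `openssl.cnf` with the token's PKCS#11 module, and it relies on nginx's `engine:name:id` form for key directives, which the nginx documentation lists for `ssl_certificate_key` and `proxy_ssl_certificate_key` from 1.7.9; check that against the nginx build and OpenSSL engine support you actually run. Token names, object labels, library paths and hostnames are placeholders.

```nginx
# Added example, not from the mailing-list thread. Assumes the libp11
# "pkcs11" OpenSSL engine and nginx's "engine:name:id" key syntax.
#
# Assumed openssl.cnf fragment (libp11 layout; paths are placeholders):
#
#   openssl_conf = openssl_init
#   [openssl_init]
#   engines = engine_section
#   [engine_section]
#   pkcs11 = pkcs11_section
#   [pkcs11_section]
#   engine_id    = pkcs11
#   dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so  # placeholder
#   MODULE_PATH  = /usr/lib/x86_64-linux-gnu/libykcs11.so           # placeholder
#   # The engine has no interactive prompt under nginx, so the PIN must come
#   # from the engine config (libp11 "PIN" ctrl) or a pin-source in the URI.
#   init = 0

http {
    server {
        listen 443 ssl;
        server_name frontend.example.com;

        # Front-end key on the token. nginx splits "engine:<name>:<id>" at the
        # second colon, so the id may itself be an RFC 7512 "pkcs11:" URI.
        # Quote the value: it contains ';' which nginx would otherwise treat
        # as a directive terminator. "@" is percent-encoded as %40 per RFC 7512.
        ssl_certificate     /etc/nginx/server.pem;
        ssl_certificate_key "engine:pkcs11:pkcs11:token=some_token;object=server-key;type=private";

        location /upstream {
            proxy_pass https://backend.example.com;

            # Client certificate for the upstream handshake; the key stays on
            # the token and is referenced the same way as the front-end key.
            proxy_ssl_certificate     /etc/nginx/client.pem;
            proxy_ssl_certificate_key "engine:pkcs11:pkcs11:token=some_token;object=username%40example.org;type=private";

            # Verify the upstream's certificate and name rather than accepting
            # whatever answers on the backend address.
            proxy_ssl_verify              on;
            proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.pem;
            proxy_ssl_name                backend.example.com;
        }
    }
}
```

Two things follow from this layout. First, because nginx hands the id string to the engine unchanged, every signing operation for both listeners and upstream connections goes through the token, which is why a USB token such as a YubiKey, with one slow signing path and no parallelism, behaves as the "decelerator" described above; a networked HSM or a key-agent process is the usual answer when the upstream side carries real traffic. Second, `proxy_ssl_verify on` with a pinned trust anchor matters more, not less, once the client key is protected in hardware: a hardware key proves who nginx is to the backend, but does nothing to confirm who the backend is to nginx.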