Nginx¶
You can configure nginx to use NetHSM via the OpenSSL engine which then uses NetHSM’s PKCS#11 module.
The certificate file has to be on the disk but the private key can be used from the NetHSM.
A full example is available below.
OpenSSL Configuration¶
Set up the OpenSSL engine by following the OpenSSL Engine setup guide.
Providers aren’t supported yet by Nginx.
Note
Using the libp11 OpenSSL engine version 0.4.12 or older and a NetHSM with a lot of key will make the initial loading of Nginx slow (more than a minute for 1 thousand keys). It is recommended to use version 0.4.13 or newer or to build the engine from source.
Nginx Configuration¶
ssl_engine pkcs11;
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /certs/certificate.pem;
ssl_certificate_key "engine:pkcs11:pkcs11:object=webserver;type=private";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10s;
ssl_session_tickets off;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
The ssl_certificate
must point to a certificate file on the disk.
The ssl_certificate_key
can be an OpenSSL configuration. Here we use the OpenSSL engine with the PKCS#11 module and select the private key with the label/ID webserver
and the key type private
.
ssl_certificate_key "engine:pkcs11:pkcs11:object=webserver;type=private";
Note
You must generate the certificate separately and then upload it to the NetHSM. If the certificate on disk and the key in the NetHSM don’t match nginx won’t start.
libnethsm_pkcs11 Configuration¶
slots:
- label: LocalHSM
description: Local HSM (docker)
url: "https://192.168.3.161:8443/api/v1"
operator:
username: "operator"
password: "opPassphrase"
To secure the password you can provide it via an environment variable) or provide it in the nginx configuration:
ssl_certificate_key "engine:pkcs11:pkcs11:object=webserver;type=private;pin=opPassphrase";
Example¶
If you want to experiment with the given example use git to clone the nethsm-pkcs11 repository and run the following commands:
Warning
Running the generate script deletes the webserver
key and replaces it.
Configure a NetHSM, either a real one or a container. See the getting-started guide for more information. Besides an administrator, you are going to need an operator account.
Download and install the latest version of the nethsm-pkcs11 driver available from here.
Install the OpenSSL PKCS11 engine as described in the OpenSSL Manual. You do not need to create a configuration file.
Adjust the variables
HOST
,ADMIN_ACCOUNT
andADMIN_ACCOUNT_PWD
incontainer/nginx/generate.sh
such thatHOST
contains your NetHSMs URL and port,ADMIN_ACCOUNT
contains an administrator accounts username andADMIN_ACCOUNT_PWD
the corresponding password. Further configure the absolute path of the OpenSSL PKCS11 engine inOPENSSL_PKCS11_ENGINE_PATH
and the absolute path of the NetHSM PKCS11 library inNETHSM_PKCS11_LIBRARY_PATH
.Create a NetHSM PKCS11 configuration file in one of the known locations, e.g.,
/etc/nitrokey/p11nethsm.conf
. It must have configured an operator account and use the same NetHSM instance specified in the generate script before.Update the PKCS11 configuration in
container/nginx/p11nethsm.conf
with your NetHSMs URL and valid operator credentials.Generate the certificate and key.
./container/nginx/generate.sh
Build the container.
docker build -f container/nginx/Dockerfile . -t pkcs-nginx
Run the container.
docker run -p 9443:443 -p 9080:80 pkcs-nginx
The NGINX test page will be available at https://localhost:9443/. Note that your browser, hopefully, will warn you that the websites certificate is self-signed.