Thanks, I got it working in the end though. I realize a YubiKey isn't
terribly performant but for my particular use case I don't expect that to be
a problem.
Cheers,
Erik
Posted at Nginx Forum:
https://forum.nginx.org/read.php?2,286922,286967#msg-286967
_
I figured it out and thought I'd post back for anyone else looking at this
post in the future.
My problem had nothing to do with the PKCS#11 engine. It persisted when I
pointed proxy_ssl_certificate_key directly at the non-encrypted,
password-less RSA key file.
Instead, the problem was SNI. By de
According to the documentation
(http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate_key),
proxy_ssl_certificate_key supports syntax for ssl-engine specific backends:
> The value engine:name:id can be specified instead of the file (1.7.9),
> which loads a secret key with a
Hi Erik,
I've been able to use a YubiKey Neo to store a server key and utilize
them via the pkcs11 engine in nginx some time ago. I didn't check the
upstream connection, since I only cared about the front-end.
And as I only had a yubikey neo instead of a proper HSM, it turned out
to be a crypto deccele
Specifically, I'd like to know if the proxy_ssl_certificate and
proxy_ssl_certificate_key directives can support RFC-7512 PKCS#11 URIs, or
whether they're hardwired to be just local file paths.
With my private key in hardware, I'm looking for the ability to point nginx
to something like:
location
Hi there,
I'm building a reverse proxy that needs to use TLS client certificates for
authentication to its proxy_pass location.
The documentation at
https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
is pretty clear in how to point Nginx to the signed certi