Re: Using Yubikey/PKCS11 for Upstream Client Certificates

2020-02-06 Thread erik
Thanks, I got it working in the end though. I realize a Yubikey isn't terribly performant but for my particular use case I don't expect that to be a problem. Cheers, Erik
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286922,286967#msg-286967

Re: Using Yubikey/PKCS11 for Upstream Client Certificates

2020-02-06 Thread erik
I figured it out and thought I'd post back for anyone else looking at this post in the future. My problem had nothing to do with the PKCS#11 engine. It persisted when I pointed proxy_ssl_certificate_key directly at the non-encrypted, password-less rsa key file. Instead, the problem was SNI. By de

Re: Using Yubikey/PKCS11 for Upstream Client Certificates

2020-02-05 Thread erik
According to the documentation (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate_key), proxy_ssl_certificate_key supports syntax for ssl-engine specific backends: > The value engine:name:id can be specified instead of the file (1.7.9), which loads a secret key with a
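An added configuration example, not from the thread, that puts the engine:name:id key syntax quoted above next to explicit upstream SNI, which the 2020-02-06 reply names as the real problem; enabling proxy_ssl_server_name is this example's assumed fix, and the key id uses the PKCS#11 URI form that libp11's engine_pkcs11 accepts. Host names, paths, token label and object id are placeholders.

```nginx
# Added example (not from the thread): nginx configuration combining the
# engine:name:id key syntax with explicit upstream SNI.
# Host names, paths, token label and key id are placeholders.

# Main context: register the OpenSSL pkcs11 engine. Assumes libp11's
# engine_pkcs11 is already configured in openssl.cnf (module path and the
# PKCS#11 provider library for the token).
ssl_engine pkcs11;

events {}

http {
    server {
        listen 443 ssl;
        ssl_certificate     /etc/nginx/frontend.crt;
        ssl_certificate_key /etc/nginx/frontend.key;

        location / {
            proxy_pass https://backend.example.internal;

            # Client certificate presented to the upstream: still a PEM file.
            proxy_ssl_certificate /etc/nginx/upstream-client.crt;

            # Private key stays on the token. The id after the engine name is
            # whatever that engine accepts; engine_pkcs11 takes a PKCS#11 URI.
            # Quoted because the URI's ';' would otherwise end the directive.
            proxy_ssl_certificate_key "engine:pkcs11:pkcs11:token=PIV_II;id=%01;type=private";

            # SNI is off by default for upstream connections; enable it and
            # set the name explicitly so the backend sees the expected host.
            proxy_ssl_server_name on;
            proxy_ssl_name        backend.example.internal;

            # Verify the backend as well, so the authentication is mutual.
            proxy_ssl_verify              on;
            proxy_ssl_trusted_certificate /etc/nginx/upstream-ca.crt;
        }
    }
}
```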

Re: Using Yubikey/PKCS11 for Upstream Client Certificates

2020-02-05 Thread Konstantin Pavlov
Hi Erik, I've been able to use a Yubikey Neo to store a server key and utilize them via pkcs11 engine in nginx some time ago. I didn't check the upstream connection, since I only cared about front-end. And as I only had a Yubikey Neo instead of a proper HSM, it turned out to be a crypto deccele

Re: Using Yubikey/PKCS11 for Upstream Client Certificates

2020-02-04 Thread erik
Specifically, I'd like to know if the proxy_ssl_certificate and proxy_ssl_certificate_key directives can support RFC-7512 PKCS#11 URIs, or whether they're hardwired to be just local file paths. With my private key in hardware, I'm looking for the ability to point nginx to something like: location

Using Yubikey/PKCS11 for Upstream Client Certificates

2020-02-04 Thread erik
Hi there, I'm building a reverse proxy that needs to use TLS client certificates for authentication to its proxy_pass location. The documentation at https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/ is pretty clear in how to point Nginx to the signed certi