Hi, You might want to consider something like OpenResty, which allows for serving certificates on the fly with Lua logic. You can use this to fetch cert/key material via Vault or some other secure data store that can be accessed via TCP (or you could also keep the encrypted private key on-disk and fetch the secret at worker initialization via some Lua logic). See https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md for an example of the former.
> On Nov 14, 2018, at 12:17, Roger Fischer <[email protected]> wrote: > > Hello, > > does NGINX support any mechanisms to securely access the private key of > server certificates? > > Specifically, could NGINX make a request to a key store, rather than reading > from a local file? > > Are there any best practices for keeping private keys secure? > > I understand the basics. The key file should only be readable by root. I > cannot protect the key with a pass-phrase, as NGINX needs to start and > restart autonomously. > > Thanks… > > Roger > > _______________________________________________ > nginx mailing list > [email protected] > http://mailman.nginx.org/mailman/listinfo/nginx
_______________________________________________ nginx mailing list [email protected] http://mailman.nginx.org/mailman/listinfo/nginx
