# Configure the NGINX server
Perform the following tasks to configure the NGINX server:

1. Set {{futurex}} PKCS #11 environment variables.
2. Create a key pair on the {{ch}} by using pkcs11-tool.
3. Generate a CSR by using the NGINX private key.
4. Create a self-signed root certificate authority.
5. Sign the NGINX CSR.
6. Combine the NGINX and CA certificates into a single file.
7. Configure NGINX to use the certificate and its associated private key stored in {{ch}}.
8. Confirm NGINX uses the new TLS certificate and private key (stored on the {{ch}}) for HTTPS connections.

## Set environment variables

Perform the following to set the {{futurex}} PKCS #11 environment variables.

In a terminal, run the following commands to set the required FXPKCS11 environment variables:

```shell
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so; export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
```

Be sure to modify the file paths to match the location where the libfxpkcs11.so and fxpkcs11.cfg files are stored on your system.

## Create a key pair

Perform the following steps to create a key pair on the {{ch}} by using pkcs11-tool.

In a terminal, run the following command to create a new RSA key pair on the {{ch}}:

```shell
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "nginx-rsa-privatekey" --id "123456"
```

The preceding pkcs11-tool command prompts for the user PIN. Enter the {{ch}} identity password configured inside the `<CRYPTO-OPR-PASS>` tag in the fxpkcs11.cfg file.

If successful, the command output displays the keys that pkcs11-tool created on the {{ch}}.

## Generate a CSR

Perform the following steps to generate a CSR by using the NGINX private key.

In a terminal, run the following command to generate a CSR from the private key created on the {{ch}} for NGINX by using pkcs11-tool:

```shell
openssl req -new -provider pkcs11 -provider-path $FXPKCS11_MODULE -key "pkcs11:token=futurex;object=nginx-rsa-privatekey;type=private" -out nginx-cert-req.pem
```

The Common Name of the NGINX certificate should match the IP address or hostname of the virtual host it is configured for.

## Create a CA

This step creates and uses a self-signed root certificate authority (CA) for demonstration. In a production environment, you should use a secure certificate authority, such as the {{k3}}, for all private key generation and certificate signing operations.

Perform the following steps to create a self-signed root certificate authority (CA).

In a terminal, run the following commands to generate a root private key and self-signed certificate:

```shell
openssl genrsa -out ssl-ca-privatekey.pem 2048
openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
```

## Sign the CSR

Perform the following steps to sign the NGINX CSR.

In a terminal, run the following command to issue a signed NGINX certificate by using the self-signed root CA created in the previous step:

```shell
openssl x509 -req -in nginx-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-nginx-cert.pem -extensions v3_leaf
```

The Common Name must be the IP address or hostname of the NGINX server.

## Combine the certificates

To combine the NGINX and CA certificates into a single file, run the following commands in a terminal. The server certificate goes first, followed by the CA certificate, which is the order NGINX expects in a combined PEM file:

```shell
cat signed-nginx-cert.pem > combined.pem
cat ssl-ca-cert.pem >> combined.pem
```

## Configure NGINX

This section covers how to modify the configuration file for an NGINX virtual host. Configuration of a virtual host is outside the scope of this guide. Refer to this documentation, https://www.digitalocean.com/community/tutorial-collections/how-to-install-apache, specific to your operating system if you have not configured a virtual host.

Perform the following steps to configure NGINX to use the certificate and its associated private key stored in {{ch}}.

Before making any changes, stop your NGINX server by using one of the following commands:

```shell
sudo systemctl stop nginx
sudo service nginx stop
```

The latest version of NGINX (as of September 2025) doesn't support using a URI to obtain keys through the OpenSSL provider architecture in the conf file. Luckily, pkcs11-provider by latchset has a workaround: it uses a PEM file with the URI information enclosed to obtain the private key that is stored on {{ch}}. Visit the following site and download the Python file uri2pem.py.

Important: Futurex will provide support for all other aspects of the integration; however, this script is not maintained by Futurex, and we cannot guarantee its functionality or offer troubleshooting support related to it.

uri2pem.py website: https://github.com/latchset/pkcs11-provider/blob/1362378ad3d5f40013bae7562cf7e5d79149925e/tools/uri2pem.py

Set up a Python virtual environment and download the necessary libraries for this script to work:

```shell
sudo apt install -y python3-venv
sudo mkdir -p /projects/uri2pem
cd /projects/uri2pem
python3 -m venv venv
source venv/bin/activate
```

Afterwards, use the following commands to make sure that both python and pip point to /projects/uri2pem/venv/:

```shell
which python
which pip
```

Run the following commands to install the needed Python library and then run the script with the URI:

```shell
pip install asn1crypto
python uri2pem.py "pkcs11:token=futurex;object=nginx-rsa-privatekey;type=private" > cert-key.pem
```

In a text editor, open the configuration file inside the conf.d/ folder in the NGINX directory for the virtual host you want to configure HTTPS for, and modify it as shown in the following example:

```nginx
server {
    listen 443 ssl http2;
    server_name my-website.com www.my-website.com;

    # SSL certificate and key paths
    ssl_certificate /path/to/combined.pem;
    ssl_certificate_key /path/to/cert-key.pem;

    # SSL protocols and ciphers
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';

    # Other SSL settings
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Document root
    root /var/www/html;

    # Index files
    index index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

You must update the paths in `ssl_certificate` and `ssl_certificate_key` to point to the signed NGINX certificate bundle and the NGINX private key PEM file, which was generated earlier with Python, as stored on your system.

Check the NGINX configuration files for syntax errors and validity with the following command:

```shell
sudo nginx -t
```

If there are no issues, the output should look similar to the following:

```text
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```

Restart your NGINX server with one of the following commands:

```shell
sudo systemctl restart nginx
sudo service nginx restart
```

## Confirm NGINX configuration

You can complete the following steps with the Firefox web browser. There might be some differences in the actions when using a different browser, but the overall process is the same.

Perform the following steps to confirm NGINX uses the new TLS certificate and private key (stored on the {{ch}}) for HTTPS connections:

1. Browse to the IP address of the NGINX website that is running over HTTPS. You should see a lock icon to the left of the web address.
2. View the certificate that the website served to the browser and confirm it is the certificate configured for the NGINX server.
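The browser check above can also be scripted. The following Python example (added here, not part of the original guide or of Futurex's tooling, standard library only) verifies two things that commonly go wrong in this procedure: that combined.pem lists the server certificate first and the CA certificate last, in the order the `cat` commands above produce, and that the certificate NGINX actually serves has the same SHA-256 fingerprint as signed-nginx-cert.pem. The file names are the ones used in this guide; the host name and port are assumptions passed on the command line.

```python
"""Check the certificate bundle and the served certificate for the NGINX/PKCS#11 setup."""
import hashlib
import re
import ssl
import sys

# Matches one PEM certificate block, including its BEGIN/END markers.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_chain(pem_text: str) -> list[str]:
    """Return the individual CERTIFICATE blocks of a PEM bundle, in file order."""
    return PEM_BLOCK.findall(pem_text)


def fingerprint_sha256(pem_cert: str) -> str:
    """SHA-256 fingerprint of one PEM certificate in OpenSSL's AA:BB:... notation."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert.strip() + "\n")
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_combined_order(combined_pem: str, leaf_pem: str, ca_pem: str) -> list[str]:
    """Report problems with combined.pem: NGINX reads ssl_certificate leaf-first,
    so a reversed cat order makes it serve the CA certificate as the server cert."""
    problems = []
    chain = split_pem_chain(combined_pem)
    if len(chain) < 2:
        problems.append(f"expected at least 2 certificates in combined.pem, found {len(chain)}")
        return problems
    if fingerprint_sha256(chain[0]) != fingerprint_sha256(leaf_pem):
        problems.append("first certificate in combined.pem is not signed-nginx-cert.pem")
    if fingerprint_sha256(chain[-1]) != fingerprint_sha256(ca_pem):
        problems.append("last certificate in combined.pem is not ssl-ca-cert.pem")
    return problems


def served_matches_local(host: str, port: int, leaf_pem: str) -> bool:
    """Fetch the certificate NGINX serves on host:port and compare fingerprints."""
    served = ssl.get_server_certificate((host, port))
    return fingerprint_sha256(served) == fingerprint_sha256(leaf_pem)


if __name__ == "__main__":
    # Assumed usage: python check_nginx_cert.py <host> [port]; files from this guide in cwd.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    with open("combined.pem") as f, open("signed-nginx-cert.pem") as g, open("ssl-ca-cert.pem") as h:
        combined, leaf, ca = f.read(), g.read(), h.read()
    for problem in check_combined_order(combined, leaf, ca):
        print("WARN:", problem)
    print("served certificate matches signed-nginx-cert.pem:", served_matches_local(host, port, leaf))
```

A fingerprint mismatch after a restart usually means NGINX is still serving an older certificate file, while an order warning means the two `cat` commands were run in the wrong sequence.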