Configure the NGINX server

9min
Perform the following tasks to configure the NGINX server:
1 | Set Futurex PKCS #11 Environment Variables
1
In a terminal, run the following commands to set the required FXPKCS11 environment variables:
Text
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;

export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;

export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
﻿
Be sure to modify the file path to match the location where libfxpkcs11.so and fxpkcs11.cfg files are stored on your system.
2 | Create a key pair on the  using pkcs11-tool
1
In a terminal, run the following command to create a new ECC key pair on the  using pkcs11-tool:
Text
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "nginx_rsa_privatekey" --id "123456"
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "nginx_rsa_privatekey" --id "123456"
﻿
The above pkcs11-tool command prompts for the user PIN. Enter the  identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file. If successful, the command output will list the keys that pkcs11-tool created on the .
3 | Generate a CSR by using the NGINX private key
1
In a terminal, run the following command to generate a CSR from the private key created on the  for NGINX using pkcs11-tool.
Text
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=nginx_rsa_privatekey" -out nginx-cert-req.pem
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=nginx_rsa_privatekey" -out nginx-cert-req.pem
﻿
The Common Name of the NGINX certificate should match the IP address or hostname of the virtual host it is configured for.
4 | Create a self-signed root certificate authority (CA)
Here we are creating and using a self-signed root certificate authority (CA) for demonstration purposes. In a production environment, you should use a secure certificate authority, such as the KMES Series 3, for all private key generation and certificate signing operations.
1
In a terminal, run the following commands to generate a root private key and self-signed certificate. We will use this certificate to sign the NGINX certificate in the next step.
Text
openssl genrsa -out ssl-ca-privatekey.pem 2048

openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
openssl genrsa -out ssl-ca-privatekey.pem 2048

openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
﻿
5 | Sign the NGINX CSR
1
In a terminal, run the following command to issue a signed NGINX certificate using the self-signed root CA created in the previous step.
Text
openssl x509 -req -in nginx-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-nginx-cert.pem -extensions v3_leaf
openssl x509 -req -in nginx-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-nginx-cert.pem -extensions v3_leaf
﻿
The Common Name must be the IP address or hostname of the NGINX server.
6 | Combine the NGINX and CA certificates into a single file
1
In a terminal, run the following commands to combine the NGINX and CA certificates into a single PEM file.
Text
cat signed-nginx-cert.pem > combined.pem

cat ssl-ca.pem >> combined.pem
cat signed-nginx-cert.pem > combined.pem

cat ssl-ca.pem >> combined.pem
﻿
7 | Configure NGINX to use the certificate and its associated private key stored in ﻿
This section covers how to modify the configuration file for an NGINX virtual host. Configuration of a virtual host is outside the scope of this guide. Please reference the following documentation specific to your operating system if you do not already have a virtual host configured.
1
Before making any changes, stop your NGINX server using the following commands:
Text
sudo systemctl stop nginx

sudo service nginx stop
sudo systemctl stop nginx

sudo service nginx stop
﻿
In a text editor, open the configuration file inside the conf.d/ folder in the NGINX directory for the virtual host you want to configure HTTPS for and modify it as shown below:
Text
server {
    listen 443 ssl http2;
    server_name my-website.com www.my-website.com;

    # SSL Certificate and Key Paths
    ssl_certificate /usr/local/bin/fxpkcs11/combined.pem;
    ssl_certificate_key "engine:pkcs11:pkcs11:token=Futurex;object=nginx_rsa_privatekey";

    # SSL Protocols and Ciphers
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';

    # Other SSL Settings
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Security Headers
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Document Root
    root /var/www/html;

    # Index Files
    index index.html index.htm;


    location / {
        try_files $uri $uri/ =404;
    }
}
server {
    listen 443 ssl http2;
    server_name my-website.com www.my-website.com;

    # SSL Certificate and Key Paths
    ssl_certificate /usr/local/bin/fxpkcs11/combined.pem;
    ssl_certificate_key "engine:pkcs11:pkcs11:token=Futurex;object=nginx_rsa_privatekey";

    # SSL Protocols and Ciphers
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';

    # Other SSL Settings
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Security Headers
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Document Root
    root /var/www/html;

    # Index Files
    index index.html index.htm;


    location / {
        try_files $uri $uri/ =404;
    }
}
﻿
The location of the signed NGINX certificate specified in the ssl_certificate define needs to be modified according to where it is stored on your system. The object name of the NGINX private key specified in the ssl_certificate_key define must match the label you set in the pkcs11-tool command in a previous section.
2
Restart your NGINX server with the following command:
Text
$ sudo nginx -g 'daemon off;'
$ sudo nginx -g 'daemon off;'
﻿
The "daemon off" startup parameter is required for this integration. Do not close the window during operation. If you receive an error message on startup, check to make sure there is not already a service running on port 443.
8 | Confirm NGINX uses the new TLS certificate and private key (stored on the ) for HTTPS connections
You can complete the following steps with the Firefox web browser. There might be some differences in the actions when using a different browser, but the overall intent of the process is the same.
1
In Firefox, select Settings > Privacy & Security > Certificates > View Certificates.
2
Select Authorities > Import and import the combined certificate (i.e., combined.pem). Use the option Trust this certificate to identity websites.
3
Browse to the IP address of the NGINX website that is running over HTTPS. You should see a lock icon to the left of the web address.
4
View the certificate that the website served to the browser and confirm it is the certificate configured for the NGINX server.
﻿
﻿
﻿
﻿
﻿
Test OpenSSL Engine
OpenSSL Engine
Configure the NGINX server

1 | Set Futurex PKCS #11 Environment Variables

2 | Create a key pair on the using pkcs11-tool

3 | Generate a CSR by using the NGINX private key

4 | Create a self-signed root certificate authority (CA)

5 | Sign the NGINX CSR

6 | Combine the NGINX and CA certificates into a single file

7 | Configure NGINX to use the certificate and its associated private key stored in ﻿

8 | Confirm NGINX uses the new TLS certificate and private key (stored on the ) for HTTPS connections

7 | Configure NGINX to use the certificate and its associated private key stored in
