Configure Nginx Server

this section shows how to configure the nginx instance to integrate with the {{futurex}} pkcs #11 library set {{futurex}} pkcs #11 environment variables in a terminal, run the following commands to set the required fxpkcs11 environment variables, modifying the file path to match the location where the libfxpkcs11 so and fxpkcs11 cfg files are stored on your system export fxpkcs11 module=/path/to/libfxpkcs11 so; export fxpkcs11 cfg=/path/to/fxpkcs11 cfg; note be sure to modify the file path to match the location where the libfxpkcs11 so and fxpkcs11 cfg files are stored on your system configure tls certificates for nginx perform the following tasks to configure tls certificates for nginx on your {{vectera}} create a key pair on the vectera plus using pkcs11 tool generate a certificate signing request (csr) using the nginx private key create a self signed root certificate authority (ca) sign the nginx server csr combine the signed nginx certificate and the ca certificate create a key pair perform the following steps to create a key pair on the {{vectera}} by using pkcs11 tool in a terminal, run the following command to create a new ecc key pair on the {{vectera}} by using pkcs11 tool sudo pkcs11 tool module $fxpkcs11 module login keypairgen key type rsa 2048 label "nginx rsa privatekey" id "123456" when prompted for the pin, enter the password of the identity configured in the fxpkcs11 cfg file if successful, the command output lists the keys that pkcs11 tool created on the {{vectera}} generate a csr in a terminal, run the following command to generate a csr from the private key you created in the previous step sudo openssl req new engine pkcs11 keyform engine key "pkcs11\ object=nginx rsa privatekey" out nginx cert req pem the common name of the nginx server certificate should match the domain name or ip address of the virtual host you are configuring it for create a self signed root ca this step creates and uses a self signed root ca in a production environment, use a secure certificate authority (such as the {{k3}} ) for all private key generation and certificate signing operations in a terminal, run the following commands to generate a root private key and self signed certificate sudo openssl genrsa out ssl ca privatekey pem 2048 sudo openssl req new x509 key ssl ca privatekey pem out ssl ca cert pem days 365 sign the nginx server csr in a terminal, run the following command to issue a signed nginx server certificate by using the self signed root ca created in the previous step the common name must be the ip address of the nginx server sudo openssl x509 req in nginx cert req pem ca ssl ca cert pem cakey ssl ca privatekey pem cacreateserial days 365 out signed nginx cert pem extensions v3 leaf combine the certificates in a terminal, run the following commands to combine the signed nginx certificate and the ca certificate into a single pem certificate signed nginx cert pem > combined pem ssl ca pem >> combined pem configure nginx this section covers how to modify the configuration file for an nginx virtual host configuration of a virtual host is outside the scope of this guide refer to this documentation ( www digitalocean com/community/tutorial collections/how to install apache http //www digitalocean com/community/tutorial collections/how to install apache ) specific to your operating system if you do not already have a virtual host configured perform the following steps to configure nginx to use the signed certificate and private key stored on the hsm before making any changes, stop your nginx server with the following commands sudo systemctl stop nginx sudo service nginx stop in a text editor, open the configuration file in your conf d folder in the nginx directory for the virtual host you want to configure https for and modify it as shown in the following code sample modify the location of the signed nginx certificate specified in the ssl certificate define according to its location on your system the object name of the nginx private key specified in the ssl certificate key define must match the label you set in the pkcs11 tool command server { listen 443 ssl; 	 server name www example com; ssl certificate /usr/local/bin/fxpkcs11/combined pem; ssl certificate key "engine\ pkcs11\ pkcs11\ token=futurex;object=nginx rsa privatekey"; 	 ssl protocols tlsv1 tlsv1 1 tlsv1 2 tlsv1 3; root /var/www/html; index index html index htm index nginx debian html; access log /var/log/nginx/access log; error log /var/log/nginx/error log; \#ssl verify client off; location / { \# first attempt to serve request as file, then \# as directory, then fall back to displaying a 404 try files $uri $uri/ =404; 	 } } restart your nginx server by using the following command sudo nginx g 'daemon off;' do not close the window during operation if you get an error message on startup, check that nothing is running on port 443 confirm the configuration if you did not create a client certificate in the previous section for mutual authentication, skip to step 4 in this section you can complete the following steps with a firefox web browser there might be some differences in the actions taken when using a different browser, but the overall intent of the process is the same perform the following steps to confirm that nginx uses the new tls certificate and private key (stored on the hsm) for https connections in firefox, select settings > privacy & security > certificates > view certificates select authorities > import to import the combined certificate ( combined pem ) use the option trust this certificate to identify websites when you browse to the ip address of the nginx website that is running over https, you should see a lock icon next to the web address view the certificate that the website served to the browser and confirm that it is the certificate you configured in nginx