Configure Nginx Server

10min
This section shows how to configure the Nginx instance to integrate with the  PKCS #11 library.
Set Futurex PKCS #11 environment variables
1
In a terminal, run the following commands to set the required FXPKCS11 environment variables, modifying the file path to match the location where the libfxpkcs11.so and fxpkcs11.cfg files are stored on your system:
Shell
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;

export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;

export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
﻿
Configure TLS certificates for Nginx
Perform the following tasks to configure TLS certificates for Nginx on your : 
1 | Create a key pair on the Vectera Plus using pkcs11-tool
1
In a terminal, run the following command to create a new ECC key pair on the  by using pkcs11-tool:
Shell
sudo pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 -- label "nginx_rsa_privatekey" --id "123456"
sudo pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 -- label "nginx_rsa_privatekey" --id "123456"
﻿
2
When prompted for the PIN,  enter the password of the identity configured in the fxpkcs11.cfg file.
If successful, the command output will list the keys that pkcs11-tool created on the Vectera Plus.
2 | Generate a Certificate Signing Request (CSR) using the Nginx private key
1
In a terminal, run the following command to generate a CSR from the private key you just created the previous step:
Shell
sudo openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=nginx_rsa_privatekey" -out nginx-cert-req.pem
sudo openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=nginx_rsa_privatekey" -out nginx-cert-req.pem
﻿
The common name of the Nginx Server certificate should match the domain name or IP of the virtual host you are configuring it for.
3 | Create a self-signed Root Certificate Authority (CA)
This step creates and uses a self-signed root certificate authority (CA). In a production environment, use a secure certificate authority (such as the ) for all private key generation and certificate signing operations.
1
In a terminal, run the following commands to generate a root private key and self-signed certificate. 
Shell
sudo openssl genrsa -out ssl-ca-privatekey.pem 2048

sudo openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
sudo openssl genrsa -out ssl-ca-privatekey.pem 2048

sudo openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
﻿
4 | Sign the Nginx server CSR
1
In a terminal, run the following command to issue a signed Nginx Server certificate by using the self-signed root CA created in the previous step:
The common name must be the IP address of the Nginx server.
Shell
sudo openssl x509 -req -in nginx-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-nginx-cert.pem -extensions v3_leaf 
sudo openssl x509 -req -in nginx-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-nginx-cert.pem -extensions v3_leaf 
﻿
5 | Combine the signed Nginx certificate and the CA certificate
1
In a terminal, run the following commands to combine the signed Nginx certificate and the CA certificate into a single .pem certificate.
Shell
signed-nginx-cert.pem > Combined.pem

ssl-ca.pem >> combined.pem
signed-nginx-cert.pem > Combined.pem

ssl-ca.pem >> combined.pem
﻿
Configure Nginx to use the signed certificate and private key stored on the HSM
This section covers how to modify the configuration file for an NGINX virtual host. Configuration of a virtual host is outside the scope of this guide. Refer to this documentation specific to your operating system if you do not already have a virtual host configured.
1
Before making any changes, stop your Nginx server with the following commands:
Shell
sudo systemctl stop nginx
sudo service nginx stop
sudo systemctl stop nginx
sudo service nginx stop
﻿
2
In a text editor, open the configuration file in your conf.d folder in the Nginx directory for the virtual host you want to configure HTTPS for and modify it as shown in the following code sample:
Modify the location of the signed Nginx certificate specified in the ssl_certificate define according to its location on your system. The object name of the Nginx private key specified in the ssl_certificate_key define must match the label you set in the pkcs11-tool command.
Text
server {
        listen 443 ssl;
	    server_name www.example.com;
        ssl_certificate /usr/local/bin/fxpkcs11/combined.pem;
        ssl_certificate_key "engine:pkcs11:pkcs11:token=Futurex;object=nginx_rsa_privatekey";
	    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        #ssl_verify_client off;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
	     }
}
server {
        listen 443 ssl;
	    server_name www.example.com;
        ssl_certificate /usr/local/bin/fxpkcs11/combined.pem;
        ssl_certificate_key "engine:pkcs11:pkcs11:token=Futurex;object=nginx_rsa_privatekey";
	    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        #ssl_verify_client off;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
	     }
}
﻿
3
Restart your Nginx server by using the following command:
Shell
sudo nginx -g 'daemon off;'
sudo nginx -g 'daemon off;'
﻿
Do not close the window during operation. If you get an error message on startup, check that nothing is running on port 443.
Confirm that Nginx uses the new TLS certificate and private key (stored on the HSM) for HTTPS connections
If you did not create a client certificate in the previous section for mutual authentication, skip to step 4 in this section. You can complete the following steps with a Firefox web browser. There might be some differences in the actions taken when using a different browser, but the overall intent of the process is the same.
1
In Firefox, select Settings > Privacy & Security > Certificates > View Certificates.
2
Select Authorities > Import to import the combined certificate (combined.pem). Use the option Trust this certificate to identify websites.
3
When you browse to the IP address of Nginx website that is running over HTTPS, you should see a lock icon next to the web address.
4
View the certificate the website served to the browser and confirm that it is the certificate you configured in Nginx.
﻿
Updated 24 Aug 2024
Did this page help you?
Install and configure OpenSSL engine
OpenSSL Engine