Nginx Server configuration
This section details the steps to configure the Nginx instance to integrate with the Futurex PKCS #11 library.
In a terminal, run the following commands to set the required FXPKCS11 environment variables:
Be sure to modify the file path to match the location where the libfxpkcs11.so and fxpkcs11.cfg files are stored on your system.
In a terminal, run the following command to create a new ECC key pair on the Vectera Plus using pkcs11-tool:
The above pkcs11-tool command prompts for the user PIN. Enter the password of the identity configured in the fxpkcs11.cfg file. If successful, the command output will list the keys that pkcs11-tool created on the Vectera Plus.
In a terminal, run the following command to generate a CSR from the private key that pkcs11-tool created on the Vectera Plus in the previous step. Because the private key never leaves the HSM, OpenSSL signs the request through the PKCS #11 library rather than reading a key file:
The common name of the Nginx Server certificate should match the domain name or IP address of the virtual host that you are configuring it for. Current browsers match the name against the subjectAltName extension rather than the common name, so the issued certificate must also carry a SAN entry (DNS or IP) for the same value.
Here we are creating and using a self-signed root certificate authority (CA) for demonstration purposes. In a production environment, a secure certificate authority (such as the KMES Series 3) should be used for all private key generation and certificate signing operations.
In a terminal, run the following commands to generate a root private key and self-signed certificate. We will use this certificate to sign the Nginx Server certificate in the next step.
In a terminal, run the following command to issue a signed Nginx Server certificate using the self-signed root CA created in the previous step:
The common name must be the domain name or IP address of the Nginx server, the same value used in the CSR.
In a terminal, run the following commands to combine the signed Nginx certificate and the CA certificate into a single .pem chain file. The server certificate must come first in the file, followed by the CA certificate; Nginx matches the first certificate against the private key.
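The key, CSR, demonstration CA, signing and chain steps above as one POSIX shell script. This is an added example, not Futurex's own scripting: the library and configuration paths, the FXPKCS11_CFG variable name, the libp11 engine location, the key label nginx-key, the host 10.0.0.5 and the working directory are all assumptions to adjust for your system. The openssl commands use the OpenSSL 1.1 engine interface, the same interface Nginx's engine: key syntax relies on.

```shell
#!/bin/sh
# Added example (not Futurex's scripting): key, CSR and demo-CA steps as one
# script. Paths, the env-var name, the key label and the host are assumptions.
set -eu

FX_LIB=${FX_LIB:-/usr/local/lib/libfxpkcs11.so}   # assumed install path
FX_CFG=${FX_CFG:-/etc/fxpkcs11.cfg}              # assumed config path
ENGINE_SO=${ENGINE_SO:-/usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so}  # libp11 engine, assumed
KEY_LABEL=${KEY_LABEL:-nginx-key}                # must equal object= in ssl_certificate_key
HOST=${HOST:-10.0.0.5}                           # name or IP the browser will use
WORKDIR=${WORKDIR:-./nginx-hsm}

# Pick the subjectAltName type from the host value: browsers match SAN, not CN,
# so an IP needs "IP:" and a DNS name needs "DNS:".
san_for_host() {
  case "$1" in
    *:*)       printf 'IP:%s\n' "$1" ;;   # IPv6 literal
    *[!0-9.]*) printf 'DNS:%s\n' "$1" ;;  # contains letters or '-': a hostname
    *)         printf 'IP:%s\n' "$1" ;;   # dotted-quad IPv4
  esac
}

# RFC 7512 URI for the private key object; the identical string goes into nginx.
pkcs11_uri() {
  printf 'pkcs11:object=%s;type=private\n' "$1"
}

# Step 1: FXPKCS11 environment (assumed variable name) plus an OpenSSL config
# that loads the libp11 engine with the Futurex module behind it.
fx_env() {
  export FXPKCS11_CFG="$FX_CFG"
  mkdir -p "$WORKDIR"
  cat > "$WORKDIR/openssl-pkcs11.cnf" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = $ENGINE_SO
MODULE_PATH = $FX_LIB
init = 0
EOF
  export OPENSSL_CONF="$WORKDIR/openssl-pkcs11.cnf"
}

# Step 2: P-256 key pair generated on the HSM, restricted to signing.
# pkcs11-tool prompts for the user PIN (the identity password from fxpkcs11.cfg).
hsm_keygen() {
  pkcs11-tool --module "$FX_LIB" --login --keypairgen \
    --key-type EC:prime256v1 --label "$KEY_LABEL" --id 01 --usage-sign
  pkcs11-tool --module "$FX_LIB" --login --list-objects --type privkey
}

# Step 3: CSR signed by the HSM-resident key. No pin-value= in the URI, so the
# engine prompts instead of leaving the PIN in shell history and `ps` output.
make_csr() {
  openssl req -new -sha256 -engine pkcs11 -keyform engine \
    -key "$(pkcs11_uri "$KEY_LABEL")" \
    -subj "/CN=$HOST" -out "$WORKDIR/nginx.csr"
}

# Step 4: demo root CA with a software key (production: a real CA such as KMES).
make_demo_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -sha256 -days 3650 -subj "/CN=Demo Root CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt"
}

# Step 5: issue the server certificate with server-auth extensions and a SAN.
sign_server_cert() {
  {
    echo "[v3_server]"
    echo "basicConstraints = CA:FALSE"
    echo "keyUsage = critical, digitalSignature"
    echo "extendedKeyUsage = serverAuth"
    echo "subjectAltName = $(san_for_host "$HOST")"
  } > "$WORKDIR/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORKDIR/nginx.csr" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
    -extfile "$WORKDIR/server.ext" -extensions v3_server -out "$WORKDIR/nginx.crt"
}

# Step 6: chain file, leaf first (nginx checks the first cert against the key),
# then verify the chain and show the subject and SAN that were issued.
combine_chain() {
  cat "$WORKDIR/nginx.crt" "$WORKDIR/ca.crt" > "$WORKDIR/combined.pem"
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/nginx.crt"
  openssl x509 -in "$WORKDIR/nginx.crt" -noout -subject -ext subjectAltName
}

main() { fx_env; hsm_keygen; make_csr; make_demo_ca; sign_server_cert; combine_chain; }

# Only touches the HSM when invoked as: sh nginx-hsm-certs.sh run
if [ "${1-}" = run ]; then main; fi
```

Run it as sh nginx-hsm-certs.sh run; without the argument it only defines the functions. Keep the same OPENSSL_CONF and FXPKCS11 environment in the shell you later start Nginx from, since Nginx loads the engine through the same OpenSSL configuration.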
This section covers how to modify the configuration file for an Nginx virtual host. Configuration of a virtual host is outside the scope of this guide. Please reference the following documentation specific to your operating system if you do not already have a virtual host configured.
Before making any changes, stop your Nginx server with the following commands:
In a text editor, open the configuration file in your conf.d folder in the Nginx directory for the virtual host you want to configure HTTPS for and modify it as shown below:
The location of the combined Nginx certificate file specified in the ssl_certificate directive must be modified according to where it is stored on your system. The object name of the Nginx private key specified in the ssl_certificate_key directive must match the label you set in the pkcs11-tool command exactly; otherwise Nginx cannot find the key on the HSM and fails to start.
Restart your Nginx server by using the following command:
The 'daemon off;' startup parameter is required for this integration, so Nginx stays in the foreground attached to this terminal. Do not close the window during operation. If you get an error message on startup, check that nothing else is already listening on port 443.
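The stop, edit and foreground-start steps above as one script. This is an added example, not the guide's own configuration: the conf.d file name, the chain file location, the host 10.0.0.5 and the key label nginx-key are assumptions, and the server block is a minimal one rather than a copy of any existing virtual host.

```shell
#!/bin/sh
# Added example, not the guide's configuration: write the HTTPS virtual-host
# file and start nginx in the foreground. The conf.d path, chain file
# location, host and key label are assumptions.
set -eu

SITE_CONF=${SITE_CONF:-/etc/nginx/conf.d/hsm-site.conf}
CHAIN=${CHAIN:-/etc/nginx/ssl/combined.pem}   # combined.pem from the previous section
HOST=${HOST:-10.0.0.5}
KEY_LABEL=${KEY_LABEL:-nginx-key}             # label given to pkcs11-tool --label

# The server block. ssl_certificate is an ordinary file (the chain). The key is
# not a file: "engine:<engine name>:<key id>" tells nginx to ask the OpenSSL
# pkcs11 engine for the object named by the PKCS#11 URI that follows, so
# object= must equal the pkcs11-tool label exactly.
render_site_conf() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name $1;

    ssl_certificate     $3;
    ssl_certificate_key "engine:pkcs11:pkcs11:object=$2;type=private";

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        root  /usr/share/nginx/html;
        index index.html;
    }
}
EOF
}

# Stop the running server, install the file and syntax-check it. nginx -t loads
# the certificate and key, so it exercises the engine path before a real start.
# The OPENSSL_CONF / FXPKCS11 environment used for the CSR must be set here too.
install_site_conf() {
  nginx -s stop 2>/dev/null || true   # ignore "no running instance"
  render_site_conf "$HOST" "$KEY_LABEL" "$CHAIN" > "$SITE_CONF"
  nginx -t
}

# Foreground start, as the integration requires; keep this terminal open.
# If the bind fails, find the other listener with: ss -ltnp 'sport = :443'
start_foreground() {
  exec nginx -g 'daemon off;'
}

case "${1-}" in
  install) install_site_conf ;;
  start)   start_foreground ;;
  *)       : ;;   # no argument: only define the functions
esac
```

Use sh nginx-hsm-site.sh install to write and test the configuration, then sh nginx-hsm-site.sh start in the same shell.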
Confirm that Nginx uses the new TLS certificate and private key (stored on the HSM) for HTTPS connections
If you did not create a client certificate in the previous section for mutual authentication, skip to step 4 below. You can complete the following steps with a Firefox web browser. There may be some differences in the actions taken when using a different browser, but the overall intent of the process will be the same.
In Firefox, select Settings > Privacy & Security > Certificates > View Certificates.
Select Authorities > Import to import the combined certificate (combined.pem). Use the option Trust this certificate to identify websites.
Browse to the IP address of the Nginx website that is running over HTTPS. You should see a lock icon next to the web address.
View the certificate that the website served to the browser and confirm that it is the certificate you configured in Nginx.
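The same confirmation from the command line, as an added example that is not part of the guide: fetch the certificate Nginx actually serves, compare its fingerprint with the first certificate in the configured chain file, verify it against the demonstration CA and check that the SAN names the host. Host, port and file locations are assumptions.

```shell
#!/bin/sh
# Added example (not part of the guide): the browser check done with openssl.
# Host, port and file locations are assumptions.
set -eu

HOST=${HOST:-10.0.0.5}
PORT=${PORT:-443}
CHAIN=${CHAIN:-/etc/nginx/ssl/combined.pem}   # file named in ssl_certificate
CA=${CA:-./nginx-hsm/ca.crt}                  # demo root from the CA step

# Reduce "sha256 Fingerprint=AB:CD:..." (openssl 1.1 prints SHA256, 3.x sha256)
# to bare lowercase hex so fingerprints compare as plain strings.
fp_hex() {
  printf '%s' "$1" | sed -e 's/^[^=]*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Leaf certificate the server presents; openssl x509 keeps only the first
# PEM block of the s_client output, which is the server certificate.
served_leaf() {
  openssl s_client -connect "$HOST:$PORT" -servername "$HOST" -showcerts \
    </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# SHA-256 fingerprint of the first certificate in a PEM file.
file_fp() {
  fp_hex "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# 1) served leaf equals the first cert in the chain file (the HSM key's cert)
# 2) served leaf chains to the demo CA
# 3) the SAN contains the host the browser will type
verify_served() {
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT
  served_leaf > "$tmp"
  [ "$(file_fp "$tmp")" = "$(file_fp "$CHAIN")" ] ||
    { echo "served certificate differs from $CHAIN"; return 1; }
  openssl verify -CAfile "$CA" "$tmp"
  openssl x509 -in "$tmp" -noout -ext subjectAltName | grep -qF "$HOST" ||
    { echo "SAN does not contain $HOST"; return 1; }
  echo "OK: nginx is serving the HSM-backed certificate for $HOST"
}

# Only contacts the server when invoked as: sh verify-nginx-hsm.sh run
if [ "${1-}" = run ]; then verify_served; fi
```

A matching fingerprint shows Nginx is presenting the certificate issued for the HSM-resident key; because the handshake completed, Nginx was also able to sign with that key through the PKCS #11 library.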