Configure the Nginx Server

10min
This section covers the following Nginx Server configuration tasks:
Set Futurex PKCS #11 environment variables
Configure Nginx certificates.
Configure Nginx to use the signed certificate and private key stored on the KMES.
The following sections provide detailed instructions.
Set Futurex PKCS #11 environment variables
1
In a terminal, run the following commands to set the required FXPKCS11 environment variables, modifying the file path to match the location where the libfxpkcs11.so and fxpkcs11.cfg files are located on your system:
Shell
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
﻿
Configure Nginx certificates
Perform the following tasks to configure Nginx certificates:
Create a key pair on the KMES.
Generate a CSR.
Create a self-signed root CA.
Sign the Nginx Server CSR.
Create a client certificate.
Create a key pair on the KMES by using PKCS11-Tool
1
In a terminal, run the following command to create a new RSA key pair on the KMES by using pkcs11-tool:
Shell
sudo pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 -- label "Nginx_rsa_privatekey" --id "123456"
sudo pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 -- label "Nginx_rsa_privatekey" --id "123456"
﻿
2
When this pkcs11-tool command prompts for the PIN, enter the password of the identity configured in fxpkcs11.cfg.
 If successful, the command output lists the keys that pkcs11-tool created on the KMES.
Generate a CSR by using the Nginx private key
1
In a terminal, run the following command to generate a CSR from the private key that pkcs11-tool created on the KMES for Nginx in the preceding step. Ensure that the common name of the Nginx Server certificate matches the domain name or IP address of the virtual host for which you are configuring it.
Shell
sudo openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=Nginx_rsa_privatekey" -out Nginx-cert-req.pem
sudo openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=Nginx_rsa_privatekey" -out Nginx-cert-req.pem
﻿
Create a self-signed root CA
The following instructions show you how to create and use a self-signed root certificate authority (CA) as a demonstration. In a production environment, use a secure certificate authority (such as the KMES Series 3) for all private key generation and certificate signing operations.
1
In a terminal, run the following commands to generate a root private key and self-signed certificate.
Shell
sudo openssl genrsa -out ssl-ca-privatekey.pem 2048
sudo openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
sudo openssl genrsa -out ssl-ca-privatekey.pem 2048
sudo openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
﻿
Sign the Nginx Server CSR
1
In a terminal, run the following command to issue a signed Nginx Server certificate by using the self-signed root CA created in the preceding section:
Shell
sudo openssl x509 -req -in Nginx-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-Nginx-cert.pem -extensions v3_leaf
sudo openssl x509 -req -in Nginx-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-Nginx-cert.pem -extensions v3_leaf
﻿
Create a client certificate for the browser that connects to Nginx
1
In a terminal, generate a client key pair by using the following command:
Shell
sudo openssl genrsa -out ssl-client-privatekey.pem 2048
sudo openssl genrsa -out ssl-client-privatekey.pem 2048
﻿
2
Run the following command to create a client certificate signing request:
Shell
sudo openssl req -new -key ssl-client-privatekey.pem -out ssl-client-req.pem -days 365
sudo openssl req -new -key ssl-client-privatekey.pem -out ssl-client-req.pem -days 365
﻿
3
Run the following command to sign the CSR with the CA certificate you created:
Shell
sudo openssl x509 -req -in ssl-client-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out ssl-client-cert.pem -extensions v3_leaf
sudo openssl x509 -req -in ssl-client-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out ssl-client-cert.pem -extensions v3_leaf
﻿
4
Run the following command to convert the signed client certificate to PKCS #12 format for insertion into the browser:
Shell
sudo openssl pkcs12 -inkey ssl-client-privatekey.pem -in ssl-client-cert.pem -CAfile ssl-ca-cert.pem -export -out ssl-client-pkcs12.p12
sudo openssl pkcs12 -inkey ssl-client-privatekey.pem -in ssl-client-cert.pem -CAfile ssl-ca-cert.pem -export -out ssl-client-pkcs12.p12
﻿
If you encounter SSL errors when connecting to your Nginx server in the web browser after the completion of this guide, ensure that you added the v3_leaf extensions properly. Nginx requires the SANS (added in as IP.1 under the v3_leaf extension in your openssl.cnf file) in both the signed Nginx certificate and the browser client certificate.
Configure Nginx to use the signed certificate and private key stored on the KMES
This section covers how to modify the configuration file for an Nginx virtual host. Configuration of a virtual host is outside the scope of this guide. Refer to the documentation specific to your operating system if you have not already configured a virtual host.
1
Before making any changes, stop your Nginx server with the following commands:
Shell
sudo systemctl stop Nginx
sudo service Nginx stop
sudo systemctl stop Nginx
sudo service Nginx stop
﻿
2
In a text editor, open the configuration file in your conf.d folder in the Nginx directory for the virtual host you want to configure HTTPS for and modify it as shown in the following example:
Modify the location of the signed Nginx certificate specified in the ssl_certificate define according to where it is stored on your system.
The object name of the Nginx private key specified in the ssl_certificate_key define must match the label you set in the pkcs11-tool command.
Text
server {
        listen 443 ssl;
	server_name www.example.com;
        ssl_certificate /usr/local/bin/fxpkcs11/signed-Nginx-cert.pem;
        ssl_certificate_key "engine:pkcs11:pkcs11:token=Futurex;object=Nginx_rsa_privatekey";
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        root /var/www/html;
        index index.html index.htm index.Nginx-debian.html;
        access_log /var/log/Nginx/access.log;
        error_log /var/log/Nginx/error.log;
        #ssl_verify_client off;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
	 }
}
server {
        listen 443 ssl;
	server_name www.example.com;
        ssl_certificate /usr/local/bin/fxpkcs11/signed-Nginx-cert.pem;
        ssl_certificate_key "engine:pkcs11:pkcs11:token=Futurex;object=Nginx_rsa_privatekey";
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        root /var/www/html;
        index index.html index.htm index.Nginx-debian.html;
        access_log /var/log/Nginx/access.log;
        error_log /var/log/Nginx/error.log;
        #ssl_verify_client off;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
	 }
}
﻿
3
Restart your Nginx server by using the following command:
Shell
sudo Nginx -g 'daemon off;'
sudo Nginx -g 'daemon off;'
﻿
This integration needs the daemon off startup parameter. Do not close the window during operation. If you get an error message on startup, check to ensure a service is not already running on port 443.
Confirm that Nginx uses the new TLS certificate and private key stored on the KMES for HTTPS connections
The following steps use a Firefox web browser. Using a different browser might require altered actions, but the fundamental steps are the same.
1
In Firefox, select Settings > Privacy & Security > Certificates > View Certificates.
2
Select Your Certificates > Import to import the PKCS #12 client certificate (ssl-client-pkcs12.p12).
3
Select Authorities > Import to import the CA certificate (ssl-ca-cert.pem).
4
Browse to the IP address of Nginx website that runs over HTTPS. If you configured a client certificate in the browser for mutual authentication, you should see a lock icon next to the web address.
5
View the certificate that the website served to the browser and confirm that it is the certificate configured in Nginx.
﻿
﻿
﻿
﻿
﻿
Install and configure the OpenSSL engine
Data storage