# Configure the Nginx Server
This section covers the following Nginx server configuration tasks:

- Set {{futurex}} PKCS #11 environment variables.
- Configure Nginx certificates.
- Configure Nginx to use the signed certificate and private key stored on the KMES.

The following sections provide detailed instructions.

## Set environment variables

Perform the following steps to set {{futurex}} PKCS #11 environment variables:

1. In a terminal, run the following commands to set the required FXPKCS11 environment variables, modifying the file path to match the location where the `libfxpkcs11.so` and `fxpkcs11.cfg` files are located on your system:

   ```
   export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
   export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
   ```

## Configure Nginx certificates

Perform the following tasks to configure Nginx certificates:

- Create a key pair on the {{k}}.
- Generate a CSR.
- Create a self-signed root CA.
- Sign the Nginx server CSR.
- Create a client certificate.

### Create a key pair

Perform the following steps to create a key pair on the {{k}} by using pkcs11-tool:

1. In a terminal, run the following command to create a new RSA key pair on the {{k}} by using pkcs11-tool:

   ```
   sudo pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "nginx-rsa-privatekey" --id "123456"
   ```

2. When this pkcs11-tool command prompts for the PIN, enter the password of the identity configured in `fxpkcs11.cfg`.

   If successful, the command output lists the keys that pkcs11-tool created on the KMES.

### Generate a CSR

Perform the following steps to generate a CSR by using the Nginx private key:

1. In a terminal, run the following command to generate a CSR from the private key that pkcs11-tool created on the {{k}} for Nginx in the preceding step. Ensure that the Common Name of the Nginx server certificate matches the domain name or IP address of the virtual host for which you are configuring it.

   ```
   sudo openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=nginx-rsa-privatekey" -out nginx-cert-req.pem
   ```

### Create a self-signed root CA

The following instructions show you how to create and use a self-signed root certificate authority (CA) as a demonstration. In a production environment, use a secure certificate authority (such as the {{k3}}) for all private key generation and certificate signing operations.

1. In a terminal, run the following commands to generate a root private key and self-signed certificate:

   ```
   sudo openssl genrsa -out ssl-ca-privatekey.pem 2048
   sudo openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
   ```

### Sign the CSR

Perform the following steps to sign the Nginx server CSR:

1. In a terminal, run the following command to issue a signed Nginx server certificate by using the self-signed root CA created in the preceding section:

   ```
   sudo openssl x509 -req -in nginx-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-nginx-cert.pem -extensions v3_leaf
   ```

### Create a client certificate

Perform the following steps to create a client certificate for the browser that connects to Nginx:

1. In a terminal, generate a client key pair by using the following command:

   ```
   sudo openssl genrsa -out ssl-client-privatekey.pem 2048
   ```

2. Run the following command to create a client certificate signing request:

   ```
   sudo openssl req -new -key ssl-client-privatekey.pem -out ssl-client-req.pem -days 365
   ```

3. Run the following command to sign the CSR with the CA certificate you created:

   ```
   sudo openssl x509 -req -in ssl-client-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out ssl-client-cert.pem -extensions v3_leaf
   ```

4. Run the following command to convert the signed client certificate to PKCS #12 format for insertion into the browser:

   ```
   sudo openssl pkcs12 -inkey ssl-client-privatekey.pem -in ssl-client-cert.pem -CAfile ssl-ca-cert.pem -export -out ssl-client-pkcs12.p12
   ```

If you encounter SSL errors when connecting to your Nginx server in the web browser after completing this guide, ensure that you added the `v3_leaf` extensions properly. Nginx requires the SANs (added as `IP.1` under the `v3_leaf` extension in your `openssl.cnf` file) in both the signed Nginx certificate and the browser client certificate.

## Configure Nginx

This section covers modifying the configuration file for an Nginx virtual host to use the signed certificate and private key stored on the {{k}}. Refer to the documentation specific to your operating system if you have not already configured a virtual host, because configuring a virtual host is outside the scope of this guide.

1. Before making any changes, stop your Nginx server with the following commands:

   ```
   sudo systemctl stop nginx
   sudo service nginx stop
   ```

2. In a text editor, open the configuration file in your `conf.d` folder in the Nginx directory for the virtual host you want to configure HTTPS for, and modify it as shown in the following example. Modify the location of the signed Nginx certificate specified in the `ssl_certificate` directive according to where it is stored on your system. The object name of the Nginx private key specified in the `ssl_certificate_key` directive must match the label you set in the pkcs11-tool command.

   ```
   server {
       listen 443 ssl;
       server_name www.example.com;
       ssl_certificate /usr/local/bin/fxpkcs11/signed-nginx-cert.pem;
       ssl_certificate_key "engine:pkcs11:pkcs11:token=futurex;object=nginx-rsa-privatekey";
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
       root /var/www/html;
       index index.html index.htm index.nginx-debian.html;
       access_log /var/log/nginx/access.log;
       error_log /var/log/nginx/error.log;
       #ssl_verify_client off;
       location / {
           # First attempt to serve the request as a file, then
           # as a directory, then fall back to displaying a 404.
           try_files $uri $uri/ =404;
       }
   }
   ```

3. Restart your Nginx server by using the following command:

   ```
   sudo nginx -g 'daemon off;'
   ```

   This integration needs the `daemon off` startup parameter. Do not close the window during operation. If you get an error message on startup, check to ensure a service is not already running on port 443.

## Confirm the Nginx configuration

This section uses a Firefox web browser. Using a different browser might require altered actions, but the fundamental steps are the same.

Perform the following steps to confirm that Nginx uses the new TLS certificate and private key stored on the {{k}} for HTTPS connections:

1. In Firefox, select Settings > Privacy & Security > Certificates > View Certificates.
2. Select Your Certificates > Import to import the PKCS #12 client certificate (`ssl-client-pkcs12.p12`).
3. Select Authorities > Import to import the CA certificate (`ssl-ca-cert.pem`).
4. Browse to the IP address of the Nginx website that runs over HTTPS. If you configured a client certificate in the browser for mutual authentication, you should see a lock icon next to the web address.
5. View the certificate that the website served to the browser and confirm that it is the certificate configured in Nginx.
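The certificate tasks in the "Configure Nginx certificates" section (demo root CA, CSR, signing with the `v3_leaf` extensions, and the `IP.1` SAN the troubleshooting note asks for) can be rehearsed and checked end to end with the following script. It is an added example, not Futurex's own code or configuration: a software key stands in for the PKCS #11 key on the {{k}} so that it runs offline, the `v3_leaf` section is passed explicitly with `-extfile` rather than read from `openssl.cnf`, and the contents of that section, the SAN address 192.0.2.10 and the working directory are assumptions. The `check_leaf_cert` function is the part to reuse against the real `signed-nginx-cert.pem` and `nginx-cert-req.pem`: it confirms the chain to the CA, the presence of the SAN, and that the certificate carries the public key from the CSR (that is, the key on the {{k}}).

```shell
#!/usr/bin/env bash
# Added example, not Futurex's own code. A software key stands in for the
# PKCS #11 key on the KMES so the script runs offline; the v3_leaf section,
# the SAN address and the file names are constructed assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SAN_IP="${SAN_IP:-192.0.2.10}"
CNF="$WORK/demo-openssl.cnf"

# Minimal OpenSSL config carrying a v3_ca section for the demo root and the
# v3_leaf section the guide refers to, with the server address as IP.1.
write_config() {
  cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = Demo Root CA

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
IP.1 = $SAN_IP
EOF
}

# Demo root CA, mirroring the guide's genrsa / req -x509 pair.
make_demo_ca() {
  openssl genrsa -out "$WORK/ssl-ca-privatekey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/ssl-ca-privatekey.pem" -out "$WORK/ssl-ca-cert.pem" \
    -days 365 -config "$CNF" -extensions v3_ca
}

# CSR and signed leaf, mirroring the guide's req -new and x509 -req commands.
make_leaf() {
  openssl genrsa -out "$WORK/leaf-privatekey.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/leaf-privatekey.pem" -out "$WORK/nginx-cert-req.pem" \
    -config "$CNF" -subj "/CN=$SAN_IP"
  openssl x509 -req -in "$WORK/nginx-cert-req.pem" \
    -CA "$WORK/ssl-ca-cert.pem" -CAkey "$WORK/ssl-ca-privatekey.pem" -CAcreateserial \
    -days 365 -out "$WORK/signed-nginx-cert.pem" \
    -extfile "$CNF" -extensions v3_leaf 2>/dev/null
}

# check_leaf_cert CERT CA CSR IP: returns 0 only if CERT chains to CA, lists IP
# in its subjectAltName and carries the public key from CSR.
check_leaf_cert() {
  cert=$1; ca=$2; csr=$3; ip=$4
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "chain: $cert does not verify against $ca"; return 1; }
  openssl x509 -in "$cert" -noout -text \
    | grep -qE "IP Address:${ip}([^0-9]|$)" \
    || { echo "SAN: IP.1=$ip missing from $cert (the browser will reject it)"; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  csr_pub=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
  [ "$cert_pub" = "$csr_pub" ] \
    || { echo "key: public key in $cert differs from $csr"; return 1; }
  echo "OK: $cert chains to $ca, SAN has $ip, public key matches $csr"
}
```

To rehearse the whole flow, call `write_config`, `make_demo_ca` and `make_leaf` in that order and then `check_leaf_cert "$WORK/signed-nginx-cert.pem" "$WORK/ssl-ca-cert.pem" "$WORK/nginx-cert-req.pem" "$SAN_IP"`. Against the real files, only the last call is needed, with the IP address of the virtual host; a failure on the SAN check is exactly the condition the troubleshooting note describes.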
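The "Confirm the Nginx configuration" steps check by eye, in Firefox, that the served certificate is the one configured in Nginx. The following added example (not part of this guide) performs the same confirmation from a shell with `openssl s_client`: it fetches the certificate the server presents and compares its SHA-256 fingerprint with that of the local `signed-nginx-cert.pem`, and also reports the negotiated TLS version. Host name, port and file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the Futurex guide. Compares the certificate a
# running Nginx serves with the configured signed-nginx-cert.pem; host, port
# and file names are placeholders.
set -eu

# SHA-256 fingerprint of a PEM certificate file, lower-case hex without colons.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Fingerprint of the leaf certificate a TLS server presents. -CAfile lets
# s_client also report whether the chain validates against the demo root CA.
served_cert_fingerprint() {
  host=$1; port=$2; cafile=$3
  openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$cafile" \
      </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 \
    | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Negotiated protocol version as printed by s_client, e.g. TLSv1.3.
served_protocol() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | sed -n 's/^ *Protocol *: *//p' | head -n1
}

# fingerprints_match FP1 FP2: 0 when both are non-empty and equal, 1 otherwise.
fingerprints_match() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# confirm_served_cert HOST PORT LOCAL_CERT CA_CERT: 0 if the served leaf
# certificate is LOCAL_CERT, 1 otherwise (including an unreachable server).
confirm_served_cert() {
  expected=$(cert_fingerprint "$3")
  actual=$(served_cert_fingerprint "$1" "$2" "$4")
  if fingerprints_match "$expected" "$actual"; then
    echo "OK: $1:$2 serves $3 over $(served_protocol "$1" "$2")"
  else
    echo "MISMATCH: expected $expected, server presented '${actual:-nothing}'"
    return 1
  fi
}
```

Run `confirm_served_cert www.example.com 443 signed-nginx-cert.pem ssl-ca-cert.pem` from a machine that can reach the server; if `ssl_verify_client` is enabled, add `-cert ssl-client-cert.pem -key ssl-client-privatekey.pem` to the two `s_client` calls. The reported protocol should be TLSv1.2 or TLSv1.3: TLS 1.0 and 1.1, which the example `ssl_protocols` line still permits, are deprecated by RFC 8996, so removing them from `ssl_protocols` once client compatibility is confirmed is worthwhile.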