---
title: "Fortanix DSM for NGINX TLS Keys"
slug: "using-fortanix-data-security-manager-for-nginx-tls-keys"
updated: 2026-04-01T08:39:27Z
published: 2026-03-20T07:39:40Z
---


# Fortanix DSM for NGINX TLS Keys

## 1.0 Introduction

NGINX is a popular open-source HTTP server and reverse proxy. **Fortanix Data Security Manager (DSM)** can be used to protect the TLS private key for your NGINX server, keeping the private key secure even if the host running NGINX is compromised.

This article describes how to set up your NGINX server to use a TLS private key stored in Fortanix DSM. To get started quickly, you can use a [Fortanix-provided docker image](https://hub.docker.com/r/fortanix/sdkms-nginx/). Retrieve the image by running `docker pull fortanix/sdkms-nginx`.

## 2.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

### 2.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, [https://amer.smartkey.io](https://amer.smartkey.io). On-premises customers use the KMS URL, and SaaS customers can use the URLs listed [*here*](https://support.fortanix.com/hc/en-us/articles/4406135346068-Fortanix-DSM-SaaS-Global-Availability-Map) based on the application region.

*For more information on how to set up the Fortanix DSM, refer to the* [*User's Guide: Sign Up for Fortanix Data Security Manager SaaS*](https://support.fortanix.com/docs/users-guide-sign-up-for-fortanix-data-security-manager-saas)*.*

### 2.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/DSM_SaaS_Login_page(15).png)

**Figure 1: Logging in**

*For more information on how to set up an account in Fortanix DSM, refer to the* [*User's Guide: Getting Started with Fortanix Data Security Manager - UI*](https://support.fortanix.com/docs/users-guide-getting-started-with-fortanix-data-security-manager-ui)*.*

### 2.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Groups** menu item, and then click **ADD GROUP** to create a new group.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-Group(28).png)

**Figure 2: Add groups**

2. On the **Adding new group** page:
  1. **Title**: Enter a name for your group.
  2. **Description** (optional): Enter a short description of the group.
3. Click **SAVE** to create the new group.

The new group is added to the Fortanix DSM successfully.

### 2.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click **ADD APP** to create a new app.

![](https://cdn.us.document360.io/c3bd85d2-4ad8-4d85-9f60-f1c168a3aad9/Images/Documentation/Add-App(26).png)

**Figure 3: Add application**

2. On the **Adding new app** page:
  1. **App name**: Enter the name for your application.
  2. **ADD DESCRIPTION** (optional): Enter a short description of the application.
  3. **Authentication method**: Select the default **API Key** as the authentication method from the drop-down menu. *For more information on these authentication methods, refer to the* [*User's Guide: Authentication*](https://support.fortanix.com/docs/users-guide-authentication)*.*
  4. **Assigning the new app to groups**: Select the group created in [*Section 2.3: Creating a Group*](/v1/docs/using-fortanix-data-security-manager-for-nginx-tls-keys#23-creating-a-group) from the list.
3. Click **SAVE** to add the new application.

The new application is added to the Fortanix DSM successfully.

### 2.5 Copying the API Key

Perform the following steps to copy the API key from the Fortanix DSM:

1. In the DSM left navigation panel, click the **Apps** menu item, and then click the app created in [*Section 2.4: Creating an Application*](/v1/docs/using-fortanix-data-security-manager-for-nginx-tls-keys#24-creating-an-application) to go to the detailed view of the app.
2. On the **INFO** tab, click **VIEW API KEY DETAILS**.
3. From the **API Key Details** dialog box, copy the **API Key** of the app to be used in [*Section 4.0: Installing the TLS Key and Certificate*](/v1/docs/using-fortanix-data-security-manager-for-nginx-tls-keys#40-installing-the-tls-key-and-certificate).

## 3.0 Obtaining a TLS Key and Certificate

The [*Managing Fortanix Data Security Manager Keys With OpenSSL and PKCS#11 Tool*](/v1/docs/managing-fortanix-data-security-manager-keys-with-openssl-and-pkcs11-tool) article outlines multiple methods for generating or importing a TLS key and certificate. If you’re unsure which method to choose and just want a quick way to test, refer to [*Section 3.0 Generating a TLS Key and Importing a CA Issued Certificate*](https://support.fortanix.com/v1/docs/managing-fortanix-data-security-manager-keys-with-openssl-and-pkcs11-tool#30-generating-a-tls-key-and-importing-a-ca-issued-certificate).

## 4.0 Installing the TLS Key and Certificate

Create a file named `docker.env` to configure the container. In the template below, replace the API key and the key and certificate labels with your own values. The PKCS#11 label is the same as the description of the security object in Fortanix DSM. You can obtain it either from the commands you used to import the key or from the security object detail view in the web interface.

The API key is sensitive, so for production deployments, this file should be protected appropriately.

```bash
FORTANIX_API_ENDPOINT=https://<FORTANIX_DSM_URL>
FORTANIX_API_KEY=<API key from web UI>
FORTANIX_PKCS11_LIBRARY=/usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so
FORTANIX_PRIVATE_KEY_LABEL=<label of private key>
FORTANIX_CERTIFICATE_LABEL=<label of certificate>
```
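A pre-flight check for this file, as an added example that is not part of the Fortanix image or documentation: it confirms that `docker.env` is readable only by its owner, that none of the five variables is empty or still holds a template placeholder, and that the endpoint uses `https://`. The function name `check_docker_env` and the script name `check_env.sh` are hypothetical.

```bash
# Added example (not Fortanix code): pre-flight check for the docker.env file.
# Usage: . ./check_env.sh && check_docker_env docker.env && docker run ...
REQUIRED_VARS="FORTANIX_API_ENDPOINT FORTANIX_API_KEY FORTANIX_PKCS11_LIBRARY
FORTANIX_PRIVATE_KEY_LABEL FORTANIX_CERTIFICATE_LABEL"

# Prints one line per problem (never the values) and returns the problem count.
check_docker_env() {
    file=$1
    problems=0
    if [ ! -f "$file" ]; then
        echo "missing file: $file"
        return 1
    fi

    # The file holds the API key: group and others must have no access.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        *00) ;;
        *) echo "mode $mode is too open, run: chmod 600 $file"
           problems=$((problems + 1)) ;;
    esac

    for var in $REQUIRED_VARS; do
        # The file is plain VAR=value lines: parse it as text, never source it.
        value=$(sed -n "s/^${var}=//p" "$file" | tail -n 1)
        case "$value" in
            "") echo "$var is not set"
                problems=$((problems + 1)) ;;
            *"<"*">"*) echo "$var still holds a template placeholder"
                problems=$((problems + 1)) ;;
        esac
        # The API key is sent to this endpoint, so require TLS.
        if [ "$var" = FORTANIX_API_ENDPOINT ] && [ -n "$value" ]; then
            case "$value" in
                https://*) ;;
                *) echo "FORTANIX_API_ENDPOINT must start with https://"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done
    return "$problems"
}
```

Values passed with `--env-file` are also visible through `docker inspect` on the host, so access to the Docker daemon needs the same protection as the file itself.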

## 5.0 Running the Container

1. Run the container:

```bash
docker run -p 8443:443 --env-file docker.env fortanix/sdkms-nginx
```
2. Open the URL `https://localhost:8443` in your browser. If you used a self-signed certificate, your browser will display a certificate warning, but regardless, the server’s private key is now protected by Fortanix DSM.

Fortanix Data Security Manager (DSM) is the world’s first cloud service secured with Intel® SGX. With Fortanix DSM, you can securely generate, store, and use cryptographic keys and certificates, as well as other secrets such as passwords, API keys, tokens, or any blob of data. Your business-critical applications and containers can integrate with Fortanix DSM using legacy cryptographic interfaces (PKCS#11, CNG, and JCE) or using the native Fortanix DSM RESTful interface.

A security object is any datum stored in DSM (for example a key, a certificate, a password, or other security objects). Each security object is assigned to exactly one group. Users and applications assigned to the group have permission to see the security object and to perform operations on it.

