NGINX is a popular open-source HTTP server and reverse proxy. Fortanix Self-Defending KMS can hold the TLS private key for your NGINX server: NGINX uses the key through the Fortanix PKCS#11 library, so the key material never leaves the KMS and remains protected even if the host running NGINX is compromised.
This page describes how to set up your NGINX server to use a TLS private key stored in Fortanix Self-Defending KMS. To get started quickly, you can use a Fortanix-provided Docker image. Retrieve it by running:
docker pull fortanix/sdkms-nginx
Obtaining a TLS key and certificate
The Managing Self-Defending KMS Keys With OpenSSL article describes several ways of generating or importing a TLS key and certificate. If you aren’t sure which flow to use and just want to test things out, follow the section titled “Generating a TLS key and self-signed certificate”. Keep a copy of the certificate file; it lets you confirm later that the running server is presenting the certificate you expect.
Installing the TLS key and certificate
Create a file named docker.env to configure the container. In the template below, change the API key and the key and certificate labels. The PKCS#11 label is the same as the security object’s description in Self-Defending KMS; you can obtain it either from the commands you used to import the key or from the security object detail view in the web interface.
The API key is sensitive: anyone who obtains it can use the private key through Self-Defending KMS until the API key is rotated or revoked. For production deployments, restrict the file to the user that runs Docker (for example, mode 0600), keep it out of version control and images, and rotate the API key if the host is suspected of compromise.
FORTANIX_API_ENDPOINT=https://sdkms.fortanix.com
FORTANIX_API_KEY=<API key from web UI>
FORTANIX_PKCS11_LIBRARY=/usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so
FORTANIX_PRIVATE_KEY_LABEL=<label of private key>
FORTANIX_CERTIFICATE_LABEL=<label of certificate>
Running the container
Run the container, mapping the container’s port 443 to port 8443 on the host:
docker run -p 8443:443 --env-file docker.env fortanix/sdkms-nginx
Then open https://localhost:8443 in your browser. If you used a self-signed certificate, your browser will display a certificate warning; either way, the TLS handshake is now completed with a private key that lives in Fortanix Self-Defending KMS and is never present on the NGINX host.
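The steps above can be scripted so that the env file is never left world-readable and the deployment is checked before and after the container starts. The following POSIX sh helper is an added example written for this page; it is not part of the fortanix/sdkms-nginx image or the Fortanix documentation. The function names, the default endpoint and port, and the sample values passed in are placeholders chosen for illustration; the certificate file given to verify_served_cert is assumed to be the one you generated or imported in the previous section.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Fortanix code): build and sanity-check
# docker.env for the fortanix/sdkms-nginx container, then confirm that the
# certificate NGINX serves is the one stored in Self-Defending KMS.

# The five variables the container expects (taken from the template above).
REQUIRED_VARS='FORTANIX_API_ENDPOINT FORTANIX_API_KEY FORTANIX_PKCS11_LIBRARY FORTANIX_PRIVATE_KEY_LABEL FORTANIX_CERTIFICATE_LABEL'

# write_env_file FILE API_KEY PRIVATE_KEY_LABEL CERTIFICATE_LABEL [ENDPOINT]
# Writes the env file with mode 0600 so the API key (a bearer credential for
# the private key) is not readable by other users on the host.
write_env_file() {
  file=$1 api_key=$2 key_label=$3 cert_label=$4
  endpoint=${5:-https://sdkms.fortanix.com}
  (
    umask 077   # any file created inside this subshell gets mode 0600
    {
      printf 'FORTANIX_API_ENDPOINT=%s\n' "$endpoint"
      printf 'FORTANIX_API_KEY=%s\n' "$api_key"
      printf 'FORTANIX_PKCS11_LIBRARY=%s\n' /usr/lib/x86_64-linux-gnu/pkcs11/fortanix-sdkms-pkcs11.so
      printf 'FORTANIX_PRIVATE_KEY_LABEL=%s\n' "$key_label"
      printf 'FORTANIX_CERTIFICATE_LABEL=%s\n' "$cert_label"
    } > "$file"
  )
  chmod 600 "$file"   # also tighten a pre-existing file that ">" only truncated
}

# check_env_file FILE
# Returns non-zero if a required variable is missing or empty, if a template
# placeholder such as "<API key from web UI>" was left in place, or if the
# file is readable by group or others.
check_env_file() {
  file=$1
  [ -f "$file" ] || { echo "check_env_file: $file not found" >&2; return 1; }
  for var in $REQUIRED_VARS; do
    grep -q "^${var}=." "$file" \
      || { echo "check_env_file: $var missing or empty" >&2; return 1; }
  done
  if grep -q '=<' "$file"; then
    echo "check_env_file: template placeholder still present" >&2
    return 1
  fi
  # Columns 5-10 of "ls -l" output are the group and other permission bits.
  if [ "$(ls -l "$file" | cut -c5-10)" != "------" ]; then
    echo "check_env_file: $file is readable by other users" >&2
    return 1
  fi
}

# run_container FILE [HOST_PORT]
# Same docker invocation as on this page; HOST_PORT defaults to 8443.
run_container() {
  docker run -p "${2:-8443}:443" --env-file "$1" fortanix/sdkms-nginx
}

# verify_served_cert EXPECTED_CERT_PEM [HOST] [PORT]
# Compares the SHA-256 fingerprint of the certificate NGINX presents with the
# fingerprint of the certificate file you imported into Self-Defending KMS.
# A self-signed certificate still passes: the check is for identity, not trust.
verify_served_cert() {
  host=${2:-localhost} port=${3:-8443}
  expected=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  served=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256)
  [ -n "$served" ] && [ "$served" = "$expected" ]
}
```

Typical use is write_env_file docker.env "$API_KEY" nginx-key nginx-cert, then check_env_file docker.env before run_container docker.env, and verify_served_cert server.crt once the container is up. The fingerprint comparison is what a practitioner actually wants after the browser test: it proves the TLS listener is using the certificate that pairs with the KMS-held key, not some leftover key baked into a local config.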