With the Fortanix Self-Defending Key Management Service, you can offload TLS crytographic processing from your NGINX and NGINX Plus servers, and safely store your TLS keys for on-demand uploading into the NGINX Plus key-value store. We provide complete instructions for both use cases.
In high-security environments, it's important to store sensitive data like SSL certificate-key pairs in memory only, not on disk. Here we show how to generate ephemeral SSL key pairs using HashiCorp Vault and store them in the in-memory NGINX Plus key-value store.
In this installment of our "Ask NGINX" series, we discuss how NGINX and NGINX Plus work with Diffie-Hellman, support for Datagram Transport Layer Security, how to control the lifetime of content in the cache, and how to add the NGINX WAF to an NGINX Plus subscription.
With NGINX conditional logging, you can log a subset of requests which have defined characteristics. This blog uses it to solve a real-world customer use case: the need to reject obsolete and insecure SSL/TLS ciphers without excluding legitimate users of legacy devices.
The second post of our series about protecting SSL private keys shows how to set up HashiCorp Vault to store the passwords that protect private keys, and to configure NGINX to retrieve the passwords. We also discuss using a hardware security module for even greater security.
We describe three progressively more secure ways to protect SSL private keys when configuring NGINX to handle HTTPS traffic: allowing read access only to the root user, encrypting keys with separately stored passwords, and distributing passwords from a central repository.