Nginx – Securing SSL certificate private key with nginx

Tags: nginx, private-key, ssl, vault

I've been researching how to secure private keys for SSL certificates using nginx as a webserver, but have not been able to find many satisfactory answers.

Specifically, for a client who wants me to deploy a website under their own sub-domain, they are afraid that someone could access their sub-domain's certificate private key, and hence set up a legitimate-looking unsafe website. They have asked me to use some kind of software vault solution to secure their private key.

This article from nginx's blog as well as this one describe some solutions, but in the end they both rely on the same principle: the private key is protected by a passphrase, which we will retrieve from either a local or remote location, and this "retrieval" procedure requires a password/token... that is stored locally.

Hence I fail to understand how the private key really gets more secure – it looks a bit like locking your front door key in a keybox instead of leaving it under the mat… and then leaving the keybox key under the mat.

Am I missing something? Is there a better way to secure a private key with nginx?

Best Answer

Based on your last comment, I see several options:

  • You show you have good SSH security, which can be IP whitelisted access, no password logins, etc.
  • You show the private key file is readable only to the root user and stored outside of the document root, for example, as is common, somewhere in /etc/ssl. Hacking a hosted website is much more common than the entire server, and that way, there is protection against it being read that way.
  • About the above point: careful of running docker containers; they typically run as root, and are, in my opinion, a security issue. Docker containers can run rootless (experimental), but images have to be designed specifically to do so. Most images you get elsewhere depend on being root. Anything in it running as root can break the jail. (Edit: it indeed requires some nuance after re-evaluation. I should say, could break the jail. It does depend on some extra mechanisms being secure, that you otherwise wouldn't need to worry about.)
  • If they are really concerned, they should set up a reverse proxy to your server, and they can do the SSL termination on their end.

And about giving you an SSL certificate: they don't have to. You can just set up Letsencrypt. Added bonus is that those certificates are short lived.
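The file-ownership, permission and location checks the answer recommends, as an added shell example that is not part of the original post. It assumes GNU coreutils `stat` (Linux), takes the key path and the document root as arguments, and accepts an optional third argument for the expected owner (default `root`) so it can be tried on a non-root account; the paths in the usage line are illustrative.

```shell
#!/bin/sh
# Added example (not from the original answer): audit an nginx TLS private key
# file against three rules from the answer:
#   1. owned by root (or the owner you pass as the third argument),
#   2. mode 0600 or 0400, i.e. no group/other read bits,
#   3. stored outside the served document root.
# Requires GNU stat (-c). Prints one line per finding; returns 0 only when
# every check passes, so it can be used from a cron job or a CI step.
#
# Usage: check_key_perms KEYFILE DOCROOT [EXPECTED_OWNER]

check_key_perms() {
    key="$1"
    docroot="$2"
    expected_owner="${3:-root}"
    rc=0

    if [ ! -f "$key" ]; then
        echo "FAIL: $key does not exist or is not a regular file"
        return 1
    fi

    # %U = owner name, %a = octal permission bits (GNU stat)
    owner=$(stat -c '%U' "$key")
    mode=$(stat -c '%a' "$key")

    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $key is owned by $owner, expected $expected_owner"
        rc=1
    fi

    # Only 600 or 400 are acceptable: any group/other bit means another
    # local account (e.g. a compromised web application user) can read it.
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $key has mode $mode, expected 600 or 400"; rc=1 ;;
    esac

    # A key under the document root could be served straight to a client.
    case "$key" in
        "$docroot"/*) echo "FAIL: $key is inside document root $docroot"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $key"
    return "$rc"
}

# Run directly, e.g.: sh check_key.sh /etc/ssl/private/example.key /var/www/html
if [ "$#" -ge 2 ]; then
    check_key_perms "$@"
fi
```

The owner and mode checks cover the "hosted website compromised, not the whole server" case the answer describes: a web application running as the nginx worker user cannot read a root-owned 0600 file, while the nginx master process, which starts as root, still can.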