Configuring Key and Certificate Settings
To authenticate NGINX in CipherTrust Manager, you need to create a user in the CipherTrust Manager. For more details, refer to the CipherTrust Manager Documentation.
To configure the keys and certificate:

1. Create a file named passfile and put the CipherTrust Manager credentials in it, on a single line, in the form:

   <username>:<password>

   The file holds the password in clear text, so make it readable only by the account that runs OpenSSL and NGINX (for example, chmod 600 passfile).

2. Create or update the /etc/Chrystoki.conf file with the following variables:

   LibPath64 = <PKCS11 library file path used by 64-bit arch>;
   LibPath = <PKCS11 library file path used by 32-bit arch>;
   EngineInit = 1:0:0:passfile=<path to passfile>;

   For example:

   LibPath64 = /opt/libIngPKCS11.so;
   LibPath = /opt/libIngPKCS11.so;
   EngineInit = 1:0:0:passfile=/opt/passfile;

3. Add the openssl and nginx binaries to the default PATH so that the kengine-enabled OpenSSL build is the one invoked. It is recommended to add the following export entry to the shell profile:

   export PATH=<OPENSSL INSTALLATION DIRECTORY>/bin:<NGINX INSTALLATION DIRECTORY>/sbin:$PATH

   Example:

   export PATH=/opt/openssl/ssl/bin:/opt/nginx/sbin:$PATH

4. Create the server.key file with the OpenSSL kengine to implement SSL for NGINX. While creating server.key, specify the key file location in the NGINX configuration file (<NGINX INSTALLATION DIRECTORY>/conf/nginx.conf).

   openssl genrsa -engine kengine -out <SERVER KEY FILE PATH> 2048

   Example:

   openssl genrsa -engine kengine -out /opt/nginx/conf/server.key 2048

5. Create the server.crt file. The following command creates a self-signed certificate (the -x509 option), which is suitable for testing:

   openssl req -engine kengine -new -x509 -days 365 -key <SERVER KEY FILE PATH> -keyform engine -out <SERVER CERTIFICATE FILE PATH>

   Example:

   openssl req -engine kengine -new -x509 -days 365 -key /opt/nginx/conf/server.key -keyform engine -out /opt/nginx/conf/server.crt

   For a production deployment, raise a certificate signing request instead (the same command without -x509 and -days, writing the output to a .csr file), get it signed by a trusted CA, and use the certificate the CA returns as server.crt.

6. After the key has been generated, set the following in the /etc/Chrystoki.conf file:

   EnableRsaGenKeyPair = 0;
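The whole procedure above, scripted as an added example that is not part of the CipherTrust Manager or kengine documentation: it validates and writes the passfile with owner-only permissions, renders the Chrystoki.conf entries, and, only where openssl can actually load kengine, generates the key through the engine, writes a CSR (or the page's self-signed certificate) and then sets EnableRsaGenKeyPair = 0. The file locations under /tmp are assumptions so that the script runs unprivileged (the page uses /opt/passfile and /etc/Chrystoki.conf), the credential nginx_user:changeme is a constructed placeholder, and the no-trailing-newline passfile layout is an assumption about how kengine reads the file.

```shell
#!/bin/sh
# Added example, not part of the CipherTrust Manager or kengine documentation.
# Scripts the passfile / Chrystoki.conf / key / certificate steps above and
# checks what can be checked without a reachable CipherTrust Manager.
# Assumed defaults: files under /tmp (the page uses /opt/passfile and
# /etc/Chrystoki.conf); override them with environment variables.
set -u

PKCS11_LIB="${PKCS11_LIB:-/opt/libIngPKCS11.so}"   # path from the page's example
PASSFILE="${PASSFILE:-/tmp/passfile}"             # assumed; page uses /opt/passfile
CONF="${CONF:-/tmp/Chrystoki.conf}"               # assumed; page uses /etc/Chrystoki.conf
nl='
'

# Check a "<username>:<password>" credential: the passfile format, both parts
# non-empty, no embedded newline. Returns 0 when valid.
valid_credential() {
    case "$1" in
        *"$nl"*) return 1 ;;   # a newline would cut the password short
        *:*) ;;
        *) return 1 ;;
    esac
    user="${1%%:*}"
    pass="${1#*:}"
    [ -n "$user" ] && [ -n "$pass" ]
}

# Write the passfile readable only by its owner: it holds the CipherTrust
# Manager password in clear text. Written without a trailing newline so that
# nothing but the password follows the colon (assumption about kengine).
write_passfile() {
    cred="$1"; path="$2"
    valid_credential "$cred" || { echo "passfile: expected <username>:<password>" >&2; return 1; }
    old_umask=$(umask)
    umask 077
    printf '%s' "$cred" > "$path"
    umask "$old_umask"
    chmod 600 "$path"
}

# Render the Chrystoki.conf entries from the page: 64- and 32-bit PKCS#11
# library paths, EngineInit pointing at the passfile, EnableRsaGenKeyPair.
render_chrystoki_conf() {
    printf 'LibPath64 = %s;\nLibPath = %s;\nEngineInit = 1:0:0:passfile=%s;\nEnableRsaGenKeyPair = %s;\n' \
        "$1" "$2" "$3" "$4"
}

# Read one "Key = value;" entry back from a rendered config file.
conf_value() {
    sed -n "s/^$1 = \(.*\);\$/\1/p" "$2"
}

# Engine-dependent steps: only run where openssl can load kengine, i.e. the
# PKCS#11 library and the credentials are really in place. Mode "csr" writes
# a signing request for a CA (no -x509); "selfsigned" reproduces the page's
# self-signed test certificate.
generate_key_and_cert() {
    key="$1"; out="$2"; subj="$3"; mode="$4"
    openssl engine -t kengine >/dev/null 2>&1 || { echo "kengine not loadable; skipping" >&2; return 2; }
    openssl genrsa -engine kengine -out "$key" 2048 || return 1
    case "$mode" in
        selfsigned) openssl req -engine kengine -new -x509 -days 365 -key "$key" -keyform engine -subj "$subj" -out "$out" ;;
        *)          openssl req -engine kengine -new -key "$key" -keyform engine -subj "$subj" -out "$out" ;;
    esac
}

main() {
    # nginx_user:changeme is a constructed placeholder, not a real account.
    write_passfile "${CM_CREDENTIAL:-nginx_user:changeme}" "$PASSFILE" || exit 1
    render_chrystoki_conf "$PKCS11_LIB" "$PKCS11_LIB" "$PASSFILE" 1 > "$CONF"
    echo "wrote $CONF:"; cat "$CONF"
    if generate_key_and_cert /tmp/server.key /tmp/server.csr "/CN=www.example.com" csr; then
        # The key now exists: last step on the page, EnableRsaGenKeyPair = 0.
        render_chrystoki_conf "$PKCS11_LIB" "$PKCS11_LIB" "$PASSFILE" 0 > "$CONF"
        echo "key and CSR written; EnableRsaGenKeyPair set to 0 in $CONF"
    fi
}

if [ "${1:-}" = "run" ]; then main; fi
```

Invoked as `sh cm-nginx-setup.sh run` it applies the steps; without the argument it only defines the functions, so the validation and rendering helpers can be sourced and checked on a workstation that has no PKCS#11 library. The CSR path is the default because the page's -x509 command yields a self-signed certificate, which browsers and clients will not trust without an explicit exception.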