Nginx Inline SSL

Is it possible to install the certificate directly into the config file, as opposed to pointing to the file?

For example, at the moment I have:-
ssl    on;
ssl_certificate    /etc/ssl/your_domain_name.pem;
ssl_certificate_key    /etc/ssl/your_domain_name.key;



What I want to be able to do is something like:-
ssl    on;
ssl_certificate   
-----BEGIN CERTIFICATE-----
MIIDuDCCAqACCQD/WFGz4SyoeTANBgkqhkiG9w0BAQsFADCBnTELMAkGA1UEBhMC
..........
bVMxlnHqjVHfk3yNmPRRermP6CwYhz6UCJ8RUfVm6FWbpLFX0DtjHABz9B0=
-----END CERTIFICATE----- 


ssl_certificate_key 
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAomLnC/tPIAWrRYe55OktDXL2+pllxZc1oeiKwJS7ZTvbMPda
..........................................
c4IMC+GWovka0zV5BCYBdnB1MVFGIi2tOAPLo58cxrBj7/hWjPDd
-----END RSA PRIVATE KEY----- 



I'm currently looking at using NGINX, but have been using Apache. Is it even possible in either?
Asked by tonelm54

btan (Exec Consultant) commented:
Not inline for nginx, as "file" is the only available parameter:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key

I understand that Nginx also provides the option to pass in the entire client certificate via $ssl_client_cert or $ssl_client_cert_raw, e.g.
$ssl_client_cert returns the client certificate in the PEM format for an established SSL connection, with each line except the first prepended with the tab character; this is intended for the use in the proxy_set_header directive;
$ssl_client_fingerprint returns the SHA1 fingerprint of the client certificate for an established SSL connection (1.7.1);
$ssl_client_raw_cert returns the client certificate in the PEM format for an established SSL connection;
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables

I am not totally savvy on its code, but likely it can be some "if" and "else" of the variable, whether it is of that inline string, or may even override by equating .... Need further exploration for those embedded variables and override codes per se, if of interest.

noci (Software Engineer) commented:
tonelm54 & btan,

A client certificate is something completely different. It is the certificate supplied by the browser to gain access.
The subject of such a certificate is mostly a username in the form of "username@domain.toplevel", signed by some Client-CA.
To accept such a certificate, the Client-CA CA certificate should be known to the server. The SSL stack only allows a connection when the CA certificate is known (it can be a certificate that you created yourself with, e.g., tinyCA).
(I.e., a client certificate identifies a browser user.)

The question is about the server certificate, which identifies the server. And that can only be referred to by the file.
This does make sense, as this certificate might be used by several services (webserver, imapserver, ...); it makes sense to store it in a file because all services need to replace it when the server certificate is expired.
Only one file needs to be modified.
btan (Exec Consultant) commented:
Indeed, it makes sense as a file for the server SSL certificate, hence the file path is alright and acceptable. I believe we understand the aspect of client and server SSL and its requirements. Since the query is on specific verification, the variable can be a means to verify if there is one static "string" to check for the SSL keys. Of course, it may not be advisable for the private key to be in that plain text form in the config (especially if it is going to be open to multiple admin access... the exposure is there).

I am also thinking it is sort of cert pinning, but it does not change whether it is file pointing or a check against a static string. I do advocate the pointer to a file, which is much more segregated from the config, as the latter can be massive with other configuration... and hopefully upgrades and patches do not override the config, negating the checks added.
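
A check for the exposure raised in the comment above, as an added example that is not part of the original thread: it flags private key material pasted into an nginx config and key files that are accessible beyond their owner. The function names, paths and sample configs are constructed for illustration.

```python
import os
import re
import stat
import tempfile

PEM_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
KEY_DIRECTIVE = re.compile(r"^\s*ssl_certificate_key\s+([^;\s]+)\s*;", re.MULTILINE)


def audit_nginx_tls(conf_text):
    """Return a list of findings for one nginx configuration text."""
    findings = []
    # Key material pasted into the config is readable by anyone who can read the config.
    if PEM_KEY.search(conf_text):
        findings.append("private key material embedded in config")
    paths = KEY_DIRECTIVE.findall(conf_text)
    if not paths:
        findings.append("no ssl_certificate_key directive with a file argument")
    for path in paths:
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except OSError:
            findings.append(f"{path}: key file missing or unreadable")
            continue
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: mode {mode:o} grants group/other access")
    return findings


def demo():
    """Audit three constructed configs (placeholder key file, not a real key)."""
    tmp = tempfile.mkdtemp()
    key = os.path.join(tmp, "example.key")
    with open(key, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(key, 0o600)
    good = f"ssl_certificate {tmp}/example.pem;\nssl_certificate_key {key};\n"
    strict = audit_nginx_tls(good)   # owner-only key file
    os.chmod(key, 0o644)
    loose = audit_nginx_tls(good)    # same config, world-readable key file
    inline = audit_nginx_tls(
        "ssl_certificate_key\n-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n"
        "-----END RSA PRIVATE KEY-----\n")
    return strict, loose, inline


if __name__ == "__main__":
    for result in demo():
        print(result)
```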