
Add Support for OpenSSL 3.0 Provider API in ssl_certificate_key : provider:name:id #453

@gnsaddy

Description

Summary

I would like to request the addition of support for OpenSSL 3.0's Provider API in nginx, particularly in the ssl_certificate_key directive. This would enable the directive to accept a provider-based key reference in the format provider:name:id, allowing seamless integration with hardware-backed key management systems like TPM 2.0 via the tpm2-openssl provider.

Background

I am using a TPM 2.0 chip to secure my webserver's TLS private key from theft by leveraging the tpm2-openssl provider. Previously, with OpenSSL 1.1.1x, I used the engine:tpm2tss:handler (https://github.com/tpm2-software/tpm2-tss-engine) mechanism to access the TPM-stored key. However, OpenSSL 3.0 has deprecated the "ENGINE API" in favor of the "Provider API."

nginx currently does not support specifying a provider in the ssl_certificate_key directive, which prevents it from leveraging OpenSSL 3.0’s modern Provider API. Without this support, users are unable to configure nginx to interact with hardware-backed cryptographic solutions like TPM 2.0 for enhanced key protection.

Expected Functionality

The ssl_certificate_key directive should allow specifying keys using the provider:name:id format. For example:

ssl_certificate_key provider:tpm2:0810009;  

This configuration would enable nginx to interact with the tpm2-openssl provider to securely use a private key stored in a TPM 2.0 chip.

Use Case

This feature would enable users to:

  • Leverage hardware encryption with TPM 2.0 for securing TLS private keys.
  • Transition from OpenSSL 1.1.1x to OpenSSL 3.0 without losing the ability to use hardware-backed keys.
  • Enhance key security by removing plaintext private keys from disk.

Stack and Environment
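Added example (not part of the original issue, and not nginx or tpm2-openssl code): a parser for the proposed provider:name:id key reference, modelled on the existing engine:name:id form. The validation rules are assumptions about how nginx could sanity-check such a reference before handing it to OpenSSL 3's provider loading. The handle range check uses the TCG-defined persistent-handle range (0x81000000 to 0x81FFFFFF); the handle:0x... spelling of key ids and the -provider tpm2 -provider default command-line form follow the tpm2-openssl documentation. The key id 0810009 from the issue text is left opaque by this parser because it carries no 0x prefix.

```python
"""Parse and validate a proposed nginx `provider:<name>:<id>` key reference.

Added example, not nginx or tpm2-openssl code. The rules here are an
assumption about how such a directive could be validated before the
reference is handed to OpenSSL 3's provider machinery.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# TCG TPM 2.0 persistent object handles are 0x81000000..0x81FFFFFF
# (handle type TPM_HT_PERSISTENT = 0x81).
PERSISTENT_HANDLE_MIN = 0x81000000
PERSISTENT_HANDLE_MAX = 0x81FFFFFF


class KeyRefError(ValueError):
    """Raised for a malformed or out-of-range key reference."""


@dataclass(frozen=True)
class ProviderKeyRef:
    provider: str            # OpenSSL 3 provider name, e.g. "tpm2"
    key_id: str              # provider-specific id, passed through verbatim
    handle: Optional[int]    # parsed TPM persistent handle, if key_id names one


def parse_key_ref(spec: str) -> ProviderKeyRef:
    """Split "provider:<name>:<id>" into its parts and validate them.

    Only the first two ':' are split, so a provider key id may itself
    contain ':' (for example "handle:0x81000009" or a PKCS#11 URI).
    """
    if not spec.startswith("provider:"):
        raise KeyRefError("not a provider: key reference")
    parts = spec.split(":", 2)
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise KeyRefError("expected provider:<name>:<id>")
    _, name, key_id = parts
    # Provider names are looked up by OpenSSL as plain identifiers.
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        raise KeyRefError(f"bad provider name {name!r}")
    handle = _tpm2_handle(key_id) if name == "tpm2" else None
    return ProviderKeyRef(name, key_id, handle)


def _tpm2_handle(key_id: str) -> Optional[int]:
    """Extract a persistent handle from a tpm2-openssl style key id.

    tpm2-openssl addresses persistent keys as "handle:0x8100xxxx"; a bare
    "0x..." value is also accepted here (assumption). Anything else, such
    as a path to a TSS2 PEM key file, is left opaque and returns None.
    """
    m = re.fullmatch(r"(?:handle:)?0x([0-9A-Fa-f]{1,8})", key_id)
    if not m:
        return None
    handle = int(m.group(1), 16)
    if not PERSISTENT_HANDLE_MIN <= handle <= PERSISTENT_HANDLE_MAX:
        raise KeyRefError(f"0x{handle:08x} is not a TPM 2.0 persistent handle")
    return handle


def is_valid_key_ref(spec: str) -> bool:
    """Convenience wrapper for config-time checks."""
    try:
        parse_key_ref(spec)
        return True
    except KeyRefError:
        return False


def openssl_cli_args(ref: ProviderKeyRef) -> List[str]:
    """Arguments to reproduce the key load with the openssl CLI (assumption:
    the tpm2-openssl documented form, which also loads the default provider
    so non-TPM operations keep working)."""
    return ["-provider", ref.provider, "-provider", "default", "-key", ref.key_id]


if __name__ == "__main__":
    # Constructed inputs, not taken from a real deployment.
    for spec in ("provider:tpm2:handle:0x81000009",
                 "provider:tpm2:0810009",
                 "provider:tpm2:0x01000009",
                 "engine:tpm2tss:0x81000009"):
        try:
            ref = parse_key_ref(spec)
            print(spec, "->", ref, " ".join(openssl_cli_args(ref)))
        except KeyRefError as e:
            print(spec, "-> rejected:", e)
```

A persistent handle that fails the range check is rejected at parse time rather than being passed on to the provider, which is the kind of early, specific error message an nginx -t run would want to surface for a mistyped handle.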
