I've been researching how to secure privaye keys for SSL certificats using nginx as a webserver, but have not been able to find many satisfactory answers.
Specifically, for a client who wants to me to deploy a website under their own sub-domain, they are afraid that someone could access their sub-domain's certificate private key, and hence setup a legitimate-looking unsafe website. They have asked me to use some kind of software vault solution to secure they private key.
This article from nginx's blog as well as this one describe some solutions, but in the end they both rely on the same principle: the private key is protected by a passphrase, that we will retrieve from either a local or remote location, and this "retrieval" procedure requires a password/token.. that is stored locally.
Hence I fail to understand how the private key really gets more secure - it looks a bit like locking your frontdoor key in a keybox instead of leaving it under the mat... and then leaving the keybox key under the mat.
Am I missing something? Is there a better way to secure a private key with nginx?
Based on your last comment, I see several options:
/etc/ssl. Hacking a hosted website is much more common than the entire server, and that way, there is protection against it being read that way.And about giving you an SSL certificate: they don't have to. You can just set up Letsencrypt. Added bonus is that those certificates are short lived.
There is one solution, but, indeed, it does not remove the need to trust your server. If you Client is willing to put his record to your server, he has to trust you, somehow. There is one solution that might protect your Client.
They point subdomain to Web Application Firewall, like Cloudflare. They create you an Origin certificate (the one that is on your server) and send you certificate and key, via trusted communication protocol, like GPG.
They point this subdomain to your servers IP address.
They do not give you access to their Cloudflare account.
Keeping all of that. They control Edge certificate. They control Origin certificate. They can always revoke it. They control their domain. The only thing, your Client does not control is of course your server. ;)
Of course, the whole security setup presented by @Halfgaar is still up to date.
————————————————————-
If you want to build trust, you can show audits from your server. Present audit logs. Prove that your servers security is compliant with standards, like NISM or STIGS.
Everything is covered up by the comments and answers, I would just
like to add up, stealing the certificates alone is not enough. The attacker also has to come up with valid domain for which the certificate has been verified.
In case of phishing attacks the website might look the same but the
domain might not be the same, and the certificates won't work with different domain.
Until the DNS is pointing correct IP, and DNS is not spoofed or messed, stealing the SSL certificates is useless.
In this situation where client is somewhat in doubt, you can use let's encrypt certificates which comes with less period
of validity (90 days). And have to be renewed regularly.
Obtaining and renewing Let's encrypt certificates needs domain verification each time. So stealing the certificates won't be much useful for long time.