sxg_cert_path
The `sxg_cert_path` directive specifies the file path for serving a certificate used in Signed HTTP Exchanges (SXG).
Description
The sxg_cert_path directive sets the absolute filesystem path at which the CBOR-encoded certificate chain (media type application/cert-chain+cbor) is written. This is the file that must be served at sxg_cert_url, the URL that every signed exchange references for its certificate. When the directive is set, NGINX generates the cert-chain+cbor from the PEM certificate given by sxg_certificate and regenerates it as needed. Because the cert-chain+cbor embeds a stapled OCSP response for the leaf certificate, and clients verify that response when they load the exchange, the certificate's OCSP responder must be reachable from the server so that a fresh response can be fetched at each refresh.
With the file kept current, the remaining SXG directives can rely on it without manual intervention. If sxg_cert_path is not set, NGINX does not produce the CBOR file at all: you must generate the cert-chain+cbor yourself (for example with the WICG webpackage gen-certurl tool) and refresh it before its stapled OCSP response expires, otherwise the URL behind sxg_cert_url serves a stale chain or nothing. The directive is optional, but because OCSP responses are short-lived (typically days), setting it is strongly recommended in production.
Config Example
server {
listen 80;
server_name example.com;
sxg_cert_path /etc/nginx/sxg/certificate.cbor;
sxg_certificate /etc/ssl/certs/my_certificate.pem;
sxg_certificate_key /etc/ssl/private/my_key.pem;
sxg_cert_url https://example.com/cert-chain+cbor;
sxg_validity_url https://example.com/validity.json;
sxg_enable on;
}
Ensure the specified path is writable by the NGINX worker user, or generating and refreshing the certificate file will fail.
The OCSP responder named in the certificate must be reachable from the server; otherwise the stapled OCSP response cannot be refreshed and clients will reject the signed exchanges.
The path must be absolute; a relative path will not be resolved as intended.
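As a check after deploying the directive, here is an added example (not part of this page or of the NGINX SXG module) that validates the structure of the file NGINX writes to sxg_cert_path, or equally of the body fetched from sxg_cert_url: it decodes the CBOR array, confirms the "📜⛓" magic string that opens every cert-chain, and confirms that each entry is a map of "cert"/"ocsp"/"sct" byte strings with a stapled OCSP response on the leaf. The sample chain at the bottom is constructed from placeholder DER blobs, not real certificates, and all function names are this example's own.

```python
"""Structural check for an application/cert-chain+cbor file (added example)."""
import sys

# Magic text string that opens every cert-chain+cbor array: U+1F4DC U+26D3 ("📜⛓").
CERT_CHAIN_MAGIC = "\U0001F4DC\u26D3"


def _read_uint(buf, pos, info):
    """Decode the argument of a CBOR head; returns (value, next_pos)."""
    if info < 24:
        return info, pos
    if info > 27:
        raise ValueError("indefinite-length or reserved CBOR head")
    size = 1 << (info - 24)  # 24->1, 25->2, 26->4, 27->8 bytes
    if pos + size > len(buf):
        raise ValueError("truncated CBOR head")
    return int.from_bytes(buf[pos:pos + size], "big"), pos + size


def decode_cbor(buf, pos=0):
    """Decode one CBOR item (uint, bytes, text, array, map) starting at buf[pos]."""
    if pos >= len(buf):
        raise ValueError("unexpected end of CBOR data")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    n, pos = _read_uint(buf, pos + 1, info)
    if major == 0:
        return n, pos
    if major in (2, 3):  # byte string / UTF-8 text string
        if pos + n > len(buf):
            raise ValueError("truncated CBOR string")
        raw = bytes(buf[pos:pos + n])
        return (raw.decode("utf-8") if major == 3 else raw), pos + n
    if major == 4:  # array
        items = []
        for _ in range(n):
            item, pos = decode_cbor(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:  # map
        result = {}
        for _ in range(n):
            key, pos = decode_cbor(buf, pos)
            result[key], pos = decode_cbor(buf, pos)
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")


def _head(major, n):
    """Encode a CBOR head using the shortest form for n (canonical encoding)."""
    if n < 24:
        return bytes([(major << 5) | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | info]) + n.to_bytes(size, "big")
    raise ValueError("value too large for CBOR head")


def encode_cbor(obj):
    """Encode bytes, str, list and dict; used here only to build the sample chain."""
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(encode_cbor(x) for x in obj)
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(
            encode_cbor(k) + encode_cbor(v) for k, v in obj.items())
    raise TypeError(f"cannot encode {type(obj).__name__}")


def check_cert_chain(blob):
    """Validate the layout of a cert-chain+cbor body.

    Expected shape: ["📜⛓", {"cert": DER, "ocsp": DER, "sct"?: bytes}, {"cert": DER}, ...]
    The first entry is the leaf and must carry a stapled OCSP response.
    Returns one summary dict per certificate, or raises ValueError.
    """
    chain, end = decode_cbor(blob)
    if end != len(blob):
        raise ValueError("trailing bytes after the cert-chain array")
    if not isinstance(chain, list) or len(chain) < 2 or chain[0] != CERT_CHAIN_MAGIC:
        raise ValueError("not a cert-chain: expected [magic, leaf, ...]")
    summary = []
    for i, entry in enumerate(chain[1:]):
        if not isinstance(entry, dict):
            raise ValueError(f"entry {i} is not a map")
        for key, val in entry.items():
            if key not in ("cert", "ocsp", "sct") or not isinstance(val, bytes):
                raise ValueError(f"entry {i}: unexpected key {key!r} or non-bytes value")
        for key in ("cert", "ocsp"):
            # DER certificates and OCSP responses both begin with a SEQUENCE tag (0x30).
            if key in entry and not entry[key].startswith(b"\x30"):
                raise ValueError(f"entry {i}: {key} is not DER")
        if "cert" not in entry:
            raise ValueError(f"entry {i} has no 'cert'")
        if i == 0 and "ocsp" not in entry:
            raise ValueError("leaf entry has no stapled OCSP response")
        summary.append({"cert_len": len(entry["cert"]),
                        "ocsp": "ocsp" in entry, "sct": "sct" in entry})
    return summary


def cert_chain_problem(blob):
    """Return None if blob is a well-formed cert-chain, else the error text."""
    try:
        check_cert_chain(blob)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed placeholders standing in for DER blobs; not real certificates.
SAMPLE_LEAF = b"\x30\x03\x02\x01\x01"
SAMPLE_ISSUER = b"\x30\x03\x02\x01\x02"
SAMPLE_OCSP = b"\x30\x03\x0a\x01\x00"
SAMPLE_CHAIN = encode_cbor([CERT_CHAIN_MAGIC,
                            {"cert": SAMPLE_LEAF, "ocsp": SAMPLE_OCSP},
                            {"cert": SAMPLE_ISSUER}])

if __name__ == "__main__":
    # Usage: python3 check_cert_chain.py /etc/nginx/sxg/certificate.cbor
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CHAIN
    for i, info in enumerate(check_cert_chain(data)):
        print(f"cert {i}: {info['cert_len']} bytes, ocsp={info['ocsp']}, sct={info['sct']}")
```

Run it against the file at sxg_cert_path, or against the saved body of a request to sxg_cert_url; that response should also carry Content-Type: application/cert-chain+cbor. The check is structural only: it does not verify certificate signatures or whether the stapled OCSP response is still inside its validity window, which is exactly what the automatic refresh behind sxg_cert_path exists to keep true.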