Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.futurex.com/llms.txt

Use this file to discover all available pages before exploring further.

Perform the following tasks to configure the Apache HTTP Server:
  1. Set FXPKCS11 environment variables.
  2. Generate a key pair on the CryptoHub by using pkcs11-tool.
  3. Generate a Certificate Signing Request (CSR) using the Apache Server private key.
  4. Create a self-signed root certificate authority (CA).
  5. Sign the Apache Server CSR.
  6. Configure Apache to use the signed certificate and the private key stored in CryptoHub.
  7. (Optional) Create a client certificate for the browser that connects to the Apache HTTP Server.
  8. (Optional) Confirm that Apache uses the TLS certificate and private key stored in CryptoHub for HTTPS connections.

Set environment variables

In a terminal, run the following commands to set the required FXPKCS11 environment variables:
Text
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;

Generate a key pair

Perform the following steps to generate a key pair:
1
In a terminal, run the following command to create a new key pair on the CryptoHub by using pkcs11-tool:
Text
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type EC:prime256v1 --label "apache_ecc_privatekey" --id "123456"
At the time of writing, there is a bug in Apache that prevents RSA certificates from being served correctly to the browser. Until the bug is fixed, create and use an ECC certificate as demonstrated.
2
Enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file when prompted for the** User PIN**.
If the command succeeds, the keys display in the output, as shown in the following example:
None
Key pair generated: 
Private Key Object; EC 
label:      apacheeccprivatekey 
ID:         123456 
Usage:      sign 
Public Key Object; EC ECPOINT 256 bits 
ECPOINT:   04410455ff9a32b8c9734cc2d37825a009916abf09f053e3b6b1a2c4ce2e0f87fa2a2a76b4bf82b3fce388c4804c3d031cc343006ef6ff80acf6bd72ae2044d1be5efd 
ECPARAMS:  06082a8648ce3d030107 
label:      apacheecc_privatekey 
ID:         123456 
Usage:      verify
This process creates one private ECC 256-bit key with asymmetric sign usage and one public ECC 256-bit key with verify usage.

Generate a CSR

Before completing the remaining steps in this section, create a directory to store the TLS certificates that will be created, then navigate to that directory.
In a terminal, run the following command to generate a CSR by using the private key that you created on the CryptoHub for Apache Server:
Text
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=apache_ecc_privatekey" -out apache-cert-req.pem
The common name of the Apache server certificate should match the domain name of the virtual host it is configured for.

Create a CA

This example uses a self-signed root certificate authority (CA). In a production environment, you should use a secure certificate authority (such as the CryptoHub) for all private key generation and certificate signing operations.
Run the following commands in a terminal to generate a root private key and self-signed certificate. You use this certificate to sign the Apache Server certificate in the next section.
Text
openssl genrsa -out ssl-ca-privatekey.pem 2048
openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365

Sign the Apache Server CSR

In a terminal, run the following command to issue a signed Apache Server certificate by using the self-signed root CA created in the previous step:
Text
openssl x509 -req -in apache-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-apache-cert.pem

Configure Apache

This section covers modifying the configuration file for a virtual host running in Apache. Configuring a virtual host is outside the scope of this guide. Refer to this article for your operating system if you have not configured a virtual host. Perform the following steps to configure Apache to use the signed certificate and the private key stored in CryptoHub:
1
In a text editor, open the configuration file for the virtual host for which you want to configure HTTPS and modify it as shown in the following example:
The location of the configuration file is specific to your system.
Text
<IfModule mod_ssl.c> 
    <VirtualHost _default_:443> 
        ServerAdmin webmaster@localhost 
   ServerName myserver.local 
   DocumentRoot /var/www/myserver.local 
   ErrorLog ${APACHE_LOG_DIR}/error.log 
   CustomLog ${APACHE_LOG_DIR}/access.log combined 
   SSLEngine on 
   SSLCertificateFile /etc/apache2/ssl/signed-apache-cert.pem 
   SSLCertificateKeyFile "pkcs11:object=apache_ecc_privatekey;type=private" 
   <FilesMatch "\.(?:cgi|shtml|phtml|php)$"> 
       SSLOptions +StdEnvVars 
   </FilesMatch> 
   <Directory /usr/lib/cgi-bin> 
       SSLOptions +StdEnvVars 
   </Directory> 
    </VirtualHost> 
</IfModule>
You must modify the location of the signed Apache certificate specified in the SSLCertificateFile define according to where you stored it on your system.
The object name of the Apache private key specified in the SSLCertificateKeyFile define must match the label that you set in the pkcs11-tool command.
2
Restart Apache to save and apply the configuration.

(Optional) Create a client certificate

This step is required only if you want to use mutual authentication.
Perform the following steps to create a client certificate for the browser that connects to the Apache HTTP Server:
1
In a terminal, generate a client key pair with the following command:
Text
openssl genrsa -out ssl-client-privatekey.pem 2048
2
Create a client certificate signing request:
Text
openssl req -new -key ssl-client-privatekey.pem -out ssl-client-req.pem -days 365
3
Sign the CSR with the CA certificate:
Text
openssl x509 -req -in ssl-client-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out ssl-client-cert.pem
4
Convert the signed client certificate to PKCS #12 format for insertion into the browser:
Text
openssl pkcs12 -inkey ssl-client-privatekey.pem -in ssl-client-cert.pem -CAfile ssl-ca-cert.pem -export -out ssl-client-pkcs12.p12

(Optional) Confirm Apache configuration

If you did not create a client certificate for mutual authentication in the previous section, skip this step.
The following steps assume you are using a Firefox web browser. There might be some differences in the actions taken when using a different browser, but the overall intent of the process is the same.
Perform the following steps to confirm that Apache uses the TLS certificate and private key stored in CryptoHub for HTTPS connections:
1
In Firefox, go toSettings > Privacy & Security > Certificates and select [ View Certificates ]
2
Under the Your Certificates tab, select [ Import ] to import the client certificate converted to PKCS #12 (ssl-client-pkcs12.p12).
3
Under the Authorities tab, select [ Import ] to import the CA certificate (such as ssl-ca-cert.pem).
4
Go to the IP address from which Apache is running over HTTPS.
If a client certificate was configured in the browser for mutual authentication, you should see a lock icon next to the web address. If you did not configure a client certificate, bypass the warning and connect to the website.
5
View the certificate that the website served to the browser and confirm that it is the certificate that was configured in Apache.