> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure Apache HTTP Server

> Detailed configuration steps for Apache HTTP Server including key generation and CSR signing.

Perform the following tasks to configure the Apache HTTP Server:

1. Set **FXPKCS11** environment variables.
2. Generate a key pair on the CryptoHub by using **pkcs11-tool**.
3. Generate a Certificate Signing Request (CSR) using the Apache Server private key.
4. Create a self-signed root certificate authority (CA).
5. Sign the Apache Server CSR.
6. Configure Apache to use the signed certificate and the private key stored in CryptoHub.
7. (Optional) Create a client certificate for the browser that connects to the Apache HTTP Server.
8. (Optional) Confirm that Apache uses the TLS certificate and private key stored in CryptoHub for HTTPS connections.

## Set environment variables

In a terminal, run the following commands to set the required **FXPKCS11** environment variables:

```text expandable lines wrap title="Text" theme={null}
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
```

## Generate a key pair

Perform the following steps to generate a key pair:

<Steps>
  <Step>
    In a terminal, run the following command to create a new key pair on the CryptoHub by using **pkcs11-tool**:

    ```text expandable lines wrap title="Text" theme={null}
    pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type EC:prime256v1 --label "apache_ecc_privatekey" --id "123456"
    ```

    <Note>
      At the time of writing, there is a bug in Apache that prevents RSA certificates from being served correctly to the browser. Until the bug is fixed, create and use an ECC certificate as demonstrated.
    </Note>
  </Step>

  <Step>
    Enter the identity password configured inside the `<CRYPTO-OPR-PASS>` tag in the `fxpkcs11.cfg` file when prompted for the\*\* User PIN\*\*.

    <Check>
      If the command succeeds, the keys display in the output, as shown in the following example:

      ```none expandable lines wrap title="None" theme={null}
      Key pair generated: 
      Private Key Object; EC 
      label:      apacheeccprivatekey 
      ID:         123456 
      Usage:      sign 
      Public Key Object; EC ECPOINT 256 bits 
      ECPOINT:   04410455ff9a32b8c9734cc2d37825a009916abf09f053e3b6b1a2c4ce2e0f87fa2a2a76b4bf82b3fce388c4804c3d031cc343006ef6ff80acf6bd72ae2044d1be5efd 
      ECPARAMS:  06082a8648ce3d030107 
      label:      apacheecc_privatekey 
      ID:         123456 
      Usage:      verify
      ```

      This process creates one private ECC 256-bit key with asymmetric sign usage and one public ECC 256-bit key with verify usage.
    </Check>
  </Step>
</Steps>

## Generate a CSR

<Note>
  Before completing the remaining steps in this section, create a directory to store the TLS certificates that will be created, then navigate to that directory.
</Note>

In a terminal, run the following command to generate a CSR by using the private key that you created on the CryptoHub for Apache Server:

```text expandable lines wrap title="Text" theme={null}
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=apache_ecc_privatekey" -out apache-cert-req.pem
```

<Check>
  The common name of the Apache server certificate should match the domain name of the virtual host it is configured for.
</Check>

## Create a CA

<Note>
  This example uses a self-signed root certificate authority (CA). In a production environment, you should use a secure certificate authority (such as the CryptoHub)  for all private key generation and certificate signing operations.
</Note>

Run the following commands in a terminal to generate a root private key and self-signed certificate. You use this certificate to sign the Apache Server certificate in the next section.

```text expandable lines wrap title="Text" theme={null}
openssl genrsa -out ssl-ca-privatekey.pem 2048
openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
```

## Sign the Apache Server CSR

In a terminal, run the following command to issue a signed Apache Server certificate by using the self-signed root CA created in the previous step:

```text expandable lines wrap title="Text" theme={null}
openssl x509 -req -in apache-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-apache-cert.pem
```

## Configure Apache

This section covers modifying the configuration file for a virtual host running in Apache. Configuring a virtual host is outside the scope of this guide. Refer to

[**this article**](https://www.digitalocean.com/community/tutorial_collections/how-to-install-apache) for your operating system if you have not configured a virtual host.

Perform the following steps to configure Apache to use the signed certificate and the private key stored in CryptoHub:

<Steps>
  <Step>
    In a text editor, open the configuration file for the virtual host for which you want to configure HTTPS and modify it as shown in the following example:

    <Note>
      The location of the configuration file is specific to your system.
    </Note>

    ```text expandable lines wrap title="Text" theme={null}
    <IfModule mod_ssl.c> 
        <VirtualHost _default_:443> 
            ServerAdmin webmaster@localhost 
       ServerName myserver.local 
       DocumentRoot /var/www/myserver.local 
       ErrorLog ${APACHE_LOG_DIR}/error.log 
       CustomLog ${APACHE_LOG_DIR}/access.log combined 
       SSLEngine on 
       SSLCertificateFile /etc/apache2/ssl/signed-apache-cert.pem 
       SSLCertificateKeyFile "pkcs11:object=apache_ecc_privatekey;type=private" 
       <FilesMatch "\.(?:cgi|shtml|phtml|php)$"> 
           SSLOptions +StdEnvVars 
       </FilesMatch> 
       <Directory /usr/lib/cgi-bin> 
           SSLOptions +StdEnvVars 
       </Directory> 
        </VirtualHost> 
    </IfModule>
    ```

    <Note>
      You must modify the location of the signed Apache certificate specified in the `SSLCertificateFile` define according to where you stored it on your system.
    </Note>

    <Note>
      The object name of the Apache private key specified in the `SSLCertificateKeyFile` define must match the label that you set in the pkcs11-tool command.
    </Note>
  </Step>

  <Step>
    Restart Apache to save and apply the configuration.
  </Step>
</Steps>

## (Optional) Create a client certificate

<Note>
  This step is required only if you want to use mutual authentication.
</Note>

Perform the following steps to create a client certificate for the browser that connects to the Apache HTTP Server:

<Steps>
  <Step>
    In a terminal, generate a client key pair with the following command:

    ```text expandable lines wrap title="Text" theme={null}
    openssl genrsa -out ssl-client-privatekey.pem 2048
    ```
  </Step>

  <Step>
    Create a client certificate signing request:

    ```text expandable lines wrap title="Text" theme={null}
    openssl req -new -key ssl-client-privatekey.pem -out ssl-client-req.pem -days 365
    ```
  </Step>

  <Step>
    Sign the CSR with the CA certificate:

    ```text expandable lines wrap title="Text" theme={null}
    openssl x509 -req -in ssl-client-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out ssl-client-cert.pem
    ```
  </Step>

  <Step>
    Convert the signed client certificate to PKCS #12 format for insertion into the browser:

    ```text expandable lines wrap title="Text" theme={null}
    openssl pkcs12 -inkey ssl-client-privatekey.pem -in ssl-client-cert.pem -CAfile ssl-ca-cert.pem -export -out ssl-client-pkcs12.p12
    ```
  </Step>
</Steps>

### (Optional) Confirm Apache configuration

<Note>
  If you did not create a client certificate for mutual authentication in the previous section, skip this step.
</Note>

<Note>
  The following steps assume you are using a Firefox web browser. There might be some differences in the actions taken when using a different browser, but the overall intent of the process is the same.
</Note>

Perform the following steps to confirm that Apache uses the TLS certificate and private key stored in CryptoHub for HTTPS connections:

<Steps>
  <Step>
    In Firefox, go to**Settings** > **Privacy & Security** > **Certificates** and select **\[ View Certificates ]**
  </Step>

  <Step>
    Under the **Your Certificates** tab, select **\[ Import ]** to import the client certificate converted to PKCS #12 (`ssl-client-pkcs12.p12`).
  </Step>

  <Step>
    Under the **Authorities** tab, select **\[ Import ]** to import the CA certificate (such as `ssl-ca-cert.pem`).
  </Step>

  <Step>
    Go to the IP address from which Apache is running over HTTPS.

    <Note>
      If a client certificate was configured in the browser for mutual authentication, you should see a lock icon next to the web address. If you did not configure a client certificate, bypass the warning and connect to the website.
    </Note>
  </Step>

  <Step>
    View the certificate that the website served to the browser and confirm that it is the certificate that was configured in Apache.
  </Step>
</Steps>
