> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure Apache HTTP Server

> Step-by-step instructions to configure Apache HTTP Server with PKCS11 integration.

To configure the Apache HTTP Server, you need to perform the following tasks:

1. Set **FXPKCS11** environment variables.
2. Create a key pair on the KMES Series 3 with `pkcs11-tool`.
3. Generate a CSR by using the Apache Server private key.
4. Create a self-signed root certificate authority (CA).
5. Sign the Apache Server CSR.
6. Configure Apache to use the signed certificate and the private key stored on the KMES Series 3.
7. (Optional) Create a client certificate for the browser that connects to the Apache HTTP Server.
8. Confirm that Apache uses the new TLS certificate and private key (stored on the KMES) for HTTPS connections.

The following sections provide the steps to perform these tasks.

## Set FXPKCS11 environment variables

In a terminal, run the following sequence of commands to set the required **FXPKCS11** environment variables:

```shell expandable lines wrap title="Shell" theme={null}
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
```

## Create a key pair

Perform the following steps to create a key pair on the KMES Series 3with **pkcs11-tool**:

<Steps>
  <Step>
    In a terminal, run the following command to create a new key pair on the KMES Series 3 with `pkcs11-tool`:

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type EC:prime256v1 --label "apache_ecc_privatekey" --id "123456"
    ```

    Currently, Apache has a bug that prevents RSA certificates from being served correctly to the browser. This bug might be fixed, but we recommend that you create and use an ECC certificate as demonstrated in the code example.
  </Step>

  <Step>
    Enter the password of the identity configured in `fxpkcs11.cfg` when prompted for the User PIN.

    <Check>
      If the command succeeds, the output includes the keys (a private ECC 256-bit key with asymmetric sign usage and a public ECC 256-bit key with verify usage), as shown in the following output sample:

      ```none expandable lines wrap title="None" theme={null}
      Key pair generated:
      Private Key Object; EC
      label: apacheeccprivatekey
      ID: 123456
      Usage: sign
      Public Key Object; EC ECPOINT 256 bits
      ECPOINT: 04410455ff9a32b8c9734cc2d37825a009916-
      abf09f053e3b6b1a2c4ce2e0f87fa2a2a76b4bf82b3fce388c4804c3d031cc343006ef6ff80acf6bd72ae2044d1be5efd
      ECPARAMS: 06082a8648ce3d030107
      label: apacheecc_privatekey
      ID: 123456
      Usage: verify
      ```
    </Check>
  </Step>

  <Step>
    In the KMES application interface, you can view a new asymmetric key group  (using the value specified with the `<ASYM-KEYGROUP-NAME>` tag in`fxpkcs11.cfg`), and the key group includes a key pair with the name specified in the preceding `pkcs11-tool` command.
  </Step>
</Steps>

## Generate a CSR

Before completing the steps in this section, create a directory to store the new TLS certificates and go to that directory. Then, perform the following process to create a CSR by using the Apache Server private key:

In a terminal, run the following command to generate a CSR by using the private key that you created on the KMES Series 3 for Apache Server:

```shell expandable lines wrap title="Shell" theme={null}
sudo openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=apache_ecc_privatekey" -out apache-cert-req.pem
```

The common name for the Apache server certificate should match the domain name of the virtual host that uses it.

## Create a self-signed root CA

This section uses a self-signed root certificate authority (CA) for demonstration purposes. In a production environment, you should use a secure certificate authority (such as the KMES Series 3) for all private key generation and certificate signing operations.

In a terminal, run the following sequence of commands to generate a root private key and self-signed certificate. This certificate signs the Apache Server certificate in the next section.

```shell expandable lines wrap title="Shell" theme={null}
sudo openssl genrsa -out ssl-ca-privatekey.pem 2048
sudo openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
```

## Sign the CSR

In a terminal, run the following command to issue a signed Apache Server certificate by using the self-signed root CA created in the previous step:

```shell expandable lines wrap title="Shell" theme={null}
sudo openssl x509 -req -in apache-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-apache-cert.pem
```

## Configure Apache

This section explains how to modify the configuration file for a virtual host running in Apache. Configuring a virtual host is outside of the scope of this guide. Refer to the following documentation ([**www.digitalocean.com/community/tutorial-collections/how-to-install-apache**](http://www.digitalocean.com/community/tutorial-collections/how-to-install-apache)) specific to your operating system if you have not already configured a virtual host.

Perform the following steps to configure Apache to use the signed certificate and the private key stored on the KMES Series 3:

<Steps>
  <Step>
    In a text editor, open the configuration file for the virtual host for which you want to configure HTTPS. The location of the configuration file varies depending on your system. Modify the file as shown in the following example:

    ```none expandable lines wrap title="None" theme={null}
    <IfModule mod_ssl.c>
           <VirtualHost _default_:443>

                   ServerAdmin webmaster@localhost
                   ServerName myserver.local
                   DocumentRoot /var/www/myserver.local
                   ErrorLog ${APACHE_LOG_DIR}/error.log
                   CustomLog ${APACHE_LOG_DIR}/access.log combined
                   SSLEngine on
                   SSLCertificateFile /etc/apache2/ssl/signed-apache-cert.pem
                   SSLCertificateKeyFile "pkcs11:object=apache_ecc_privatekey;type=private"

                   <FilesMatch "\.(?:cgi|shtml|phtml|php)$">
                                   SSLOptions +StdEnvVars
                   </FilesMatch>
                   <Directory /usr/lib/cgi-bin>
                                   SSLOptions +StdEnvVars
                   </Directory>
           </VirtualHost>
    </IfModule>
    ```

    <Warning>
      You must modify the location of the signed Apache certificate specified in the `SSLCertificateFile`define according to where it is stored on your system.
    </Warning>

    <Warning>
      You must modify the object name of the Apache private key specified in the `SSLCertificateKeyFile` define so it matches the label set in the `pkcs11-tool` command.
    </Warning>
  </Step>

  <Step>
    Restart Apache to save to apply the modified configuration.
  </Step>
</Steps>

## (Optional) Create a client certificate

Complete this step only if you want to use mutual authentication. Perform the following steps to create a client certificate for the browser that connects to Apache HTTP Server:

<Steps>
  <Step>
    In a terminal, generate a client key pair by using the following command:

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo openssl genrsa -out ssl-client-privatekey.pem 2048
    ```
  </Step>

  <Step>
    Run the following command to create a client certificate signing request:

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo openssl req -new -key ssl-client-privatekey.pem -out ssl-client-req.pem -days 365
    ```
  </Step>

  <Step>
    Run the following command to sign the CSR with the CA certificate created earlier in this section:

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo openssl x509 -req -in ssl-client-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out ssl-client-cert.pem
    ```
  </Step>

  <Step>
    Run the following command to convert the signed client certificate to PKCS #12 format for insertion into the browser:

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo openssl pkcs12 -inkey ssl-client-privatekey.pem -in ssl-client-cert.pem -CAfile ssl-ca-cert.pem -export -out ssl-client-pkcs12.p12
    ```
  </Step>
</Steps>

## Confirm Apache configuration

<Note>
  If you did not create a client certificate for mutual authentication in the previous section, start at step 4 of the following procedure.
</Note>

The following steps assume you are using the Firefox web browser. Some actions might yield different results when using other browsers, but the overall experience is the same.

Perform the following steps to confirm that Apache uses the new TLS certificate and private key (stored on the KMES) for HTTPS connections:

<Steps>
  <Step>
    In Firefox, select **Settings**>
    **Privacy & Security**>
    **Certificates** and then select **\[ View Certificates ]**.
  </Step>

  <Step>
    On the **Your Certificates** tab, select **\[ Import ]** to import the client certificate that was converted to PKCS #12 (`ssl-client-pkcs12.p12`).
  </Step>

  <Step>
    On the **Authorities** tab, select **\[ Import ]** to import the CA certificate ( `ssl-ca-cert.pem`).
  </Step>

  <Step>
    to the IP address from which Apache is running over HTTPS.

    <Check>
      If you configured a client certificate in the browser for mutual authentication, you should see a lock icon next to the web address. If you did not configure a client certificate, bypass the warning that displays and connect to the website anyway.
    </Check>
  </Step>

  <Step>
    View the certificate that the website served to the browser and confirm that it is the certificate configured in Apache.
  </Step>
</Steps>
