# Configure Apache HTTP Server
Perform the following tasks to configure the Apache HTTP Server:

1. Set the FXPKCS11 environment variables.
2. Generate a key pair on the {{ch}} by using pkcs11-tool.
3. Generate a certificate signing request (CSR) using the Apache server private key.
4. Create a self-signed root certificate authority (CA).
5. Sign the Apache server CSR.
6. Configure Apache to use the signed certificate and the private key stored in {{ch}}.
7. (Optional) Create a client certificate for the browser that connects to the Apache HTTP Server.
8. (Optional) Confirm that Apache uses the TLS certificate and private key stored in {{ch}} for HTTPS connections.

## Set environment variables

In a terminal, run the following commands to set the required FXPKCS11 environment variables:

```bash
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg
```

## Generate a key pair

Perform the following steps to generate a key pair:

1. In a terminal, run the following command to create a new key pair on the {{ch}} by using pkcs11-tool:

   ```bash
   pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type EC:prime256v1 --label "apache-ecc-privatekey" --id "123456"
   ```

   At the time of writing, there is a bug in Apache that prevents RSA certificates from being served correctly to the browser. Until the bug is fixed, create and use an ECC certificate as demonstrated.

2. When prompted for the user PIN, enter the identity password configured inside the `<CRYPTO-OPR-PASS>` tag in the fxpkcs11.cfg file.

If the command succeeds, the keys are displayed in the output, as shown in the following example:

```
Key pair generated:
Private Key Object; EC
  label:      apache-ecc-privatekey
  ID:         123456
  Usage:      sign
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   04410455ff9a32b8c9734cc2d37825a009916abf09f053e3b6b1a2c4ce2e0f87fa2a2a76b4bf82b3fce388c4804c3d031cc343006ef6ff80acf6bd72ae2044d1be5efd
  EC_PARAMS:  06082a8648ce3d030107
  label:      apache-ecc-privatekey
  ID:         123456
  Usage:      verify
```

This process creates one private ECC 256-bit key with asymmetric sign usage and one public ECC 256-bit key with verify usage.

## Generate a CSR

Before completing the remaining steps in this section, create a directory to store the TLS certificates that will be created, then navigate to that directory.

In a terminal, run the following command to generate a CSR by using the private key that you created on the {{ch}} for the Apache server:

```bash
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=apache-ecc-privatekey" -out apache-cert-req.pem
```

The Common Name (CN) of the Apache server certificate should match the domain name of the virtual host it is configured for.

## Create a CA

This example uses a self-signed root certificate authority (CA). In a production environment, use a secure certificate authority (such as the {{ch}}) for all private key generation and certificate signing operations.

Run the following commands in a terminal to generate a root private key and a self-signed certificate. You use this certificate to sign the Apache server certificate in the next section.

```bash
openssl genrsa -out ssl-ca-privatekey.pem 2048
openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
```

## Sign the Apache server CSR

In a terminal, run the following command to issue a signed Apache server certificate by using the self-signed root CA created in the previous step:

```bash
openssl x509 -req -in apache-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-apache-cert.pem
```

## Configure Apache

This section covers modifying the configuration file for a virtual host running in Apache. Configuring a virtual host is outside the scope of this guide; refer to the Apache documentation for your operating system if you have not configured a virtual host.

Perform the following steps to configure Apache to use the signed certificate and the private key stored in {{ch}}:

1. In a text editor, open the configuration file for the virtual host for which you want to configure HTTPS and modify it as shown in the following example. The location of the configuration file is specific to your system.

   ```apache
   <IfModule mod_ssl.c>
       <VirtualHost _default_:443>
           ServerAdmin webmaster@localhost
           ServerName myserver.local
           DocumentRoot /var/www/myserver.local

           ErrorLog ${APACHE_LOG_DIR}/error.log
           CustomLog ${APACHE_LOG_DIR}/access.log combined

           SSLEngine on
           SSLCertificateFile /etc/apache2/ssl/signed-apache-cert.pem
           SSLCertificateKeyFile "pkcs11:object=apache-ecc-privatekey;type=private"

           <FilesMatch "\.(cgi|shtml|phtml|php)$">
               SSLOptions +StdEnvVars
           </FilesMatch>
           <Directory /usr/lib/cgi-bin>
               SSLOptions +StdEnvVars
           </Directory>
       </VirtualHost>
   </IfModule>
   ```

   You must modify the location of the signed Apache certificate specified in the `SSLCertificateFile` directive according to where you stored it on your system. The object name of the Apache private key specified in the `SSLCertificateKeyFile` directive must match the label that you set in the pkcs11-tool command.

2. Restart Apache to save and apply the configuration.

## (Optional) Create a client certificate

This step is required only if you want to use mutual authentication. Perform the following steps to create a client certificate for the browser that connects to the Apache HTTP Server:

1. In a terminal, generate a client key pair with the following command:

   ```bash
   openssl genrsa -out ssl-client-privatekey.pem 2048
   ```

2. Create a client certificate signing request:

   ```bash
   openssl req -new -key ssl-client-privatekey.pem -out ssl-client-req.pem -days 365
   ```

3. Sign the CSR with the CA certificate:

   ```bash
   openssl x509 -req -in ssl-client-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out ssl-client-cert.pem
   ```

4. Convert the signed client certificate to PKCS #12 format for import into the browser:

   ```bash
   openssl pkcs12 -inkey ssl-client-privatekey.pem -in ssl-client-cert.pem -CAfile ssl-ca-cert.pem -export -out ssl-client-pkcs12.p12
   ```

## (Optional) Confirm Apache configuration

If you did not create a client certificate for mutual authentication in the previous section, skip this step.

The following steps assume you are using the Firefox web browser. There might be some differences in the actions taken when using a different browser, but the overall intent of the process is the same.

Perform the following steps to confirm that Apache uses the TLS certificate and private key stored in {{ch}} for HTTPS connections:

1. In Firefox, go to Settings > Privacy & Security > Certificates and select [View Certificates].
2. Under the Your Certificates tab, select [Import] to import the client certificate converted to PKCS #12 (ssl-client-pkcs12.p12).
3. Under the Authorities tab, select [Import] to import the CA certificate (such as ssl-ca-cert.pem).
4. Go to the IP address from which Apache is running over HTTPS. If a client certificate was configured in the browser for mutual authentication, you should see a lock icon next to the web address. If you did not configure a client certificate, bypass the warning and connect to the website.
5. View the certificate that the website served to the browser and confirm that it is the certificate that was configured in Apache.
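The browser check above can also be done from a terminal. The following POSIX shell functions are an added example, not part of the original guide: they verify that the signed certificate chains to the CA, that its public key matches the key it was issued for, and (`served_cert_matches`) that a live Apache host serves that exact certificate. The `build_demo_chain` helper constructs a throwaway software EC key in place of the {{ch}}-resident key so the checks can be exercised without a PKCS#11 module; the file names mirror the guide.

```shell
#!/bin/sh
# Added example (not from the original guide). Requires the openssl CLI.
set -eu

# Return 0 if the public key in CERT (arg 1) equals the public key of the
# PEM private key KEY (arg 2). Compares SHA-256 digests of the DER public keys.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if CERT (arg 2) verifies against the CA certificate (arg 1).
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if the leaf certificate served at HOST:PORT (arg 1) has the same
# SHA-256 fingerprint as the local certificate file (arg 2). Live check only.
served_cert_matches() {
  served_fp=$(openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
    | openssl x509 -fingerprint -sha256 -noout)
  file_fp=$(openssl x509 -in "$2" -fingerprint -sha256 -noout)
  [ "$served_fp" = "$file_fp" ]
}

# Constructed demo: repeat the guide's CSR/CA/sign steps in a temp directory,
# with a software prime256v1 key standing in for the {{ch}} key. Prints the dir.
build_demo_chain() {
  d=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/apache-key.pem"
  openssl req -new -key "$d/apache-key.pem" -subj "/CN=myserver.local" -out "$d/apache-cert-req.pem" 2>/dev/null
  openssl genrsa -out "$d/ssl-ca-privatekey.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$d/ssl-ca-privatekey.pem" -subj "/CN=Demo Root CA" -days 365 \
    -out "$d/ssl-ca-cert.pem" 2>/dev/null
  openssl x509 -req -in "$d/apache-cert-req.pem" -CA "$d/ssl-ca-cert.pem" -CAkey "$d/ssl-ca-privatekey.pem" \
    -CAcreateserial -days 365 -out "$d/signed-apache-cert.pem" 2>/dev/null
  echo "$d"
}
```

Against a real deployment, run `cert_chains_to_ca ssl-ca-cert.pem signed-apache-cert.pem` and `served_cert_matches myserver.local:443 signed-apache-cert.pem` from the certificate directory; a fingerprint mismatch means Apache is serving a different certificate than the one configured.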