Configure Apache HTTP Server

13min
Perform the following tasks to configure the Apache HTTP Server:
1 | Set FXPKCS11 environment variables
In a terminal, run the following commands to set the required FXPKCS11 environment variables:
Text
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
﻿
2 | Generate a keypair on the  using pkcs11-tool
In a terminal, run the following command to create a new key pair on the  using pkcs11-tool:
Text
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type EC:prime256v1 --label "apache_ecc_privatekey" --id "123456"
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type EC:prime256v1 --label "apache_ecc_privatekey" --id "123456"
﻿
At the time of writing, there is a bug in Apache that prevents RSA certificates from being served correctly to the browser. This bug may be fixed, but to be safe it is recommended to create and use an ECC certificate as demonstrated.

Enter the identity password configured inside the <CRYPTO-OPR-PASS> tag in the fxpkcs11.cfg file when prompted for the User PIN. If the command is successful the keys will be listed in the output, as shown below:
Text
Key pair generated: 
Private Key Object; EC 
label:      apache_ecc_privatekey 
ID:         123456 
Usage:      sign 
Public Key Object; EC EC_POINT 256 bits 
EC_POINT:   04410455ff9a32b8c9734cc2d37825a009916abf09f053e3b6b1a2c4ce2e0f87fa2a2a76b4bf82b3fce388c4804c3d031cc343006ef6ff80acf6bd72ae2044d1be5efd 
EC_PARAMS:  06082a8648ce3d030107 
label:      apache_ecc_privatekey 
ID:         123456 
Usage:      verify
Key pair generated: 
Private Key Object; EC 
label:      apache_ecc_privatekey 
ID:         123456 
Usage:      sign 
Public Key Object; EC EC_POINT 256 bits 
EC_POINT:   04410455ff9a32b8c9734cc2d37825a009916abf09f053e3b6b1a2c4ce2e0f87fa2a2a76b4bf82b3fce388c4804c3d031cc343006ef6ff80acf6bd72ae2044d1be5efd 
EC_PARAMS:  06082a8648ce3d030107 
label:      apache_ecc_privatekey 
ID:         123456 
Usage:      verify
﻿
One private ECC 256-bit key was created with asymmetric sign usage, and one public ECC 256-bit key was created with verify usage.
3 | Generate a Certificate Signing Request (CSR) using the Apache Server private key
Before completing the remaining steps in this section, create a directory to store the TLS certificates that will be created, then navigate to that directory.
In a terminal, run the following command to generate a CSR using the private key that you created on the  for Apache Server:
Text
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=apache_ecc_privatekey" -out apache-cert-req.pem
openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=apache_ecc_privatekey" -out apache-cert-req.pem
﻿
The common name of the Apache server certificate should match the domain name of the virtual host it is configured for.
4 | Create a self-signed root certificate authority (CA)
A self-signed root certificate authority (CA) is being used here for demonstration purposes. In a production environment, a secure certificate authority (such as the ) should be used for all private key generation and certificate signing operations.
Run the following commands in a terminal to generate a root private key and self-signed certificate. You use this certificate to sign the Apache Server certificate in the next section.
Text
openssl genrsa -out ssl-ca-privatekey.pem 2048
openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
openssl genrsa -out ssl-ca-privatekey.pem 2048
openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
﻿
5 | Sign the Apache Server CSR
In a terminal, run the following command to issue a signed Apache Server certificate by using the self-signed root CA created in the previous step:
Text
openssl x509 -req -in apache-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-apache-cert.pem
openssl x509 -req -in apache-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-apache-cert.pem
﻿
6 | Configure Apache to use the signed certificate and the private key stored in ﻿
This section covers how to modify the configuration file for a virtual host that is running in Apache. Configuring a virtual host is outside the scope of this guide. Please reference the following documentation specific to your operating system, if you do not already have a virtual host configured.
1
In a text editor, open the configuration file for the virtual host you want to configure HTTPS for and modify it as shown below.
The location of the configuration file will specific to your system.
Text
<IfModule mod_ssl.c> 
    <VirtualHost _default_:443> 
        ServerAdmin webmaster@localhost 
   ServerName myserver.local 
   DocumentRoot /var/www/myserver.local 
   ErrorLog ${APACHE_LOG_DIR}/error.log 
   CustomLog ${APACHE_LOG_DIR}/access.log combined 
   SSLEngine on 
   SSLCertificateFile /etc/apache2/ssl/signed-apache-cert.pem 
   SSLCertificateKeyFile "pkcs11:object=apache_ecc_privatekey;type=private" 
   <FilesMatch "\.(?:cgi|shtml|phtml|php)$"> 
       SSLOptions +StdEnvVars 
   </FilesMatch> 
   <Directory /usr/lib/cgi-bin> 
       SSLOptions +StdEnvVars 
   </Directory> 
    </VirtualHost> 
</IfModule>
<IfModule mod_ssl.c> 
    <VirtualHost _default_:443> 
        ServerAdmin webmaster@localhost 
   ServerName myserver.local 
   DocumentRoot /var/www/myserver.local 
   ErrorLog ${APACHE_LOG_DIR}/error.log 
   CustomLog ${APACHE_LOG_DIR}/access.log combined 
   SSLEngine on 
   SSLCertificateFile /etc/apache2/ssl/signed-apache-cert.pem 
   SSLCertificateKeyFile "pkcs11:object=apache_ecc_privatekey;type=private" 
   <FilesMatch "\.(?:cgi|shtml|phtml|php)$"> 
       SSLOptions +StdEnvVars 
   </FilesMatch> 
   <Directory /usr/lib/cgi-bin> 
       SSLOptions +StdEnvVars 
   </Directory> 
    </VirtualHost> 
</IfModule>
﻿
The location of the signed Apache certificate specified in the SSLCertificateFile define needs to be modified according to where it is stored on your system.
The object name of the Apache private key specified in the SSLCertificateKeyFile define needs to match the label that was set in the pkcs11-tool command.
2
Restart Apache to save and apply the configuration.
7 | Create a client certificate for the browser that connects to Apache HTTP Server
This step is only required if you want to use mutual authentication.
1
In a terminal, generate a client key pair with the following command:
Text
openssl genrsa -out ssl-client-privatekey.pem 2048
openssl genrsa -out ssl-client-privatekey.pem 2048
﻿
2
Create a client certificate signing request:
Text
openssl req -new -key ssl-client-privatekey.pem -out ssl-client-req.pem -days 365
openssl req -new -key ssl-client-privatekey.pem -out ssl-client-req.pem -days 365
﻿
3
Sign the CSR with the CA certificate:
Text
openssl x509 -req -in ssl-client-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out ssl-client-cert.pem
openssl x509 -req -in ssl-client-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out ssl-client-cert.pem
﻿
4
Convert the signed client certificate to PKCS #12 format for insertion into the browser:
Text
openssl pkcs12 -inkey ssl-client-privatekey.pem -in ssl-client-cert.pem -CAfile ssl-ca-cert.pem -export -out ssl-client-pkcs12.p12
openssl pkcs12 -inkey ssl-client-privatekey.pem -in ssl-client-cert.pem -CAfile ssl-ca-cert.pem -export -out ssl-client-pkcs12.p12
﻿
8 | Confirm that Apache is using the TLS certificate and private key stored in  for HTTPS connections
If a client certificate was not created for mutual authentication in the previous section, skip to the next step below.
The following steps were completed using a Firefox web browser. There may be some differences in the actions taken when using a different browser, but the overall intent of the process will be the same.
1
In Firefox, go to Settings > Privacy & Security > Certificates and select [ View Certificates ]
2
Under the Your Certificates tab, select [ Import ] to import the client certificate converted to PKCS #12 (i.e., ssl-client-pkcs12.p12).
3
Under the Authorities tab, select [ Import ] to import the CA certificate (such as ssl-ca-cert.pem).
4
Go to the IP address from which Apache is running over HTTPS.
If a client certificate was configured in the browser for mutual authentication, you should see a lock icon next to the web address. If a client certificate was not configured, bypass the warning and connect to the website anyway.
5
View the certificate that the website served to the browser and confirm that it is the certificate that was configured in Apache.
﻿
﻿
﻿
﻿
﻿
﻿
Install and configure OpenSSL Engine
Futurex Transparent Data Protection (TDP)
Configure Apache HTTP Server

1 | Set FXPKCS11 environment variables

2 | Generate a keypair on the using pkcs11-tool

3 | Generate a Certificate Signing Request (CSR) using the Apache Server private key

4 | Create a self-signed root certificate authority (CA)

5 | Sign the Apache Server CSR

6 | Configure Apache to use the signed certificate and the private key stored in ﻿

7 | Create a client certificate for the browser that connects to Apache HTTP Server

8 | Confirm that Apache is using the TLS certificate and private key stored in for HTTPS connections

6 | Configure Apache to use the signed certificate and the private key stored in
