Configure Apache HTTP Server

10min
To configure the Apache HTTP Server, you need to perform the following tasks:
Set FXPKCS11 environment variables.
Create a key pair on the  with pkcs11-tool.
Generate a Certificate Signing Request (CSR) by using the Apache Server private key.
Create a self-signed root certificate authority (CA).
Sign the Apache Server CSR.
Configure Apache to use the signed certificate and the private key stored on the .
(Optional) Create a client certificate for the browser that connects to Apache HTTP Server.
Confirm that Apache uses the new TLS Certificate and private key (stored on the ) for HTTPS connections.
The following sections provide the steps to perform these tasks.
1 | Set FXPKCS11 environment variables
1
In a terminal, run the following sequence of commands to set the required FXPKCS11 environment variables:
Shell
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so;
export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
﻿
Be sure to modify the file path to match the location where the libfxpkcs11.so and fxpkcs11.cfg files are stored on your system.
2 | Create a Key Pair on the Vectera Plus with pkcs11-tool
1
In a terminal, run the following command to create a new key pair on the  with pkcs11-tool:
Shell
sudo pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type EC:prime256v1 --label "apache_ecc_privatekey" --id "123456"
sudo pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type EC:prime256v1 --label "apache_ecc_privatekey" --id "123456"
﻿
Currently, Apache has a bug that prevents RSA certificates from being served correctly to the browser. This bug might be fixed, but we recommend that you create and use an ECC certificate, as demonstrated in the code example.
2
Enter the password of the identity configured in fxpkcs11.cfg when prompted for your PIN. 
If the command succeeds, the output includes the keys, as shown in the following output sample:
Text
Key pair generated:
Private Key Object; EC
label: apache_ecc_privatekey
ID: 123456
Usage: sign
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 04410455ff9a32b8c9734cc2d37825a009916-
abf09f053e3b6b1a2c4ce2e0f87fa2a2a76b4bf82b3fce388c4804c3d031cc343006ef6ff80acf6bd72ae2044d1be5efd
EC_PARAMS: 06082a8648ce3d030107
label: apache_ecc_privatekey
ID: 123456
Usage: verify
Key pair generated:
Private Key Object; EC
label: apache_ecc_privatekey
ID: 123456
Usage: sign
Public Key Object; EC EC_POINT 256 bits
EC_POINT: 04410455ff9a32b8c9734cc2d37825a009916-
abf09f053e3b6b1a2c4ce2e0f87fa2a2a76b4bf82b3fce388c4804c3d031cc343006ef6ff80acf6bd72ae2044d1be5efd
EC_PARAMS: 06082a8648ce3d030107
label: apache_ecc_privatekey
ID: 123456
Usage: verify
﻿
One private ECC 256-bit key was created with asymmetric-sign usage, and one public ECC 256-bit key was created with verify usage.
3 | Generate a CSR by using the Apache Server private key
Before completing the steps in this section, create a directory to store the TLS certificates that will be created, and go to that directory. Then, perform the following process to create a CSR:
1
In a terminal, run the following command to generate a CSR using the private key that you created on the  for Apache Server:
Shell
sudo openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=apache_ecc_privatekey" -out apache-cert-req.pem
sudo openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=apache_ecc_privatekey" -out apache-cert-req.pem
﻿
The common name for the Apache server certificate should match the domain name of the virtual host that uses it.
4 | Create a self-signed root CA
We use a self-signed root CA in this section for demonstration purposes. In a production environment, you should use a secure certificate authority (such as the ) for all private key generation and certificate signing operations.
Perform the following process to create a CA:
1
In a terminal, run the following sequence of commands to generate a root private key and self-signed certificate. This certificate signs the Apache Server certificate in the next section.
Shell
sudo openssl genrsa -out ssl-ca-privatekey.pem 2048
sudo openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
sudo openssl genrsa -out ssl-ca-privatekey.pem 2048
sudo openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
﻿
5 | Sign the Apache Server CSR
1
In a terminal, run the following command to issue a signed Apache Server certificate by using the self-signed root CA created in the previous step:
Shell
sudo openssl x509 -req -in apache-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-apache-cert.pem
sudo openssl x509 -req -in apache-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-apache-cert.pem
﻿
6 | Configure Apache to use the signed certificate and the private key stored on the Vectera Plus
This section shows how to modify the configuration file for a virtual host that runs in Apache. Configuring a virtual host is outside of the scope of this guide. Refer to this documentation specific to your operating system if you have not already configured a virtual host.
1
In a text editor, open the configuration file for the virtual host for which you want to configure HTTPS. The location of the configuration file is specific to your system. Modify the file as shown in the following example:
Text
<IfModule mod_ssl.c>
       <VirtualHost _default_:443>

               ServerAdmin webmaster@localhost
               ServerName myserver.local
               DocumentRoot /var/www/myserver.local
               ErrorLog ${APACHE_LOG_DIR}/error.log
               CustomLog ${APACHE_LOG_DIR}/access.log combined
               SSLEngine on
               SSLCertificateFile /etc/apache2/ssl/signed-apache-cert.pem
               SSLCertificateKeyFile "pkcs11:object=apache_ecc_privatekey;type=private"

               <FilesMatch "\.(?:cgi|shtml|phtml|php)$">
                               SSLOptions +StdEnvVars
               </FilesMatch>
               <Directory /usr/lib/cgi-bin>
                               SSLOptions +StdEnvVars
               </Directory>
       </VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
       <VirtualHost _default_:443>

               ServerAdmin webmaster@localhost
               ServerName myserver.local
               DocumentRoot /var/www/myserver.local
               ErrorLog ${APACHE_LOG_DIR}/error.log
               CustomLog ${APACHE_LOG_DIR}/access.log combined
               SSLEngine on
               SSLCertificateFile /etc/apache2/ssl/signed-apache-cert.pem
               SSLCertificateKeyFile "pkcs11:object=apache_ecc_privatekey;type=private"

               <FilesMatch "\.(?:cgi|shtml|phtml|php)$">
                               SSLOptions +StdEnvVars
               </FilesMatch>
               <Directory /usr/lib/cgi-bin>
                               SSLOptions +StdEnvVars
               </Directory>
       </VirtualHost>
</IfModule>
﻿
You must modify the location of the signed Apache certificate specified in the SSLCertificateFiledefine according to where it is stored on your system.
You must modify the object name of the Apache private key specified in the SSLCertificateKeyFile define so it matches the label set in the pkcs11-tool command.
2
Restart Apache to save and apply the configuration.
7 | (Optional) Create a client certificate for the browser that connects to Apache HTTP Server
Complete this step only if you want to use mutual authentication.
1
In a terminal, generate a client keypair by using the following command:
Shell
sudo openssl genrsa -out ssl-client-privatekey.pem 2048
sudo openssl genrsa -out ssl-client-privatekey.pem 2048
﻿
2
Run the following command to create a client certificate signing request:
Shell
sudo openssl req -new -key ssl-client-privatekey.pem -out ssl-client-req.pem -days 365
sudo openssl req -new -key ssl-client-privatekey.pem -out ssl-client-req.pem -days 365
﻿
3
Run the following command to sign the CSR with the CA certificate created earlier in this section:
Shell
sudo openssl x509 -req -in ssl-client-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out ssl-client-cert.pem
sudo openssl x509 -req -in ssl-client-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out ssl-client-cert.pem
﻿
4
Run the following command to convert the signed client certificate to PKCS #12 format for insertion into the browser:
Shell
sudo openssl pkcs12 -inkey ssl-client-privatekey.pem -in ssl-client-cert.pem -CAfile ssl-ca-cert.pem -export -out ssl-client-pkcs12.p12
sudo openssl pkcs12 -inkey ssl-client-privatekey.pem -in ssl-client-cert.pem -CAfile ssl-ca-cert.pem -export -out ssl-client-pkcs12.p12
﻿
8 | Confirm that Apache uses the new TLS certificate and private key (stored on the Vectera Plus) for HTTPS connections
If you did not create a client certificate for mutual authentication in the previous section, start at step 4 of the following procedure.
The following steps assume you are using a Firefox web browser. Some actions might have different results when using other browsers, but the overall experience is the same.
1
In Firefox, go to Settings > Privacy & Security > Certificates and then select [ View Certificates ].
2
On the Your Certificates tab, select [ Import ] to import the client certificate that was converted to PKCS #12 (such as ssl-client-pkcs12.p12).
3
On the Authorities tab, select [ Import ] to import the CA certificate (such as ssl-ca-cert.pem).
4
Go to the IP address from which Apache is running over HTTPS.
If you configured a client certificate in the browser for mutual authentication, you should see a lock icon next to the web address. If you did not configure a client certificate, bypass the warning that displays and connect to the website anyway.
5
View the certificate that the website served to the browser and confirm that it is the certificate configured in Apache.
﻿
Updated 28 Aug 2024
Did this page help you?
Install and configure OpenSSL engine
NGINX