
Configure Apache HTTP Server

To configure the Apache HTTP Server, you need to perform the following tasks:

- Set FXPKCS11 environment variables
- Create a key pair on the Vectera Plus with pkcs11-tool
- Generate a certificate signing request (CSR) by using the Apache server private key
- Create a self-signed root certificate authority (CA)
- Sign the Apache server CSR
- Configure Apache to use the signed certificate and the private key stored on the Vectera Plus
- (Optional) Create a client certificate for the browser that connects to Apache HTTP Server
- Confirm that Apache uses the new TLS certificate and private key (stored on the Vectera Plus) for HTTPS connections

The following sections provide the steps to perform these tasks.

1 | Set FXPKCS11 environment variables

In a terminal, run the following sequence of commands to set the required FXPKCS11 environment variables:

```
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so; export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
```

Be sure to modify the file paths to match the locations where the libfxpkcs11.so and fxpkcs11.cfg files are stored on your system.

2 | Create a key pair on the Vectera Plus with pkcs11-tool

In a terminal, run the following command to create a new key pair on the Vectera Plus with pkcs11-tool:

```
sudo pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type EC:prime256v1 --label "apache-ecc-privatekey" --id "123456"
```

Currently, Apache has a bug that prevents RSA certificates from being served correctly to the browser. This bug might be fixed, but we recommend that you create and use an ECC certificate, as demonstrated in the code example.

Enter the password of the identity configured in fxpkcs11.cfg when prompted for your PIN.

If the command succeeds, the output includes the keys, as shown in the following output sample:

```
Key pair generated:
Private Key Object; EC
  label:      apache-ecc-privatekey
  ID:         123456
  Usage:      sign
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   04410455ff9a32b8c9734cc2d37825a009916abf09f053e3b6b1a2c4ce2e0f87fa2a2a76b4bf82b3fce388c4804c3d031cc343006ef6ff80acf6bd72ae2044d1be5efd
  EC_PARAMS:  06082a8648ce3d030107
  label:      apache-ecc-privatekey
  ID:         123456
  Usage:      verify
```

One private ECC 256-bit key was created with asymmetric sign usage, and one public ECC 256-bit key was created with verify usage.

3 | Generate a CSR by using the Apache server private key

Before completing the steps in this section, create a directory to store the TLS certificates that will be created, and go to that directory. Then, perform the following process to create a CSR.

In a terminal, run the following command to generate a CSR using the private key that you created on the Vectera Plus for the Apache server:

```
sudo openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=apache-ecc-privatekey" -out apache-cert-req.pem
```

The Common Name for the Apache server certificate should match the domain name of the virtual host that uses it.

4 | Create a self-signed root CA

We use a self-signed root CA in this section for demonstration purposes. In a production environment, you should use a secure certificate authority (such as the {{k3}}) for all private key generation and certificate signing operations.

Perform the following process to create a CA. In a terminal, run the following sequence of commands to generate a root private key and self-signed certificate. This certificate signs the Apache server certificate in the next section.

```
sudo openssl genrsa -out ssl-ca-privatekey.pem 2048
sudo openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365
```

5 | Sign the Apache server CSR

In a terminal, run the following command to issue a signed Apache server certificate by using the self-signed root CA created in the previous step:

```
sudo openssl x509 -req -in apache-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-apache-cert.pem
```

6 | Configure Apache to use the signed certificate and the private key stored on the Vectera Plus

This section shows how to modify the configuration file for a virtual host that runs in Apache. Configuring a virtual host is outside the scope of this guide; refer to the documentation specific to your operating system if you have not already configured a virtual host.

In a text editor, open the configuration file for the virtual host for which you want to configure HTTPS. The location of the configuration file is specific to your system. Modify the file as shown in the following example:

```
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName myserver.local
        DocumentRoot /var/www/myserver.local

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/signed-apache-cert.pem
        SSLCertificateKeyFile "pkcs11:object=apache-ecc-privatekey;type=private"

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>
```

You must modify the location of the signed Apache certificate specified in the SSLCertificateFile directive according to where it is stored on your system. You must modify the object name of the Apache private key specified in the SSLCertificateKeyFile directive so that it matches the label set in the pkcs11-tool command.

Restart Apache to save and apply the configuration.

7 | (Optional) Create a client certificate for the browser that connects to Apache HTTP Server

Complete this step only if you want to use mutual authentication.

In a terminal, generate a client key pair by using the following command:

```
sudo openssl genrsa -out ssl-client-privatekey.pem 2048
```

Run the following command to create a client certificate signing request:

```
sudo openssl req -new -key ssl-client-privatekey.pem -out ssl-client-req.pem -days 365
```

Run the following command to sign the CSR with the CA certificate created earlier in this section:

```
sudo openssl x509 -req -in ssl-client-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out ssl-client-cert.pem
```

Run the following command to convert the signed client certificate to PKCS #12 format for insertion into the browser:

```
sudo openssl pkcs12 -inkey ssl-client-privatekey.pem -in ssl-client-cert.pem -CAfile ssl-ca-cert.pem -export -out ssl-client-pkcs12.p12
```

8 | Confirm that Apache uses the new TLS certificate and private key (stored on the Vectera Plus) for HTTPS connections

If you did not create a client certificate for mutual authentication in the previous section, start at step 4 of the following procedure.

The following steps assume you are using the Firefox web browser. Some actions might have different results when using other browsers, but the overall experience is the same.

1. In Firefox, go to Settings > Privacy & Security > Certificates and then select [ View Certificates ].
2. On the Your Certificates tab, select [ Import ] to import the client certificate that was converted to PKCS #12 (such as ssl-client-pkcs12.p12).
3. On the Authorities tab, select [ Import ] to import the CA certificate (such as ssl-ca-cert.pem).
4. Go to the IP address from which Apache is running over HTTPS. If you configured a client certificate in the browser for mutual authentication, you should see a lock icon next to the web address. If you did not configure a client certificate, bypass the warning that displays and connect to the website anyway.
5. View the certificate that the website served to the browser and confirm that it is the certificate configured in Apache.
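As an added check that is not part of the original guide, the following script performs from the command line what step 8 confirms in the browser: it fetches the certificate Apache serves, compares its SHA-256 fingerprint with the signed certificate from step 5, and then validates the served chain against the CA certificate from step 4. The host name, port and the two file names are arguments you supply; the file names are assumed to be the ones used above.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify from a terminal that the
# certificate Apache serves over HTTPS is signed-apache-cert.pem (step 5) and
# that it validates against ssl-ca-cert.pem (step 4). Paths are assumptions.
set -eu

# Normalise an OpenSSL fingerprint line ("sha256 Fingerprint=AB:CD:...") or a
# bare hex string, any case, to lowercase hex without colons.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# Return 0 when two fingerprints denote the same certificate, 1 otherwise.
fingerprints_match() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# SHA-256 fingerprint of a PEM certificate file on disk.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Leaf certificate presented by HOST:PORT (SNI set to HOST), as PEM on stdout.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# Compare the served leaf with EXPECTED_PEM, then verify the chain against CA_PEM.
check_served_cert() {
    host=$1; port=$2; expected=$3; ca=$4
    served=$(served_cert "$host" "$port" | openssl x509 -noout -fingerprint -sha256)
    if ! fingerprints_match "$served" "$(file_fingerprint "$expected")"; then
        echo "MISMATCH: $host:$port does not serve $expected" >&2
        return 1
    fi
    # -verify_return_error makes s_client exit non-zero when the served chain
    # does not validate against the CA certificate created in step 4.
    if ! openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$ca" \
            -verify_return_error </dev/null >/dev/null 2>&1; then
        echo "CHAIN: served certificate does not validate against $ca" >&2
        return 1
    fi
    echo "OK: $host:$port serves $expected, chained to $ca"
}

# Usage: sh check-apache-tls.sh myserver.local 443 signed-apache-cert.pem ssl-ca-cert.pem
if [ "$#" -eq 4 ]; then
    check_served_cert "$1" "$2" "$3" "$4"
fi
```

If the virtual host requires a client certificate (mutual authentication), pass the client key and certificate from step 7 to both s_client calls with -key and -cert, since the check otherwise fails at the handshake rather than at certificate comparison.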