Data protection
Apache HTTP Server

Configure Apache HTTP Server

To configure the Apache HTTP Server, you need to perform the following tasks:

1. Set FXPKCS11 environment variables.
2. Create a key pair on the {{k3}} with pkcs11-tool.
3. Generate a CSR by using the Apache server private key.
4. Create a self-signed root certificate authority (CA).
5. Sign the Apache server CSR.
6. Configure Apache to use the signed certificate and the private key stored on the {{k3}}.
7. (Optional) Create a client certificate for the browser that connects to Apache HTTP Server.
8. Confirm that Apache uses the new TLS certificate and private key (stored on the {{k}}) for HTTPS connections.

The following sections provide the steps to perform these tasks.

Set FXPKCS11 environment variables

In a terminal, run the following sequence of commands to set the required FXPKCS11 environment variables:

    export FXPKCS11_MODULE=/path/to/libfxpkcs11.so; export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;

Create a key pair

Perform the following steps to create a key pair on the {{k3}} with pkcs11-tool.

1. In a terminal, run the following command to create a new key pair on the {{k3}} with pkcs11-tool:

    sudo pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type EC:prime256v1 --label "apache-ecc-privatekey" --id "123456"

   Currently, Apache has a bug that prevents RSA certificates from being served correctly to the browser. This bug might be fixed, but we recommend that you create and use an ECC certificate as demonstrated in the code example.

2. Enter the password of the identity configured in fxpkcs11.cfg when prompted for the user PIN.

If the command succeeds, the output includes the keys, as shown in the following sample output:

    Key pair generated:
    Private Key Object; EC
      label:      apache-ecc-privatekey
      ID:         123456
      Usage:      sign
    Public Key Object; EC  EC_POINT 256 bits
      EC_POINT:   04410455ff9a32b8c9734cc2d37825a009916abf09f053e3b6b1a2c4ce2e0f87fa2a2a76b4bf82b3fce388c4804c3d031cc343006ef6ff80acf6bd72ae2044d1be5efd
      EC_PARAMS:  06082a8648ce3d030107
      label:      apache-ecc-privatekey
      ID:         123456
      Usage:      verify

One private ECC 256-bit key was created with asymmetric sign usage, and one public ECC 256-bit key was created with verify usage. In the {{k}} application interface, a new asymmetric key group displays (using the value specified with the <ASYM-KEYGROUP-NAME> tag in fxpkcs11.cfg), and the key group includes a key pair with the name specified in the preceding pkcs11-tool command.

Generate a CSR

Before completing the steps in this section, create a directory to store the new TLS certificates and go to that directory. Then, perform the following process to create a CSR by using the Apache server private key.

In a terminal, run the following command to generate a CSR using the private key that you created on the {{k3}} for Apache server:

    sudo openssl req -new -engine pkcs11 -keyform engine -key "pkcs11:object=apache-ecc-privatekey" -out apache-cert-req.pem

The Common Name for the Apache server certificate should match the domain name of the virtual host that uses it.

Create a self-signed root CA

This section uses a self-signed root certificate authority (CA) for demonstration purposes. In a production environment, you should use a secure certificate authority (such as the {{k3}}) for all private key generation and certificate signing operations.

Perform the following process to create a CA. In a terminal, run the following sequence of commands to generate a root private key and self-signed certificate. This certificate signs the Apache server certificate in the next section.

    sudo openssl genrsa -out ssl-ca-privatekey.pem 2048
    sudo openssl req -new -x509 -key ssl-ca-privatekey.pem -out ssl-ca-cert.pem -days 365

Sign the CSR

Perform the following steps to sign the Apache server CSR. In a terminal, run the following command to issue a signed Apache server certificate by using the self-signed root CA created in the previous step:

    sudo openssl x509 -req -in apache-cert-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out signed-apache-cert.pem

Configure Apache

This section shows how to modify the configuration file for a virtual host that runs in Apache. Configuring a virtual host is outside of the scope of this guide; refer to the documentation specific to your operating system if you have not already configured a virtual host.

Perform the following steps to configure Apache to use the signed certificate and the private key stored on the {{k3}}.

1. In a text editor, open the configuration file for the virtual host for which you want to configure HTTPS. The location of the configuration file is specific to your system.

2. Modify the file as shown in the following example:

    <IfModule mod_ssl.c>
        <VirtualHost _default_:443>
            ServerAdmin webmaster@localhost
            ServerName myserver.local
            DocumentRoot /var/www/myserver.local
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
            SSLEngine on
            SSLCertificateFile /etc/apache2/ssl/signed-apache-cert.pem
            SSLCertificateKeyFile "pkcs11:object=apache-ecc-privatekey;type=private"
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
            </FilesMatch>
            <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
            </Directory>
        </VirtualHost>
    </IfModule>

   You must modify the location of the signed Apache certificate specified in the SSLCertificateFile directive according to where it is stored on your system. You must modify the object name of the Apache private key specified in the SSLCertificateKeyFile directive so it matches the label set in the pkcs11-tool command.

3. Restart Apache to save and apply the configuration.

(Optional) Create a client certificate

Complete this step only if you want to use mutual authentication. Perform the following steps to create a client certificate for the browser that connects to Apache HTTP Server.

1. In a terminal, generate a client key pair by using the following command:

    sudo openssl genrsa -out ssl-client-privatekey.pem 2048

2. Run the following command to create a client certificate signing request:

    sudo openssl req -new -key ssl-client-privatekey.pem -out ssl-client-req.pem -days 365

3. Run the following command to sign the CSR with the CA certificate created earlier in this section:

    sudo openssl x509 -req -in ssl-client-req.pem -CA ssl-ca-cert.pem -CAkey ssl-ca-privatekey.pem -CAcreateserial -days 365 -out ssl-client-cert.pem

4. Run the following command to convert the signed client certificate to PKCS #12 format for insertion into the browser:

    sudo openssl pkcs12 -inkey ssl-client-privatekey.pem -in ssl-client-cert.pem -CAfile ssl-ca-cert.pem -export -out ssl-client-pkcs12.p12

Confirm Apache configuration

If you did not create a client certificate for mutual authentication in the previous section, start at step 4 of the following procedure.

The following steps assume you are using the Firefox web browser. Some actions might have different results when using other browsers, but the overall experience is the same.

Perform the following steps to confirm that Apache uses the new TLS certificate and private key (stored on the {{k}}) for HTTPS connections.

1. In Firefox, select Settings > Privacy & Security > Certificates, and then select [ View Certificates ].
2. On the Your Certificates tab, select [ Import ] to import the client certificate that was converted to PKCS #12 (such as ssl-client-pkcs12.p12).
3. On the Authorities tab, select [ Import ] to import the CA certificate (such as ssl-ca-cert.pem).
4. Browse to the IP address from which Apache is running over HTTPS.
5. If you configured a client certificate in the browser for mutual authentication, you should see a lock icon next to the web address. If you did not configure a client certificate, bypass the warning that displays and connect to the website anyway.
6. View the certificate that the website served to the browser and confirm that it is the certificate configured in Apache.
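The pkcs11-tool output above is the only place this procedure shows the public half of the HSM-resident key, so it is worth checking before the CSR is issued. The following stdlib-only script is an added example, not part of this guide or of the fxpkcs11 product: it parses the EC_POINT and EC_PARAMS attribute lines as pkcs11-tool prints them, confirms EC_PARAMS is the prime256v1 OID, and verifies the uncompressed point actually lies on P-256. The embedded sample output is constructed (it uses the P-256 base point, not the key generated above); the function and constant names are the example's own.

```python
import re

# NIST P-256 domain parameters (public constants).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
PRIME256V1_OID = "1.2.840.10045.3.1.7"


def decode_oid(der_hex: str) -> str:
    """Decode a DER OBJECT IDENTIFIER (tag 0x06) into dotted form."""
    raw = bytes.fromhex(der_hex)
    if raw[0] != 0x06 or raw[1] != len(raw) - 2:
        raise ValueError("not a well-formed DER OID")
    body = raw[2:]
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_ec_point(der_hex: str) -> tuple[int, int]:
    """Unwrap the DER OCTET STRING (tag 0x04) holding an uncompressed point."""
    raw = bytes.fromhex(der_hex)
    if raw[0] != 0x04 or raw[1] != len(raw) - 2 or raw[2] != 0x04:
        raise ValueError("not an uncompressed EC point in an OCTET STRING")
    coords = raw[3:]
    if len(coords) != 64:
        raise ValueError("expected two 32-byte coordinates for P-256")
    return int.from_bytes(coords[:32], "big"), int.from_bytes(coords[32:], "big")


def on_p256_curve(x: int, y: int) -> bool:
    """True if (x, y) satisfies y^2 = x^3 - 3x + b over GF(p)."""
    return 0 <= x < P and 0 <= y < P and (y * y - (x ** 3 + A * x + B)) % P == 0


def check_pkcs11_output(text: str) -> dict:
    """Pull EC_POINT and EC_PARAMS out of pkcs11-tool output and validate them."""
    attrs = dict(re.findall(r"^\s*(EC_POINT|EC_PARAMS):\s*([0-9a-fA-F]+)", text, re.M))
    oid = decode_oid(attrs["EC_PARAMS"])
    x, y = decode_ec_point(attrs["EC_POINT"])
    return {"curve_oid": oid, "is_prime256v1": oid == PRIME256V1_OID,
            "point_on_curve": on_p256_curve(x, y)}


# Constructed sample in pkcs11-tool's layout; the point is the P-256 base point G.
_G_HEX = ("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
          "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
SAMPLE_OUTPUT = f"""Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104{_G_HEX}
  EC_PARAMS:  06082a8648ce3d030107
  label:      apache-ecc-privatekey
"""

if __name__ == "__main__":
    print(check_pkcs11_output(SAMPLE_OUTPUT))
```

The same 64-byte X||Y value should reappear in the issued certificate; compare it with the "pub:" bytes from `openssl x509 -in signed-apache-cert.pem -noout -pubkey | openssl ec -pubin -text -noout` to confirm the certificate was bound to the key on the {{k3}}.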