
Apache HTTP Server

Securosys HSM Integration Guide - PKCS #11

The following example shows how to set up Apache HTTP Server to work with the OpenSSLv3 pkcs11-provider.

Preparation and Prerequisites

  1. Make sure that the Primus HSM PKCS#11 Provider is installed on your system, following the instructions here.

Confirm that the Primus HSM PKCS#11 Provider installed successfully by running:

ppin -t

After a successful installation of the Primus HSM PKCS#11 Provider, you should see output similar to the following (the partition name is yours):

Load config file: '/etc/primus/primus.cfg'

hsm0: Connect to 'grimsel.securosys.ch' on port 2410, firmware: RX-3.1.0-T
slot0 (id=0), user=<your partition name>: OK

Number of tested HSMs: 1 (number of partitions: 1)
Number of failures: 0
  1. Make sure that the Securosys OpenSSL pkcs11-provider is installed on your system, as described in the Quickstart.
  2. Make sure that your OpenSSL version meets the Prerequisites.
  3. Install apache2 version 2.4.62 or later on your system.
  4. Configure OpenSSL using a configuration file like the following:
# Global (unnamed) section of the OpenSSL configuration that Apache's
# OpenSSL picks up. The provider wiring for the HSM lives in the named
# sections that follow.
HOME            = .

# Use this in order to automatically load providers.
# Names the section OpenSSL evaluates at library initialisation ([openssl_init]).
openssl_conf = openssl_init

# Comment out the next line to ignore configuration errors
# Leaving it enabled is the safer choice: a wrong provider path or quirk
# below is then reported instead of being silently ignored.
config_diagnostics = 1

# Section holding locally defined OIDs ([ new_oids ] below, empty here).
oid_section = new_oids

# Referenced by oid_section above; intentionally left empty in this example.
[ new_oids ]

[openssl_init]
# Section listing the providers to activate; see [provider_sect].
# NOTE(review): there is no `random = ...` entry here, so the [random_sect]
# defined below is never consulted by this configuration.
providers = provider_sect

[random_sect]
# NOTE(review): this section is not referenced anywhere in this file --
# [openssl_init] above only sets `providers` -- so as written it has no
# effect and OpenSSL presumably keeps its built-in DRBG as the default RNG.
# Confirm whether routing random generation to the HSM (PKCS11-RAND) was
# intended; if so, [openssl_init] would need `random = random_sect`.
random = PKCS11-RAND

[provider_sect]
# One entry per provider to activate, each naming its own section.
# default and base are OpenSSL's built-in providers; pkcs11 is the
# pkcs11-provider that fronts the Primus HSM.
# NOTE(review): the listed order is presumably the activation order --
# confirm before reordering these entries.
default = default_sect
base = base_sect
pkcs11 = pkcs11_section

[base_sect]
# Built-in base provider; activate = 1 turns it on.
activate = 1

[default_sect]
# Built-in default (software) provider, kept active alongside pkcs11.
activate = 1

[pkcs11_section]
# Path to the pkcs11-provider module. The path is tied to a specific
# OpenSSL install (3.3.2 here); NOTE(review): it presumably has to belong
# to the same OpenSSL build that Apache links against -- confirm, especially
# when the LD_LIBRARY_PATH/OPENSSL_DIR note at the end of the page applies.
module = /opt/openssl-3.3.2/lib/ossl-modules/pkcs11.so
# Securosys Primus PKCS#11 library that the provider drives.
pkcs11-module-path = /usr/local/primus/lib/libprimusP11.so
# Load the PKCS#11 module when the provider is activated rather than lazily.
pkcs11-module-load-behavior = early
# Vendor-specified workarounds for the Primus module; see the
# pkcs11-provider documentation for the exact effect of each quirk.
pkcs11-module-quirks = no-deinit no-operation-state
activate = 1

####################################################################
# Entry point for `openssl ca`: names the section holding the CA settings.
# Stock content from the default openssl.cnf; not part of the provider
# wiring above.
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
# Stock `openssl ca` settings carried over from the default openssl.cnf.
# They only matter if this same file is used to run a local demo CA.
[ CA_default ]

dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
# NOTE(review): file-based CA key, as in the stock config. If this CA is
# meant to sign with an HSM-held key, this would have to reference the
# PKCS#11 object instead of a PEM file -- confirm before using [ ca ].
private_key = $dir/private/cakey.pem # The private key

x509_extensions = usr_cert # The extensions to add to the cert

name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options

default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering

# DN policy applied to incoming requests; see [ policy_match ].
policy = policy_match

# For the CA policy
# Per DN attribute: 'match' = must equal the CA certificate's value,
# 'supplied' = must be present, 'optional' = may be absent.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
# Not selected by [ CA_default ] (which uses policy_match); only in effect
# when chosen explicitly on the `openssl ca` command line.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
# Settings for `openssl req` (CSR and self-signed certificate generation).
[ req ]
# Key size used when req generates a key itself.
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self-signed cert

# Restrict DN string types to UTF8String.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request
# NOTE(review): left commented out, so [ v3_req ] below is unused unless
# the line above is restored.

# Prompts, defaults and length limits for the DN fields `openssl req` asks for.
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName = Locality Name (eg, city)

# The "0." prefix lets the same attribute appear more than once in the DN.
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 64

# SET-ex3 = SET extension number 3

# Optional attributes `openssl req` prompts for and embeds in the CSR.
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20

unstructuredName = An optional company name

# Extensions added to certificates issued via [ CA_default ] (x509_extensions).
[ usr_cert ]

# End-entity certificate: it may not act as a CA.
basicConstraints=CA:FALSE

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# Extensions for certificate requests. Only used if `req_extensions = v3_req`
# is uncommented in [ req ] above; currently inactive.
[ v3_req ]

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# Extensions for self-signed certificates made with `openssl req -x509`
# (referenced by x509_extensions in [ req ]).
[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# Marks the certificate as a CA; critical so relying parties must honour it.
basicConstraints = critical,CA:true

Note:

If OpenSSL was not installed natively (for example, a custom build in a non-default prefix), you may need to set the following environment variables:

LD_LIBRARY_PATH=path to the OpenSSL libraries
OPENSSL_DIR=path to the installation directory for OpenSSL