https://issues.apache.org/bugzilla/show_bug.cgi?id=52473
Bug #: 52473
Summary: Patch to integrate apache server with OpenSSL generic
PKCS#11 engine.
Product: Apache httpd-2
Version: 2.2.2
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
This patch integrates Apache with the OpenSSL generic PKCS#11 engine.
After compiling Apache with this patch you can connect to the Apache server with
SSL using an HSM that holds the private RSA key and certificate instead of holding
them in PEM files.
In order to work with this patch you need to configure the following:
1. Edit OpenSSL.cnf (default place is /etc/ssl/openssl.cnf):
   dynamic_path – the path to the generic engine_pkcs11.so
   MODULE_PATH – the path to the HSM PKCS#11 so
2. Edit the Apache ssl.cnf that is usually placed in
   $apache/mods-enabled/ssl.cnf
   where $apache is the directory where Apache is installed:
   SSLCryptoDevice pkcs11
   SSLCertificateFile slot_1-id_31323334
SSLCertificateFile has the following format: slot_num-id_name,
where num is the number of the slot and name is the ID in hex of the private,
public and certificate objects to be used. In the above example
slot_1-id_31323334 means that SSL needs to work with slot number one and
with the certificate and private key with ID 1234 (0x31323334).
The changes we made in mod_ssl were taken from a patch that we found in the
Apache bugzilla:
https://issues.apache.org/bugzilla/show_bug.cgi?id=42687
We found out that this patch works well with our HSM (ARX PrivateServer -
http://arx.com/products/private-server-hsm). We would like to insert it into
the open source code.
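A pre-deployment check for the slot_num-id_name value described above, as an added example that is not part of the original report or the patch. The function names and sample config are hypothetical; it assumes the slot number is decimal and the hex ID encodes whole bytes.

```python
import re

# Format from the report: slot_<num>-id_<hex id>.
# Assumptions: <num> is decimal; the hex id encodes whole bytes.
_REF = re.compile(r"slot_(\d+)-id_([0-9A-Fa-f]+)")

def parse_pkcs11_ref(value):
    """Return (slot, key_id_bytes) or raise ValueError."""
    m = _REF.fullmatch(value.strip())
    if m is None:
        raise ValueError(f"not in slot_<num>-id_<hex> form: {value!r}")
    slot, hex_id = int(m.group(1)), m.group(2)
    if len(hex_id) % 2:
        raise ValueError(f"odd number of hex digits in id: {hex_id!r}")
    return slot, bytes.fromhex(hex_id)

def lint_ssl_conf(text):
    """Return [(line_no, message)] for bad SSLCertificateFile values.
    Findings are reported only if 'SSLCryptoDevice pkcs11' is present."""
    uses_engine, refs, findings = False, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()  # directive names are case-insensitive
        if directive == "sslcryptodevice" and parts[1].lower() == "pkcs11":
            uses_engine = True
        elif directive == "sslcertificatefile":
            refs.append((n, parts[1]))
    if not uses_engine:
        return findings
    for n, arg in refs:
        try:
            parse_pkcs11_ref(arg)
        except ValueError as exc:
            findings.append((n, str(exc)))
    return findings

# Constructed sample: one valid reference, one mistyped id, one PEM path.
SAMPLE_CONF = """\
SSLCryptoDevice pkcs11
SSLCertificateFile slot_1-id_31323334
SSLCertificateFile slot_1-id_313323334
SSLCertificateFile /etc/ssl/certs/server.pem
"""

if __name__ == "__main__":
    print(parse_pkcs11_ref("slot_1-id_31323334"))
    for line_no, msg in lint_ssl_conf(SAMPLE_CONF):
        print(f"line {line_no}: {msg}")
```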