Hello, I'd like to start a discussion about Hardware Security Module (HSM) support for mod_ssl. You may know that OpenSSL supports different HW engines. There is also support for PKCS#11 devices, a standard for communication with crypto devices - e.g. HSMs or Smartcards. Some HSM vendors support mod_ssl and their HSM with a modified OpenSSL/mod_ssl version. But support is limited to 1.3.X versions of Apache as far as we know. There seems to be no standard interface for mod_ssl with HSM support for private key protection and operations. We decided to extend mod_ssl for usage with an HSM. We have a first prototype ("prealpha") with limited functionality now.
The limitations:

- Supports only one virtual host
- Supports no keys from files at the moment
- Loads HSM PIN from the OpenSSL.cnf file (no handler implemented at the moment)
- Certificate comes from file (not really a limitation...)

What it does:

- Private key is no longer in a file, it's in the secure HSM store
- Private key operations are processed on the HSM

The HSM configuration happens in the OpenSSL.cnf file. In httpd_ssl.conf we introduced two additional parameters.

Path to the OpenSSL config (module global):

    SSLEngineConfig C:/Apache22/conf/openssl.cnf

Reference describing the private key (per virtual host):

    SSLCertificateKeyReference pkcs11#slot_0-id_65A0A10FFCE5B514CC228640C85373BB92C2DCD4

The reference descriptor has the following format:

    <engineName>#<keyIdentifier>

<engineName> refers to the engine defined in openssl.cnf. The <keyIdentifier> part depends on the engine referred to before. These two chunks are separated with '#'. In the sample above we address a PKCS#11 device and use the private key with id 65A0A10FFCE5B514CC228640C85373BB92C2DCD4 on slot 0. A sample file of the OpenSSL config is attached at the end of this post.

Is it of interest to add HSM support to mod_ssl for private key protection in further versions of mod_ssl? Is there already an intention to implement this? If it is of interest and there are no plans to implement support, it would be great to have a discussion here about how to do that.

Kind regards
Dan

OpenSSL config file:

    # PKCS11 engine config##################################################
    openssl_conf = openssl_def

    [openssl_def]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = "C:\\Apache22\\bin\\engine_pkcs11.dll"
    MODULE_PATH = "C:\\Programme\\Eracom\\ProtectToolkit C SDK\\bin\\hsm\\cryptoki.dll"
    PIN = "11223344"
    init = 0
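As an added example (not code from Dan's prototype or from mod_ssl), a C parser for the SSLCertificateKeyReference descriptor described in the post, so that a malformed reference is rejected at configuration time rather than surfacing as an engine error at the first handshake. It assumes the pkcs11 identifier layout slot_<n>-id_<hex> seen in the post's sample; identifiers for other engines are kept opaque.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed SSLCertificateKeyReference: "<engineName>#<keyIdentifier>".
 * For the pkcs11 engine the identifier is assumed (from the post's
 * sample) to be "slot_<n>-id_<hex>". */
struct key_ref {
    char engine[32];
    unsigned long slot;   /* only meaningful for engine "pkcs11" */
    char key_id[128];     /* hex id for pkcs11, opaque otherwise */
};

/* Returns 1 if ref is well-formed and fills *out, 0 otherwise.
 * Checking the syntax here means a typo in httpd_ssl.conf fails
 * at config load instead of producing an odd engine error later. */
int parse_key_reference(const char *ref, struct key_ref *out)
{
    const char *hash = strchr(ref, '#');
    if (hash == NULL || hash == ref) return 0;      /* no '#' or empty engine */
    size_t elen = (size_t)(hash - ref);
    if (elen >= sizeof out->engine) return 0;
    memcpy(out->engine, ref, elen);
    out->engine[elen] = '\0';

    const char *id = hash + 1;
    if (strlen(id) == 0 || strlen(id) >= sizeof out->key_id) return 0;
    out->slot = 0;
    if (strcmp(out->engine, "pkcs11") != 0) {
        strcpy(out->key_id, id);                    /* opaque identifier */
        return 1;
    }
    /* pkcs11: slot_<decimal>-id_<hex>; the hex id must be whole bytes */
    if (strncmp(id, "slot_", 5) != 0 || !isdigit((unsigned char)id[5]))
        return 0;
    char *end;
    out->slot = strtoul(id + 5, &end, 10);
    if (strncmp(end, "-id_", 4) != 0) return 0;
    const char *hex = end + 4;
    size_t hlen = strlen(hex);
    if (hlen == 0 || hlen % 2 != 0) return 0;
    for (size_t i = 0; i < hlen; i++)
        if (!isxdigit((unsigned char)hex[i])) return 0;
    strcpy(out->key_id, hex);
    return 1;
}
```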