You can configure Apache httpd to use NetHSM via the OpenSSL engine which then uses NetHSM’s PKCS#11 module.
The certificate file has to be on the disk but the private key can be used from the NetHSM.
A full example is available below.
Set up the OpenSSL engine by following the OpenSSL Engine setup guide. (OpenSSL Providers aren’t supported yet by Apache httpd.)
Add the following lines to your
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
CustomLog /tmp/a-access.log combined
SSLCertificateFile must point to a certificate file on the disk.
SSLCertificateKeyFile should be a PKCS#11 URI pointing to the private key in the NetHSM.
You must generate the certificate separately and then upload it to the NetHSM. If the certificate on disk and the key in the NetHSM don’t match httpd won’t start.
- label: LocalHSM
description: Local HSM (docker)
To secure the password you can provide it via an environment variable (see Setup) or provide it in the httpd configuration:
Running the generate script deletes the
webserver key and replaces it.
Configure a NetHSM, either a real one or a container. See the getting-started guide for more information. Besides an administrator, you are going to need an operator account.
Download and install the latest version of the nethsm-pkcs11 driver available from here.
Install the OpenSSL PKCS11 engine as described in the OpenSSL Manual. You do not need to create a configuration file.
Adjust the variables
HOSTcontains your NetHSMs URL and port,
ADMIN_ACCOUNTcontains an administrator accounts username and
ADMIN_ACCOUNT_PWDthe corresponding password. Further configure the absolute path of the OpenSSL PKCS11 engine in
OPENSSL_PKCS11_ENGINE_PATHand the absolute path of the NetHSM PKCS11 library in
Create a NetHSM PKCS11 configuration file in one of the known locations, e.g.,
/etc/nitrokey/p11nethsm.conf. It must have configured an operator account and use the same NetHSM instance specified in the generate script before.
Update the PKCS11 configuration in
container/apache/p11nethsm.confwith your NetHSMs URL and valid operator credentials.
Generate the certificate and key.
Build the container.
docker build -f container/apache/Dockerfile . -t pkcs-httpd
Run the container.
docker run -p 9443:443 -p 9080:80 pkcs-httpd
The Apache test page will be available at https://localhost:9443/. Note that your browser, hopefully, will warn you that the websites certificate is self-signed.