You can configure Apache httpd to use NetHSM via the OpenSSL engine which then uses NetHSM’s PKCS#11 module.

The certificate file has to be on the disk but the private key can be used from the NetHSM.

A full example is available below.

OpenSSL Configuration#

Set up the OpenSSL engine by following the OpenSSL Engine setup guide. (OpenSSL Providers aren’t supported yet by Apache httpd.)

Httpd Configuration#

Add the following lines to your httpd.conf :

Listen 443
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so

<VirtualHost *:443>
    DocumentRoot /usr/local/apache2/htdocs
    SSLEngine on
    SSLCertificateFile /certs/certificate.pem
    SSLCertificateKeyFile "pkcs11:object=webserver"
    ErrorLog /tmp/a-error.log
    CustomLog /tmp/a-access.log combined

The SSLCertificateFile must point to a certificate file on the disk.

The SSLCertificateKeyFile should be a PKCS#11 URI pointing to the private key in the NetHSM.


You must generate the certificate separately and then upload it to the NetHSM. If the certificate on disk and the key in the NetHSM don’t match httpd won’t start.

libnethsm_pkcs11 Configuration#

  - label: LocalHSM
    description: Local HSM (docker)
    url: ""
      username: "operator"
      password: "opPassphrase"

To secure the password you can provide it via an environment variable (see Setup) or provide it in the httpd configuration:

SSLCertificateKeyFile "pkcs11:object=webserver;type=private;pin=opPassphrase";


If you want to experiment with the given example use git to clone the nethsm-pkcs11 repository and run the following commands:


Running the generate script deletes the webserver key and replaces it.

  1. Configure a NetHSM, either a real one or a container. See the getting-started guide for more information. Besides an administrator, you are going to need an operator account.

  2. Download and install the latest version of the nethsm-pkcs11 driver available from here.

  3. Install the OpenSSL PKCS11 engine as described in the OpenSSL Manual. You do not need to create a configuration file.

  4. Adjust the variables HOST, ADMIN_ACCOUNT and ADMIN_ACCOUNT_PWD in container/apache/generate.sh such that HOST contains your NetHSMs URL and port, ADMIN_ACCOUNT contains an administrator accounts username and ADMIN_ACCOUNT_PWD the corresponding password. Further configure the absolute path of the OpenSSL PKCS11 engine in OPENSSL_PKCS11_ENGINE_PATH and the absolute path of the NetHSM PKCS11 library in NETHSM_PKCS11_LIBRARY_PATH.

  5. Create a NetHSM PKCS11 configuration file in one of the known locations, e.g., /etc/nitrokey/p11nethsm.conf. It must have configured an operator account and use the same NetHSM instance specified in the generate script before.

  6. Update the PKCS11 configuration in container/apache/p11nethsm.conf with your NetHSMs URL and valid operator credentials.

  7. Generate the certificate and key.

  1. Build the container.

docker build -f container/apache/Dockerfile . -t pkcs-httpd
  1. Run the container.

docker run -p 9443:443 -p 9080:80 pkcs-httpd

The Apache test page will be available at https://localhost:9443/. Note that your browser, hopefully, will warn you that the websites certificate is self-signed.