
I have a problem with mod_ssl, specifically with the SSLCryptoDevice directive. When I run the command "openssl engine", it returns all available engines including pkcs11 (libengine-pkcs11-openssl), but when I set SSLCryptoDevice pkcs11 in the mod_ssl configuration and try to start Apache, it returns the error "SSLCryptoDevice: Invalid argument; must be one of:" and the pkcs11 engine isn't listed there. In openssl it works well.

Some system info: Debian 8 x64, OpenSSL 1.0.1k, Apache 2.4.10

Apache start error: http://pastebin.com/b4GLaSHL

OpenSSL engines: http://pastebin.com/kXNYG2Yw

t4nk566
  • 23
  • 4
  • This does now work straightforwardly with sufficiently recent versions, see: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-applications-to-use-cryptographic-hardware-through-pkcs-11_security-hardening#using-hsms-protecting-private-keys-in-apache-and-nginx_configuring-applications-to-use-cryptographic-hardware-through-pkcs-11 – Oli Wade Jul 31 '19 at 12:29

2 Answers

0

PKCS#11 is supported in mod_ssl from v2.4.42 onwards.

As an alternative to storing certificates and private keys in files, a certificate identifier can be used to identify a certificate stored in a token. Currently, only PKCS#11 URIs are recognized as certificate identifiers, and can be used in conjunction with the OpenSSL pkcs11 engine. If SSLCertificateKeyFile is omitted, the certificate and private key can be loaded through the single identifier specified with SSLCertificateFile.

An example from http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile

# Example use of a certificate and private key from a PKCS#11 token:
SSLCertificateFile "pkcs11:token=My%20Token%20Name;id=45"
Graham Leggett
  • 217
  • 3
  • 11
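The directive above takes a PKCS#11 URI (RFC 7512), so it is worth being able to build and check one before putting it into httpd.conf. The following is an added example, not code from the answer or from Apache: it parses a pkcs11: URI into its path and query attributes with percent-decoding, builds one from components, and flags a pin-value attribute, which would leave the token PIN in the Apache configuration file.

```python
from urllib.parse import quote, unquote, unquote_to_bytes


def _split_attrs(part: str, sep: str) -> dict:
    """Split 'k=v<sep>k=v' into a dict; RFC 7512 forbids repeated attributes."""
    out = {}
    for item in filter(None, part.split(sep)):
        if "=" not in item:
            raise ValueError(f"malformed attribute: {item!r}")
        key, value = item.split("=", 1)
        if key in out:
            raise ValueError(f"duplicate attribute: {key!r}")
        # 'id' is arbitrary binary in RFC 7512, so keep it as bytes.
        out[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
    return out


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse 'pkcs11:<path-attrs>[?<query-attrs>]' as used by SSLCertificateFile."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    return {"path": _split_attrs(path_part, ";"),
            "query": _split_attrs(query_part, "&")}


def build_pkcs11_uri(**path_attrs: str) -> str:
    """Build a pkcs11: URI, percent-encoding every character outside the unreserved set."""
    return "pkcs11:" + ";".join(f"{k}={quote(v, safe='')}" for k, v in path_attrs.items())


def has_embedded_pin(uri: str) -> bool:
    """True if the URI carries the PIN itself (pin-value) rather than a pin-source reference."""
    return "pin-value" in parse_pkcs11_uri(uri)["query"]


def ssl_certificate_directive(uri: str) -> str:
    """Render the mod_ssl directive line shown in the answer above."""
    return f'SSLCertificateFile "{uri}"'


if __name__ == "__main__":
    # Constructed input: the URI from the mod_ssl documentation quoted above.
    example = "pkcs11:token=My%20Token%20Name;id=45"
    print(parse_pkcs11_uri(example))
    print(ssl_certificate_directive(build_pkcs11_uri(token="My Token Name", id="45")))
```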
0

PKCS#11 support isn't native in mod_ssl. See:

https://bz.apache.org/bugzilla/show_bug.cgi?id=42687

https://bz.apache.org/bugzilla/show_bug.cgi?id=42688

https://bz.apache.org/bugzilla/show_bug.cgi?id=52473

You can try to apply these patches, but they are not suitable for production use.

Another alternative is to use mod_nss.
mod_nss uses NSS as the crypto library instead of OpenSSL and supports PKCS#11.

Federico Sierra
  • 3,589
  • 1
  • 20
  • 26