[rs-commit] r504 - in /rs-manual/trunk/src: main/modules.xml site/resources/images/mod_ca_provider-1.png site/resources/images/mod_ca_provider-2.png site/xhtml5/mod/mod_ca_provider.xhtml5

rs-commit at redwax.eu
Thu Aug 21 16:12:39 CEST 2025


Author: minfrin at redwax.eu
Date: Thu Aug 21 16:12:38 2025
New Revision: 504

Log:
Add docs for mod_ca_provider.

Added:
    rs-manual/trunk/src/site/resources/images/mod_ca_provider-1.png   (with props)
    rs-manual/trunk/src/site/resources/images/mod_ca_provider-2.png   (with props)
    rs-manual/trunk/src/site/xhtml5/mod/mod_ca_provider.xhtml5
Modified:
    rs-manual/trunk/src/main/modules.xml

Modified: rs-manual/trunk/src/main/modules.xml
==============================================================================
--- rs-manual/trunk/src/main/modules.xml	(original)
+++ rs-manual/trunk/src/main/modules.xml	Thu Aug 21 16:12:38 2025
@@ -13,5 +13,6 @@
   <module type="backend">mod_ca_disk</module>
   <module type="backend">mod_ca_engine</module>
   <module type="backend">mod_ca_ldap</module>
+  <module type="backend">mod_ca_provider</module>
   <module type="backend">mod_ca_simple</module>
 </modules>

Added: rs-manual/trunk/src/site/resources/images/mod_ca_provider-1.png
==============================================================================
Binary file - no diff available.

Propchange: rs-manual/trunk/src/site/resources/images/mod_ca_provider-1.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: rs-manual/trunk/src/site/resources/images/mod_ca_provider-2.png
==============================================================================
Binary file - no diff available.

Propchange: rs-manual/trunk/src/site/resources/images/mod_ca_provider-2.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: rs-manual/trunk/src/site/xhtml5/mod/mod_ca_provider.xhtml5
==============================================================================
--- rs-manual/trunk/src/site/xhtml5/mod/mod_ca_provider.xhtml5	(added)
+++ rs-manual/trunk/src/site/xhtml5/mod/mod_ca_provider.xhtml5	Thu Aug 21 16:12:38 2025
@@ -0,0 +1,1164 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
+  <head>
+    <title>mod_ca_engine Module</title>
+    <meta name="description" content="Sign certificates using certificates and keys on a smartcard or HSM using the OpenSSL provider mechanism." />
+    <meta name="mod-ca-type" content="backend" />
+    <link rel="canonical" href="https://redwax.eu/rs/docs/latest/mod/mod_ca_provider.html" />
+  </head>
+  <body>
+
+    <section class="spotlight style2 orient-right content-align-left image-position-left">
+      <div class="content null">
+        <h2>Provider Backend Module</h2>
+        <p>Sign certificates using certificates and keys at a URI using
+            the OpenSSL provider mechanism. The URI could describe a PEM file, a
+            smartcard, or an HSM, or any combination thereof.</p>
+      </div>
+      <div class="image">
+        <img src="../images/candles-lightgreen.jpg" alt="" />
+      </div>
+    </section>
+
+    <div class="none">
+
+      <section class="wrapper style1 align-center"
+        id="introduction">
+        <div class="inner">
+
+          <div class="index align-left">
+
+            <section>
+              <header>
+                <h3>What does it do?</h3>
+              </header>
+              <div class="content">
+
+                <p>This module provides set of signing functions that can be
+                  used to sign certificate sign requests backed with the OpenSSL provider
+                  mechanism.
+                </p>
+
+                <p>The OpenSSL provider mechanism allows access to certificates and key
+                  described by a URI. The default URI scheme is <code>file:</code>,
+                  representing the URL of a file on disk.
+                </p>
+                
+                <p>
+                  Based on the configuration, this module
+                  performs signing of an incoming certificate sign request using
+                  a certificate and key stored in a PEM file, on an HSM, TPM or smartcard.
+                </p>
+
+              </div>
+            </section>
+
+            <section>
+              <header>
+                <h3>Finding Certificates and Keys</h3>
+              </header>
+              <div class="content">
+
+                <p>The certificate and key used to sign a request can be defined precisely
+                  in the URIs for
+                  <a href="#directive-CAProviderCertificate">CAProviderCertificate</a> and
+                  <a href="#directive-CAProviderKey">CAProviderKey</a>.
+                </p>
+
+                <p>Alternatively, when the URIs are defined broadly to match multiple
+                  certificates or keys, this module will choose the best certificate and key
+                  found at the corresponding URIs. This allows you to define a generic
+                  URI such as <code>pkcs11:</code> and this module will automatically choose
+                  the certificate and key based on what is available on the smartcard or HSM.
+                </p>
+
+                <p>To choose the certificate and key, this module performs the following
+                  steps.
+                </p>
+
+                <ul>
+                  <li>All keys are read from the
+                    <a href="#directive-CAProviderKey">CAProviderKey</a> URI.</li>
+                  <li>All intermediate certificates are read from the
+                    <a href="#directive-CAProviderCertificate">CAProviderCertificate</a>
+                    URI, leaf certificates are ignored.</li>
+                  <li>Intermediate certificates are matched up with their keys, any
+                    certificates without keys, or keys without certificates, are ignored.</li>
+                  <li>The most recently issued certificate is chosen for signing.</li>
+                </ul>
+
+              </div>
+            </section>
+
+          </div>
+        </div>
+      </section>
+
+
+
+      <section class="wrapper style1 align-center" id="integration">
+        <div class="inner">
+          <h2>Module Integration</h2>
+          <p>
+            The
+            <code>mod_ca_provider</code>
+            module is a
+            <a href="mod_ca.html#backend">backend module</a>
+            and will not do anything useful until
+            <code>mod_ca_provider</code>
+            has been combined with one or
+            more
+            <a href="mod_ca.html#frontend">frontend modules</a>
+            and optional <a href="mod_ca.html#backend">backend modules</a> listed below. The
+            <code>mod_ca_provider</code>
+            module provides the following hooks, and suitable
+            <a href="mod_ca.html#frontend">frontend modules</a>
+            must be configured to implement each protocol as needed.
+          </p>
+
+          <p>
+            All <a href="mod_ca.html#backend">backend modules</a> run within
+            a standard Apache httpd request, and standard httpd functionality
+            applies in all cases.
+          </p>
+
+          <div>
+            <img src="../images/mod_ca_provider-1.png" style="width: 100%;" />
+          </div>
+
+          <div class="index align-left">
+
+            <section>
+              <header>
+                <h3>
+                  <a href="mod_ca.html#ca_sign">Sign Request Hook</a>
+                </h3>
+              </header>
+              <div class="content">
+                <p>When this hook is triggered, this module signs the certificate sign
+                  request using a certificate available at the URI specified in the
+                  <a href="#directive-CAProviderCertificate">CAProviderCertificate</a>
+                  directive, and a private key specified at the URI specified in the
+                  <a href="#directive-CAProviderKey">CAProviderKey</a>
+                  directive. These URIs may point at the same location, or different
+                  locations as needed.
+                </p>
+
+                <p>
+                  This module provides the following implementations of this hook.
+                </p>
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_provider.html#hook-ca_sign_provider">Provider Sign Request</a>
+                      </td>
+                      <td>Signs the certificate sign request using a key stored in a PEM
+                        file, on an HSM or smartcard, described by a URI.</td>
+                    </tr>
+                  </tbody>
+                </table>
+                <p>This hook is called by the following
+                  <a href="mod_ca.html#frontend">frontend modules</a>.
+                </p>
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>
+                        <a href="mod_csr.html">mod_csr</a>
+                      </td>
+                      <td>Generate and issue certificates in response to an X509
+                        certificate request.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_pkcs12.html">mod_pkcs12</a>
+                      </td>
+                      <td>Generate public/private key pairs and and issue certificates in response
+                        to a application/x-www-form-urlencoded form request.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_scep.html">mod_scep</a>
+                      </td>
+                      <td>Generate and issue certificates using the SCEP protocol.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_spkac.html">mod_spkac</a>
+                      </td>
+                      <td>Generate and issue certificates using the SPKAC protocol.</td>
+                    </tr>
+                  </tbody>
+                </table>
+              </div>
+            </section>
+
+            <section>
+              <header>
+                <h3>
+                  <a href="mod_ca.html#ca_getchain">Get Chain Hook</a>
+                </h3>
+              </header>
+              <div class="content">
+                <p>When this hook is triggered, this module returns the intermediate certificate
+                  chain used to sign certificate sign requests, if any and present.
+                </p>
+
+                <p>The intermediate certificate chain is retrieved from the URI pointed
+                  to by the
+                  <a href="#directive-CAProviderChain">CAProviderChain</a> directive,
+                  and may be omitted if no chain exists between the signing certificate
+                  and the CA certificate.
+                </p>
+
+                <p>
+                  This module provides the following implementations of this hook.
+                </p>
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_provider.html#ca_getchain">mod_ca_provider</a>
+                      </td>
+                      <td>This hook returns the certificate chain of a certificate provided by
+                        an OpenSSL provider URI.</td>
+                    </tr>
+                  </tbody>
+                </table>
+                <p>This hook is called by the following
+                  <a href="mod_ca.html#backend">backend modules</a>.
+                </p>
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_engine.html#hook-ca_sign_engine">mod_ca_engine</a>
+                      </td>
+                      <td>This hook signs a given certificate sign request using an
+                        OpenSSL provided crypto engine such as a smartcard, and
+                        including the chain defined by the module.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_provider.html#hook-ca_sign_provider">mod_ca_provider</a>
+                      </td>
+                      <td>This hook signs a given certificate sign request using an
+                        OpenSSL provider URI, returning a the chain defined by the module.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_simple.html#hook-ca_sign_simple">mod_ca_simple</a>
+                      </td>
+                      <td>This hook signs a given certificate sign request, returning a the
+                        chain defined by the module.
+                      </td>
+                    </tr>
+                  </tbody>
+                </table>
+              </div>
+            </section>
+
+            <section>
+              <header>
+                <h3>
+                  <a href="mod_ca.html#ca_makeserial">Make Serial Hook</a>
+                </h3>
+              </header>
+              <div class="content">
+                <p>When this hook is triggered, the
+                  <a href="mod_ca.html#ca_sign">Sign Request Hook</a> asks for a serial
+                  number to use when signing the certificate.
+                </p>
+                <p>
+                  Implementations of this hook are provided by other modules.
+                </p>
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_disk.html#hook-ca_makeserial_disk">Make Next Serial From Disk</a>
+                      </td>
+                      <td>Returns the next serial number from the contents of a file on disk.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_simple.html#hook-ca_makeserial_simple_subject">Simple Make Serial From Subject</a>
+                      </td>
+                      <td>Returns the serial number from that embedded within the subject of the
+                        certificate sign request.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_simple.html#hook-ca_makeserial_simple_random">Simple Make Random Serial</a>
+                      </td>
+                      <td>Returns a random serial number.</td>
+                    </tr>
+                  </tbody>
+                </table>
+                <p>This hook is called by the following
+                  <a href="mod_ca.html#frontend">frontend modules</a> and
+                  <a href="mod_ca.html#backend">backend modules</a>.
+                </p>
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_engine.html#hook-ca_sign_engine">mod_ca_engine</a>
+                      </td>
+                      <td>This hook signs a given certificate sign request using an
+                        OpenSSL provided crypto engine such as a smartcard, using the
+                        serial number returned by this module.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_provider.html#hook-ca_sign_provider">mod_ca_provider</a>
+                      </td>
+                      <td>This hook signs a given certificate sign request using an
+                        OpenSSL provider URI, using the serial number returned by this
+                        module.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_simple.html#hook-ca_sign_simple">mod_ca_simple</a>
+                      </td>
+                      <td>This hook signs a given certificate sign request, using the
+                        serial number returned by this module.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_timestamp.html">mod_timestamp</a>
+                      </td>
+                      <td>Parse and return responses to RFC3161 Time Stamp Protocol requests.</td>
+                    </tr>
+                  </tbody>
+                </table>
+              </div>
+            </section>
+
+            <section>
+              <header>
+                <h3>
+                  <a href="mod_ca.html#ca_gettime">Get Time Hook</a>
+                </h3>
+              </header>
+              <div class="content">
+                <p>When this hook is triggered, the
+                  <a href="mod_ca.html#ca_sign">Sign Request Hook</a> asks for the time
+                  to use when signing the certificate.</p>
+                <p>
+                  Implementations of this hook are provided by other modules.
+                </p>
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_simple.html#hook-ca_gettime_simple">mod_ca_simple</a>
+                      </td>
+                      <td>This hook returns the time to be used to sign a certificate sign
+                        request, derived from the system time.</td>
+                    </tr>
+                  </tbody>
+                </table>
+                <p>This hook is called by the following
+                  <a href="mod_ca.html#frontend">frontend modules</a> and
+                  <a href="mod_ca.html#backend">backend modules</a>.
+                </p>
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_engine.html#hook-ca_sign_engine">mod_ca_engine</a>
+                      </td>
+                      <td>This hook signs a given certificate sign request using an
+                        OpenSSL provided crypto engine such as a smartcard, using the
+                        time returned by this module.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_provider.html#hook-ca_sign_provider">mod_ca_provider</a>
+                      </td>
+                      <td>This hook signs a given certificate sign request using an
+                        OpenSSL provider URI, using the time returned by this
+                        module.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_ca_simple.html#hook-ca_sign_simple">mod_ca_simple</a>
+                      </td>
+                      <td>This hook signs a given certificate sign request, using the
+                        time returned by this module.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_timestamp.html">mod_timestamp</a>
+                      </td>
+                      <td>Parse and return responses to RFC3161 Time Stamp Protocol requests.</td>
+                    </tr>
+                  </tbody>
+                </table>
+              </div>
+            </section>
+
+          </div>
+
+          <div>
+            <img src="../images/mod_ca_provider-2.png" style="width: 100%;" />
+          </div>
+
+          <div class="index align-left">
+
+            <section>
+              <header>
+                <h3>
+                  <a href="mod_ca.html#ca_getca">Get Certificate Authority Hook</a>
+                </h3>
+              </header>
+              <div class="content">
+                <p>When this hook is triggered, this module returns the root CA certificate
+                  used to sign certificate sign requests.</p>
+                <p>
+                  This module provides the following implementations of this hook.
+                </p>
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>
+                        <a href="mod_ca.html#ca_getca">Provider Get Certificate Authority</a>
+                      </td>
+                      <td>Returns the certificate authority certificate used to sign the request.</td>
+                    </tr>
+                  </tbody>
+                </table>
+                <p>This hook is called by the following
+                  <a href="mod_ca.html#frontend">frontend modules</a>.
+                </p>
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>
+                        <a href="mod_ocsp.html">mod_ocsp</a>
+                      </td>
+                      <td>Respond with the revocation status of a certificate.</td>
+                    </tr>
+                    <tr>
+                      <td>
+                        <a href="mod_scep.html">mod_scep</a>
+                      </td>
+                      <td>Generate and issue certificates using the SCEP protocol.</td>
+                    </tr>
+                  </tbody>
+                </table>
+              </div>
+            </section>
+
+            <section>
+              <header>
+                <h3>
+                  <a href="mod_ca.html#ca_getnextca">Get Next Certificate Authority Hook</a>
+                </h3>
+              </header>
+              <div class="content">
+                <p>When this hook is triggered, this module returns the next root CA certificate
+                  that will in future be used to sign certificate sign requests.</p>
+                <p>
+                  This module provides the following implementations of this hook.
+                </p>
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>
+                        <a href="mod_ca.html#ca_getnextca">Provider Get Next Certificate Authority</a>
+                      </td>
+                      <td>Returns the next certificate authority certificate that will be used to sign
+                        future requests.</td>
+                    </tr>
+                  </tbody>
+                </table>
+                <p>This hook is called by the following
+                  <a href="mod_ca.html#frontend">frontend modules</a>.
+                </p>
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>
+                        <a href="mod_scep.html">mod_scep</a>
+                      </td>
+                      <td>Generate and issue certificates using the SCEP protocol.</td>
+                    </tr>
+                  </tbody>
+                </table>
+              </div>
+            </section>
+
+          </div>
+
+        </div>
+      </section>
+
+
+      <section class="wrapper style1 align-center"
+        id="directive-reference">
+        <div class="inner">
+          <h2>Examples</h2>
+          <div class="index align-left">
+
+            <section>
+              <header>
+                <h3>Basic Example</h3>
+              </header>
+              <div class="content">
+                <p>The simplest case: issue a certificate to anybody who wants one.</p>
+<pre><code><![CDATA[
+# global configuration
+<IfModule mod_ca_provider.c>
+  # accept PKCS11 URIs
+  CAProvider pkcs11
+  # accept file: URIs
+  CAProvider default
+</IfModule>
+
+# backend configuration:
+<IfModule mod_ca_simple.c>
+  # use system clock as the time source
+  CASimpleTime on
+  # assign a random serial number
+  CASimpleSerialRandom on
+</IfModule>
+<IfModule mod_ca_provider.c>
+  # sign with this certificate...
+  CAProviderCertificate file:/etc/pki/tls/signing-cert.pem
+  # ...and private key...
+  CAProviderKey "${KEYURI}"
+  # ...and private key PIN if needed
+  CAProviderPassphrase "${KEYPIN}"
+  # ...and using this CA certificate
+  CAProviderCA file:/etc/pki/tls/ca-cert.pem
+  # add extensions for a typical CA
+  CAProviderExtension basicConstraints CA:FALSE
+  CAProviderExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
+  CAProviderExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
+  CAProviderExtension subjectKeyIdentifier hash
+  CAProviderExtension authorityKeyIdentifier keyid,issuer
+</IfModule>
+
+# frontend configuration:
+<IfModule mod_csr.c>
+  <Location /csr>
+    SetHandler csr
+    # use subject from the certificate sign request unmodified
+    CsrSubjectRequest *
+  </Location>
+</IfModule>
+]]></code></pre>
+              </div>
+            </section>
+
+          </div>
+        </div>
+      </section>
+
+
+      <section class="wrapper style1 align-center"
+        id="hook-reference">
+        <div class="inner">
+          <h2>Hook Implementation Reference</h2>
+          <p>
+            The following backend hook implementations are provided by this module.
+          </p>
+          <div class="index align-left">
+
+            <section id="hook-ca_sign_provider">
+              <header>
+                <h3><a href="mod_ca.html#ca_sign">Provider Sign Request</a></h3>
+              </header>
+              <div class="content">
+                <p>
+                  <img class="image right" src="../images/mod_ca_provider-ca_provider_sign.png" />
+                  Signs the certificate sign request using a certificate and key stored at a URI.
+                </p>
+
+                <p>
+                  Both the <a href="#directive-CAProviderCertificate">CAProviderCertificate</a>
+                  directive and the <a href="#directive-CAProviderKey">CAProviderKey</a>
+                  directive are needed to enable the hook implementation. In addition, both
+                  the <a href="mod_ca.html#ca_makeserial">Make Serial Hook</a> and the
+                  <a href="mod_ca.html#ca_gettime">Get Time Hook</a> are called to fill
+                  in the serial number and signing time for the certificate.
+                </p>
+
+                <p>
+                  Each certificate is signed by default for 365 days. This can be controlled by the
+                  <a href="#directive-CAProviderDays">CAProviderDays</a> directive. The
+                  <a href="#directive-CAProviderExtension">CAProviderExtension</a> directive
+                  allows certificate extensions to be added to the certificate.
+                </p>
+
+              </div>
+            </section>
+
+            <section id="hook-ca_getca_provider">
+              <header>
+                <h3><a href="mod_ca.html#ca_getca">Provider Get Certificate Authority</a></h3>
+              </header>
+              <div class="content">
+
+                <p>
+                  <img class="image right" src="../images/mod_ca_provider-ca_provider_getca.png" />
+                  Returns the certificate authority certificate used to sign the request.
+                </p>
+
+                <p>
+                  The certificate authority certificate(s) are parsed from
+                  the URI pointed to by the <a href="#directive-CAProviderCA">CAProviderCA</a>
+                  directive and returned when requested.
+                </p>
+
+              </div>
+            </section>
+
+            <section id="hook-ca_getnextca_provider">
+              <header>
+                <h3><a href="mod_ca.html#ca_getnextca">Provider Get Next Certificate Authority</a></h3>
+              </header>
+              <div class="content">
+
+                <p>
+                  <img class="image right" src="../images/mod_ca_provider-ca_provider_getnextca.png" />
+                  Returns the next certificate authority certificate that will be used to sign
+                  future requests.
+                </p>
+
+                <p>
+                  The next certificate authority certificate(s) are parsed from
+                  the URI pointed to by the
+                  <a href="#directive-CAProviderNextCertificate">CAProviderNextCertificate</a>
+                  directive and returned when requested.
+                </p>
+
+              </div>
+            </section>
+
+            <section id="hook-ca_getchain_engine">
+              <header>
+                <h3><a href="mod_ca.html#ca_getchain">Provider Get Chain</a></h3>
+              </header>
+              <div class="content">
+
+                <p>
+                  <img class="image right" src="../images/mod_ca_provider-ca_provider_getchain.png" />
+                  Returns the chain of certificates used to sign the request.
+                </p>
+
+                <p>
+                  The certificate chain is parsed from
+                  the <a href="#directive-CAProviderChain">CAProviderChain</a>
+                  directive(s) and returned when requested.
+                </p>
+
+              </div>
+            </section>
+
+          </div>
+        </div>
+      </section>
+
+
+      <section class="wrapper style1 align-center"
+        id="directive-reference">
+        <div class="inner">
+          <h2>Directive Reference</h2>
+          <div class="index align-left">
+
+            <section id="directive-CAProviderCertificate">
+              <header>
+                <h3>CAProvider<wbr />Certificate Directive</h3>
+              </header>
+              <div class="content">
+
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>Description</td>
+                      <td>URI of the signing certificate(s)</td>
+                    </tr>
+                    <tr>
+                      <td>Syntax</td>
+                      <td>
+                        <code>CAProvider<wbr />Certificate uri [propq]</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Default</td>
+                      <td>
+                        <code>none</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Context</td>
+                      <td>server config, virtual host, directory, .htaccess</td>
+                    </tr>
+                    <tr>
+                      <td>Status</td>
+                      <td>
+                        <a href="mod_ca.html#backend">Backend</a>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Module</td>
+                      <td>mod_ca_provider</td>
+                    </tr>
+                    <tr>
+                      <td>Compatibility</td>
+                      <td>Introduced in mod_ca 1.0.0 and works with Apache HTTP
+                        Server 2.4.0 and later</td>
+                    </tr>
+                  </tbody>
+                </table>
+
+                <p>Set to the URI of the signing certificate(s).  An optional property
+                  query can be specified as needed.
+                </p>
+
+                <p>When multiple signing certificates are found, all leaf certificates
+                  are ignored, as well as all certificates that do not match the
+                  private keys defined by
+                  <a href="#directive-CAProviderKey">CAProviderKey</a>. Of the
+                  remaining certificates, the most recently issued certificate is used
+                  for signing.
+                </p>
+
+              </div>
+            </section>
+
+            <section id="directive-CAProviderKey">
+              <header>
+                <h3>CAProvider<wbr />Key Directive</h3>
+              </header>
+              <div class="content">
+
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>Description</td>
+                      <td>Set to the URI of the signing key(s) on the smartcard or HSM.</td>
+                    </tr>
+                    <tr>
+                      <td>Syntax</td>
+                      <td>
+                        <code>CAProvider<wbr />Key uri [propq]</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Default</td>
+                      <td>
+                        <code>none</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Context</td>
+                      <td>server config, virtual host, directory, .htaccess</td>
+                    </tr>
+                    <tr>
+                      <td>Status</td>
+                      <td>
+                        <a href="mod_ca.html#backend">Backend</a>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Module</td>
+                      <td>mod_ca_provider</td>
+                    </tr>
+                    <tr>
+                      <td>Compatibility</td>
+                      <td>Introduced in mod_ca 1.0.0 and works with Apache HTTP
+                        Server 2.4.0 and later</td>
+                    </tr>
+                  </tbody>
+                </table>
+
+                <p>Set to the URI of the signing key(s) on the smartcard or HSM.
+                  An optional property query can be specified as needed.
+                </p>
+
+                <p>When multiple signing keys are found, keys are matched to all
+                  non-leaf certificates defined by
+                  <a href="#directive-CAProviderCertificate">CAProviderCertificate</a>.
+                  Of the matching signing certificates, the most recently issued
+                  certificate is used for signing.
+                </p>
+
+                <p>Examples of URIs include:
+                </p>
+
+<pre><code><![CDATA[
+# backend configuration:
+<IfModule mod_ca_provider.c>
+  CAProviderKey "pkcs11:model=PKCS%2315;manufacturer=EnterSafe;serial=1234567890123456;token=User%20PIN%20%28My%20Token%29;object=Certificate"
+</IfModule>
+]]></code></pre>
+
+              </div>
+            </section>
+
+            <section id="directive-CAProviderChain">
+              <header>
+                <h3>CAProvider<wbr />Chain Directive</h3>
+              </header>
+              <div class="content">
+
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>Description</td>
+                      <td>URI of the chain certificate(s), if any.</td>
+                    </tr>
+                    <tr>
+                      <td>Syntax</td>
+                      <td>
+                        <code>CAProvider<wbr />Chain uri [propq]</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Default</td>
+                      <td>
+                        <code>none</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Context</td>
+                      <td>server config, virtual host, directory, .htaccess</td>
+                    </tr>
+                    <tr>
+                      <td>Status</td>
+                      <td>
+                        <a href="mod_ca.html#backend">Backend</a>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Module</td>
+                      <td>mod_ca_provider</td>
+                    </tr>
+                    <tr>
+                      <td>Compatibility</td>
+                      <td>Introduced in mod_ca 1.0.0 and works with Apache HTTP
+                        Server 2.4.0 and later</td>
+                    </tr>
+                  </tbody>
+                </table>
+
+                <p>Set to the URI of the chain certificate(s). Can be specified more
+                  than once. An optional property query can be specified as needed.
+                </p>
+
+              </div>
+            </section>
+
+            <section id="directive-CAProviderCA">
+              <header>
+                <h3>CAProvider<wbr />CA Directive</h3>
+              </header>
+              <div class="content">
+
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>Description</td>
+                      <td>URI of the CA certificate, if any.</td>
+                    </tr>
+                    <tr>
+                      <td>Syntax</td>
+                      <td>
+                        <code>CAProvider<wbr />CA uri [propq]</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Default</td>
+                      <td>
+                        <code>none</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Context</td>
+                      <td>server config, virtual host, directory, .htaccess</td>
+                    </tr>
+                    <tr>
+                      <td>Status</td>
+                      <td>
+                        <a href="mod_ca.html#backend">Backend</a>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Module</td>
+                      <td>mod_ca_provider</td>
+                    </tr>
+                    <tr>
+                      <td>Compatibility</td>
+                      <td>Introduced in mod_ca 1.0.0 and works with Apache HTTP
+                        Server 2.4.0 and later</td>
+                    </tr>
+                  </tbody>
+                </table>
+
+                <p>Set to the URI of the CA certificate. Can be specified more
+                  than once. An optional property query can be specified as needed.
+                </p>
+
+              </div>
+            </section>
+
+            <section id="directive-CAProviderNextCA">
+              <header>
+                <h3>CAProvider<wbr />NextCA Directive</h3>
+              </header>
+              <div class="content">
+
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>Description</td>
+                      <td>URI of the next CA certificate to follow this one, if any.</td>
+                    </tr>
+                    <tr>
+                      <td>Syntax</td>
+                      <td>
+                        <code>CAProvider<wbr />NextCA uri [propq]</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Default</td>
+                      <td>
+                        <code>none</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Context</td>
+                      <td>server config, virtual host, directory, .htaccess</td>
+                    </tr>
+                    <tr>
+                      <td>Status</td>
+                      <td>
+                        <a href="mod_ca.html#backend">Backend</a>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Module</td>
+                      <td>mod_ca_provider</td>
+                    </tr>
+                    <tr>
+                      <td>Compatibility</td>
+                      <td>Introduced in mod_ca 1.0.0 and works with Apache HTTP
+                        Server 2.4.0 and later</td>
+                    </tr>
+                  </tbody>
+                </table>
+
+                <p>Set to the URI of the next CA certificate to follow this
+                  one, if any. Can be specified more than once. An optional property
+                  query can be specified as needed.
+                </p>
+
+              </div>
+            </section>
+
+            <section id="directive-CAProviderDays">
+              <header>
+                <h3>CAProvider<wbr />Days Directive</h3>
+              </header>
+              <div class="content">
+
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>Description</td>
+                      <td>Set to the number of days the certificate must be signed for.</td>
+                    </tr>
+                    <tr>
+                      <td>Syntax</td>
+                      <td>
+                        <code>CAProvider<wbr />Days days</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Default</td>
+                      <td>
+                        <code>CAProvider<wbr />Days 365</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Context</td>
+                      <td>server config, virtual host, directory, .htaccess</td>
+                    </tr>
+                    <tr>
+                      <td>Status</td>
+                      <td>
+                        <a href="mod_ca.html#backend">Backend</a>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Module</td>
+                      <td>mod_ca_provider</td>
+                    </tr>
+                    <tr>
+                      <td>Compatibility</td>
+                      <td>Introduced in mod_ca 1.0.0 and works with Apache HTTP
+                        Server 2.4.0 and later</td>
+                    </tr>
+                  </tbody>
+                </table>
+
+                <p>Set to the number of days the certificate must be signed for.</p>
+
+                <p>Defaults to 365 days.</p>
+
+              </div>
+            </section>
+
+            <section id="directive-CAProviderExtension">
+              <header>
+                <h3>CAProvider<wbr />Extension Directive</h3>
+              </header>
+              <div class="content">
+
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>Description</td>
+                      <td>Certificate extension to add to the certificate when signed.</td>
+                    </tr>
+                    <tr>
+                      <td>Syntax</td>
+                      <td>
+                        <code>CAProvider<wbr />Extension string</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Default</td>
+                      <td>
+                        <code>none</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Context</td>
+                      <td>server config, virtual host, directory, .htaccess</td>
+                    </tr>
+                    <tr>
+                      <td>Status</td>
+                      <td>
+                        <a href="mod_ca.html#backend">Backend</a>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Module</td>
+                      <td>mod_ca_provider</td>
+                    </tr>
+                    <tr>
+                      <td>Compatibility</td>
+                      <td>Introduced in mod_ca 1.0.0 and works with Apache HTTP
+                        Server 2.4.0 and later</td>
+                    </tr>
+                  </tbody>
+                </table>
+
+                <p>Certificate extension to add to the certificate when signed.
+                </p>
+                
+                <p>Examples of certificate extensions include:
+                </p>
+                
+<pre><code><![CDATA[
+# backend configuration:
+<IfModule mod_ca_provider.c>
+  CAProviderExtension basicConstraints CA:FALSE
+  CAProviderExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
+  CAProviderExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
+  CAProviderExtension subjectKeyIdentifier hash
+  CAProviderExtension authorityKeyIdentifier keyid,issuer
+</IfModule>
+]]></code></pre>
+
+              </div>
+            </section>
+
+            <section id="directive-CAProvider">
+              <header>
+                <h3>CAProvider<wbr /> Directive</h3>
+              </header>
+              <div class="content">
+
+                <table>
+                  <tbody>
+                    <tr>
+                      <td>Description</td>
+                      <td>Name of the OpenSSL provider to use.</td>
+                    </tr>
+                    <tr>
+                      <td>Syntax</td>
+                      <td>
+                        <code>CAProvider<wbr /> string [key=value ...]</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Default</td>
+                      <td>
+                        <code>none</code>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Context</td>
+                      <td>server config, virtual host, directory, .htaccess</td>
+                    </tr>
+                    <tr>
+                      <td>Status</td>
+                      <td>
+                        <a href="mod_ca.html#backend">Backend</a>
+                      </td>
+                    </tr>
+                    <tr>
+                      <td>Module</td>
+                      <td>mod_ca_provider</td>
+                    </tr>
+                    <tr>
+                      <td>Compatibility</td>
+                      <td>Introduced in mod_ca 1.0.0 and works with Apache HTTP
+                        Server 2.4.0 and later</td>
+                    </tr>
+                  </tbody>
+                </table>
+
+                <p>Name of the OpenSSL provider to use.
+                </p>
+
+                <p>Additonal options can be specified for each provider by passing
+                  name value pairs after the provider name.
+                </p>
+
+                <p>Providers defined in this module have a scope limited to this
+                  module, and configuration specified here will have no effect on
+                  other parts of the server. This is a property of OpenSSL v3 and
+                  above.
+                </p>
+
+                <p>Examples of crypto providers include:
+                </p>
+
+<pre><code><![CDATA[
+# backend configuration:
+<IfModule mod_ca_provider.c>
+  CAProvider pkcs11
+  CAProvider default
+</IfModule>
+]]></code></pre>
+
+              </div>
+            </section>
+
+          </div>
+        </div>
+      </section>
+
+    </div>
+  </body>
+</html>
+
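Review bot: the only URI example in the hunk, `CAProviderKey "pkcs11:...;object=Certificate"`, sits under the CAProviderKey directive but names an object labelled Certificate and carries no `type=private` attribute, so a reader copying it will point the key directive at a certificate object; give this example a key object label with `type=private`, or move it under CAProviderCertificate, which currently has no example of its own. Two smaller points in the same hunk: "Additonal options" in the CAProvider section should read "Additional", and the `<wbr />` in `<h3>CAProvider<wbr /> Directive</h3>` and `<code>CAProvider<wbr /> string [key=value ...]</code>` is redundant for a single-word directive name and can be dropped. It would also help to state under CAProviderDays that the value is the validity period of the issued certificate, since "the number of days the certificate must be signed for" is open to misreading.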