This module provides set of signing functions that can be used to sign certificate sign requests backed with the OpenSSL ENGINE mechanism.

Based on the configuration, this module performs signing of an incoming certificate sign request using a certificate and key stored on an HSM or smartcard.

When this hook is triggered, this module signs the certificate sign request using a certificate on the local disk, and a key on an HSM or smartcard using the OpenSSL ENGINE mechanism.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

When this hook is triggered, this module returns the intermediate certificate chain used to sign certificate sign requests, if any and present.

This module provides the following implementations of this hook.

This hook is called by the following backend modules.

When this hook is triggered, the Sign Request Hook asks for a serial number to use when signing the certificate.

Implementations of this hook are provided by other modules.

This hook is called by the following frontend modules and backend modules.

When this hook is triggered, the Sign Request Hook asks for the time to use when signing the certificate.

Implementations of this hook are provided by other modules.

This hook is called by the following frontend modules and backend modules.

When this hook is triggered, this module returns the root CA certificate used to sign certificate sign requests.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

When this hook is triggered, this module returns the next root CA certificate that will in future be used to sign certificate sign requests.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

The simplest case: issue a certificate to anybody who wants one.

# global configuration
<IfModule mod_ca_engine.c>
  CAEngineDevice dynamic
  CAEnginePreCommand SO_PATH /usr/lib64/engines-1.1/pkcs11.so
  CAEnginePreCommand ID pkcs11
  CAEnginePreCommand LIST_ADD 1
  CAEnginePreCommand LOAD
  CAEnginePreCommand MODULE_PATH /usr/lib64/opensc-pkcs11.so
  CAEnginePreCommand PIN ${KEYPIN}
</IfModule>

# backend configuration:
<IfModule mod_ca_simple.c>
  # use system clock as the time source
  CASimpleTime on
  # assign a random serial number
  CASimpleSerialRandom on
</IfModule>
<IfModule mod_ca_engine.c>
  # sign with this certificate...
  CAEngineCertificate /etc/pki/tls/ca-cert.pem
  # ...and private key
  CAEngineKey "${KEYURI}"
  # add extensions for a typical CA
  CAEngineExtension basicConstraints CA:FALSE
  CAEngineExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
  CAEngineExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
  CAEngineExtension subjectKeyIdentifier hash
  CAEngineExtension authorityKeyIdentifier keyid,issuer
</IfModule>

# frontend configuration:
<IfModule mod_csr.c>
  <Location /csr>
    SetHandler csr
    # use subject from the certificate sign request unmodified
    CsrSubjectRequest *
  </Location>
</IfModule>

Signs the certificate sign request using a key stored on an HSM or smartcard.

Both the CAEngineCertificate directive and the CAEngineKey directive are needed to enable the hook implementation. In addition, both the Make Serial Hook and the Get Time Hook are called to fill in the serial number and signing time for the certificate.

Each certificate is signed by default for 365 days. This can be controlled by the CAEngineDays directive. The CAEngineExtension directive allows certificate extensions to be added to the certificate.

Returns the certificate authority certificate used to sign the request.

The certificate authority certificate is parsed from the CAEngineCertificate directive and returned when requested. This is the last certificate specified in the file.

Returns the next certificate authority certificate that will be used to sign future requests.

The next certificate authority certificate is parsed from the CAEngineNextCertificate directive and returned when requested.

Returns the chain of certificates used to sign the request.

The certificate chain is parsed from the CAEngineCertificate directive and returned when requested. These are all certificates apart from the last certificate specified in the file.

Set to the filename of the signing certificate, including the certificate chain: signing certificate first, CA certificate last.

Set to the URI of the signing key on the smartcard or HSM.

Examples of URIs include:

# backend configuration:
<IfModule mod_ca_engine.c>
  CAEngineKey "pkcs11:model=PKCS%2315;manufacturer=EnterSafe;serial=1234567890123456;token=User%20PIN%20%28My%20Token%29;object=Certificate"
</IfModule>

Set to the filename of the next CA certificate to follow this one, if any.

Set to the number of days the certificate must be signed for.

Defaults to 365 days.

Certificate extension to add to the certificate when signed.

Examples of certificate extensions include:

# backend configuration:
<IfModule mod_ca_engine.c>
  CAEngineExtension basicConstraints CA:FALSE
  CAEngineExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
  CAEngineExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
  CAEngineExtension subjectKeyIdentifier hash
  CAEngineExtension authorityKeyIdentifier keyid,issuer
</IfModule>

Name of the OpenSSL crypto engine to use.

Examples of crypto engines include:

# backend configuration:
<IfModule mod_ca_engine.c>
  CAEngineDevice dynamic
</IfModule>

Commands to process before the engine is initialised.

Commands to process after the engine is initialised.