This module provides set of signing functions that can be used to sign certificate sign requests backed with the OpenSSL provider mechanism.

The OpenSSL provider mechanism allows access to certificates and key described by a URI. The default URI scheme is file:, representing the URL of a file on disk.

Based on the configuration, this module performs signing of an incoming certificate sign request using a certificate and key stored in a PEM file, on an HSM, TPM or smartcard.

The certificate and key used to sign a request can be defined precisely in the URIs for CAProviderCertificate and CAProviderKey.

Alternatively, when the URIs are defined broadly to match multiple certificates or keys, this module will choose the best certificate and key found at the corresponding URIs. This allows you to define a generic URI such as pkcs11: and this module will automatically choose the certificate and key based on what is available on the smartcard or HSM.

To choose the certificate and key, this module performs the following steps.

• All keys are read from the CAProviderKey URI.
• All intermediate certificates are read from the CAProviderCertificate URI, leaf certificates are ignored.
• Intermediate certificates are matched up with their keys, any certificates without keys, or keys without certificates, are ignored.
• The most recently issued certificate is chosen for signing.

When this hook is triggered, this module signs the certificate sign request using a certificate available at the URI specified in the CAProviderCertificate directive, and a private key specified at the URI specified in the CAProviderKey directive. These URIs may point at the same location, or different locations as needed.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

When this hook is triggered, this module returns the intermediate certificate chain used to sign certificate sign requests, if any and present.

The intermediate certificate chain is retrieved from the URI pointed to by the CAProviderChain directive, and may be omitted if no chain exists between the signing certificate and the CA certificate.

This module provides the following implementations of this hook.

This hook is called by the following backend modules.

When this hook is triggered, the Sign Request Hook asks for a serial number to use when signing the certificate.

Implementations of this hook are provided by other modules.

This hook is called by the following frontend modules and backend modules.

When this hook is triggered, the Sign Request Hook asks for the time to use when signing the certificate.

Implementations of this hook are provided by other modules.

This hook is called by the following frontend modules and backend modules.

When this hook is triggered, this module returns the root CA certificate used to sign certificate sign requests.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

When this hook is triggered, this module returns the next root CA certificate that will in future be used to sign certificate sign requests.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

The simplest case: issue a certificate to anybody who wants one.

# global configuration
<IfModule mod_ca_provider.c>
  # accept PKCS11 URIs
  CAProvider pkcs11
  # accept file: URIs
  CAProvider default
</IfModule>

# backend configuration:
<IfModule mod_ca_simple.c>
  # use system clock as the time source
  CASimpleTime on
  # assign a random serial number
  CASimpleSerialRandom on
</IfModule>
<IfModule mod_ca_provider.c>
  # sign with this certificate...
  CAProviderCertificate file:/etc/pki/tls/signing-cert.pem
  # ...and private key...
  CAProviderKey "${KEYURI}"
  # ...and private key PIN if needed
  CAProviderPassphrase "${KEYPIN}"
  # ...and using this CA certificate
  CAProviderCA file:/etc/pki/tls/ca-cert.pem
  # add extensions for a typical CA
  CAProviderExtension basicConstraints CA:FALSE
  CAProviderExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
  CAProviderExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
  CAProviderExtension subjectKeyIdentifier hash
  CAProviderExtension authorityKeyIdentifier keyid,issuer
</IfModule>

# frontend configuration:
<IfModule mod_csr.c>
  <Location /csr>
    SetHandler csr
    # use subject from the certificate sign request unmodified
    CsrSubjectRequest *
  </Location>
</IfModule>

Signs the certificate sign request using a certificate and key stored at a URI.

Both the CAProviderCertificate directive and the CAProviderKey directive are needed to enable the hook implementation. In addition, both the Make Serial Hook and the Get Time Hook are called to fill in the serial number and signing time for the certificate.

Each certificate is signed by default for 365 days. This can be controlled by the CAProviderDays directive. The CAProviderExtension directive allows certificate extensions to be added to the certificate.

Returns the certificate authority certificate used to sign the request.

The certificate authority certificate(s) are parsed from the URI pointed to by the CAProviderCA directive and returned when requested.

Returns the next certificate authority certificate that will be used to sign future requests.

The next certificate authority certificate(s) are parsed from the URI pointed to by the CAProviderNextCertificate directive and returned when requested.

Returns the chain of certificates used to sign the request.

The certificate chain is parsed from the CAProviderChain directive(s) and returned when requested.

Set to the URI of the signing certificate(s). An optional property query can be specified as needed.

When multiple signing certificates are found, all leaf certificates are ignored, as well as all certificates that do not match the private keys defined by CAProviderKey. Of the remaining certificates, the most recently issued certificate is used for signing.

Set to the URI of the signing key(s) on the smartcard or HSM. An optional property query can be specified as needed.

When multiple signing keys are found, keys are matched to all non-leaf certificates defined by CAProviderCertificate. Of the matching signing certificates, the most recently issued certificate is used for signing.

Examples of URIs include:

# backend configuration:
<IfModule mod_ca_provider.c>
  CAProviderKey "pkcs11:model=PKCS%2315;manufacturer=EnterSafe;serial=1234567890123456;token=User%20PIN%20%28My%20Token%29;object=Certificate"
</IfModule>

Set to the URI of the chain certificate(s). Can be specified more than once. An optional property query can be specified as needed.

Set to the URI of the CA certificate. Can be specified more than once. An optional property query can be specified as needed.

Set to the URI of the next CA certificate to follow this one, if any. Can be specified more than once. An optional property query can be specified as needed.

Set to the number of days the certificate must be signed for.

Defaults to 365 days.

Certificate extension to add to the certificate when signed.

Examples of certificate extensions include:

# backend configuration:
<IfModule mod_ca_provider.c>
  CAProviderExtension basicConstraints CA:FALSE
  CAProviderExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
  CAProviderExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
  CAProviderExtension subjectKeyIdentifier hash
  CAProviderExtension authorityKeyIdentifier keyid,issuer
</IfModule>

Name of the OpenSSL provider to use.

Additonal options can be specified for each provider by passing name value pairs after the provider name.

Providers defined in this module have a scope limited to this module, and configuration specified here will have no effect on other parts of the server. This is a property of OpenSSL v3 and above.

Examples of crypto providers include:

# backend configuration:
<IfModule mod_ca_provider.c>
  CAProvider pkcs11
  CAProvider default
</IfModule>