Simple Backend Module

Sign certificates using certificates and keys on disk, generate random serial numbers, return the system time.

What does it do?

This module provides a basic set of signing functions that can be used to sign certificate sign requests.

Based on the configuration of paths and files, this module performs basic signing of an incoming certificate sign request using a certificate and key stored on disk.

In addition, this module can generate a random serial number and return the system time, to be used when signing a certificate.

The serial number can optionally be extracted from the subject of the certificate sign request, when there is a requirement that a certificate authority never reissues a certificate.

Module Integration

The mod_ca_simple module is a backend module and will not do anything useful until it has been combined with one or more of the frontend modules and optional backend modules listed below. The mod_ca_simple module provides the following hooks, and suitable frontend modules must be configured to implement each protocol as needed.

All backend modules run within a standard Apache httpd request, and standard httpd functionality applies in all cases.

Sign Request Hook

When this hook is triggered, this module signs the certificate sign request using a certificate and key on the local disk.

This module provides the following implementations of this hook.

Simple Sign Request Signs the certificate sign request using a key stored on disk.

This hook is called by the following frontend modules.

mod_csr Generate and issue certificates in response to an X509 certificate request.
mod_pkcs12 Generate public/private key pairs and issue certificates in response to an application/x-www-form-urlencoded form request.
mod_scep Generate and issue certificates using the SCEP protocol.
mod_spkac Generate and issue certificates using the SPKAC protocol.

Get Chain Hook

When this hook is triggered, this module returns the intermediate certificate chain used to sign certificate sign requests, if any are present.

This module provides the following implementations of this hook.

Simple Get Chain Returns the chain of certificates used to sign the request.

This hook is called by the following backend modules.

mod_ca_engine Signs a given certificate sign request using an OpenSSL-provided crypto engine such as a smartcard.
mod_ca_simple Signs the certificate sign request using a key stored on disk.

Make Serial Hook

When this hook is triggered, this module returns either a random serial number, or the serial number present in the subject of the certificate sign request.

This module provides the following implementations of this hook.

Simple Make Serial From Subject Returns the serial number embedded within the subject of the certificate sign request.
Simple Make Random Serial Returns a random serial number.

This hook is called by the following frontend modules and backend modules.

mod_ca_engine Signs a given certificate sign request using an OpenSSL-provided crypto engine such as a smartcard, using the serial number returned by this module.
mod_ca_simple Signs the certificate sign request using a key stored on disk.
mod_timestamp Parse and return responses to RFC3161 Time Stamp Protocol requests.

Get Time Hook

When this hook is triggered, this module returns the time used to sign certificate sign requests, derived from the system time.

This module provides the following implementations of this hook.

Simple Get Time This hook returns the time to be used to sign a certificate sign request, derived from the system time.

This hook is called by the following frontend modules and backend modules.

mod_ca_engine Signs a given certificate sign request using an OpenSSL-provided crypto engine such as a smartcard, using the signing time returned by this module.
mod_ca_simple Signs the certificate sign request using a key stored on disk.
mod_timestamp Parse and return responses to RFC3161 Time Stamp Protocol requests.

Get Certificate Authority Hook

When this hook is triggered, this module returns the root CA certificate used to sign certificate sign requests.

This module provides the following implementations of this hook.

Simple Get Certificate Authority Returns the certificate authority certificate used to sign the request.

This hook is called by the following frontend modules.

mod_ocsp Respond with the revocation status of a certificate.
mod_scep Generate and issue certificates using the SCEP protocol.

Get Next Certificate Authority Hook

When this hook is triggered, this module returns the next root CA certificate, the one that will be used in future to sign certificate sign requests.

This module provides the following implementations of this hook.

Simple Get Next Certificate Authority Returns the next certificate authority certificate that will be used to sign future requests.

This hook is called by the following frontend modules.

mod_scep Generate and issue certificates using the SCEP protocol.

Make Key Hook

When this hook is triggered, this module generates and returns a key pair to be used to sign the certificate sign request.

This module provides the following implementations of this hook.

Simple Make Key Returns a generated public/private key pair.

This hook is called by the following frontend modules.

mod_pkcs12 Generate public/private key pairs and issue certificates in response to an application/x-www-form-urlencoded form request.

Examples

Basic Example

The simplest case: issue a certificate to anybody who wants one.


# backend configuration:
<IfModule mod_ca_simple.c>
  # sign with this certificate...
  CASimpleCertificate /etc/pki/tls/ca-cert.pem
  # ...and private key
  CASimpleKey /etc/pki/tls/ca-key.pem
  # use system clock as the time source
  CASimpleTime on
  # assign a random serial number
  CASimpleSerialRandom on
  # add extensions typical for an end-entity certificate issued by a CA
  CASimpleExtension basicConstraints CA:FALSE
  CASimpleExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
  CASimpleExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
  CASimpleExtension subjectKeyIdentifier hash
  CASimpleExtension authorityKeyIdentifier keyid,issuer
</IfModule>

# frontend configuration:
<IfModule mod_csr.c>
  <Location /csr>
    SetHandler csr
    # use subject from the certificate sign request unmodified
    CsrSubjectRequest *
  </Location>
</IfModule>

Hook Implementation Reference

The following backend hook implementations are provided by this module.

Simple Sign Request

Signs the certificate sign request using a key stored on disk.

Both the CASimpleCertificate directive and the CASimpleKey directive are needed to enable the hook implementation. In addition, both the Make Serial Hook and the Get Time Hook are called to fill in the serial number and signing time for the certificate.

Each certificate is signed by default for 365 days. This can be controlled by the CASimpleDays directive. The CASimpleExtension directive allows certificate extensions to be added to the certificate.
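The validity window that Simple Sign Request stamps on a certificate is the Get Time Hook result (the system clock) plus CASimpleDays. The following added example, which is not code from mod_ca, computes that window and encodes it the way RFC 5280 section 4.1.2.5 requires (UTCTime up to 2049, GeneralizedTime from 2050 on); the function names and the ISO 8601 input form are assumptions of the example.

```python
"""Validity period for a certificate signed by Simple Sign Request.

Added example, not mod_ca code. It assumes only what the page states: the
signing time comes from the Get Time Hook (system clock) and the lifetime is
CASimpleDays, default 365. Time encoding follows RFC 5280 s4.1.2.5.
"""
from datetime import datetime, timedelta, timezone

DEFAULT_DAYS = 365  # CASimpleDays default


def get_time() -> datetime:
    """Simple Get Time analogue: the system clock of the current machine, in UTC."""
    return datetime.now(timezone.utc)


def asn1_time(dt: datetime) -> str:
    """Encode a timezone-aware datetime as an RFC 5280 Validity time string.

    Years before 2050 MUST use UTCTime (YYMMDDHHMMSSZ); 2050 and later MUST use
    GeneralizedTime (YYYYMMDDHHMMSSZ). Both are expressed in UTC with seconds.
    """
    if dt.tzinfo is None:
        raise ValueError("validity times must be timezone-aware")
    dt = dt.astimezone(timezone.utc)
    if dt.year < 2050:
        return dt.strftime("%y%m%d%H%M%SZ")  # UTCTime
    return dt.strftime("%Y%m%d%H%M%SZ")  # GeneralizedTime


def validity(now: datetime, days: int = DEFAULT_DAYS) -> tuple[str, str]:
    """Return (notBefore, notAfter) for a certificate signed at `now` for `days` days."""
    if days <= 0:
        raise ValueError("CASimpleDays must be a positive number of days")
    not_before = now.astimezone(timezone.utc).replace(microsecond=0)
    not_after = not_before + timedelta(days=days)
    return asn1_time(not_before), asn1_time(not_after)


def validity_from_iso(signing_time: str, days: int = DEFAULT_DAYS) -> tuple[str, str]:
    """Same as validity() for an ISO 8601 timestamp such as '2024-03-01T12:00:00+00:00'."""
    return validity(datetime.fromisoformat(signing_time), days)


if __name__ == "__main__":
    nb, na = validity(get_time())
    print("notBefore", nb, "notAfter", na)
```

The 2049/2050 boundary matters in practice: a signer that always emits UTCTime produces certificates some verifiers reject once CASimpleDays pushes notAfter past the end of 2049.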

Simple Get Certificate Authority

Returns the certificate authority certificate used to sign the request.

The certificate authority certificate is parsed from the CASimpleCertificate directive and returned when requested. This is the last certificate specified in the file.

Simple Get Next Certificate Authority

Returns the next certificate authority certificate that will be used to sign future requests.

The next certificate authority certificate is parsed from the CASimpleNextCertificate directive and returned when requested.

Simple Get Chain

Returns the chain of certificates used to sign the request.

The certificate chain is parsed from the CASimpleCertificate directive and returned when requested. These are all certificates apart from the last certificate specified in the file.
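Simple Get Certificate Authority and Simple Get Chain both read the same CASimpleCertificate file and split it by position: the last certificate is the CA, everything before it is the chain. The added example below, which is not mod_ca code, parses a PEM bundle with that convention so the file ordering can be checked before deployment; the sample bundle is constructed with placeholder base64 bodies, not real certificates, and the function names are this example's own.

```python
"""Split a CASimpleCertificate-style PEM file: signing certificate first, CA certificate last.

Added example, not code from mod_ca. Only the ordering convention stated for
CASimpleCertificate is assumed. The sample bundle is constructed; its base64
bodies are placeholders rather than DER-encoded certificates.
"""
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_pem_bundle(text: str) -> list[str]:
    """Return each CERTIFICATE block in file order, re-emitted with LF line endings."""
    blocks = []
    for m in PEM_CERT_RE.finditer(text):
        body = "\n".join(line.strip() for line in m.group(1).splitlines() if line.strip())
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----")
    return blocks


def split_chain(bundle: str) -> tuple[str, list[str], str]:
    """Return (signing_cert, chain, ca_cert) as the two hooks would see them.

    signing_cert is the first block (the one matching CASimpleKey); chain is
    every block except the last (Simple Get Chain); ca_cert is the last block
    (Simple Get Certificate Authority). A one-certificate file is a self-signed
    CA signing directly, so its chain is empty and signing_cert == ca_cert.
    """
    certs = parse_pem_bundle(bundle)
    if not certs:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return certs[0], certs[:-1], certs[-1]


# Constructed sample: issuing certificate, intermediate, root CA (placeholder bodies).
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
SVNTVUlORy1DRVJU
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLUNFUlQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Uk9PVC1DQS1DRVJU
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    signing, chain, ca = split_chain(SAMPLE_BUNDLE)
    print(f"signing certificate: {signing.splitlines()[1]}")
    print(f"chain length: {len(chain)}")
    print(f"CA certificate: {ca.splitlines()[1]}")
```

A bundle written in the opposite order (root first) is the usual mistake: the module would then present the root as the signing certificate and the leaf as the CA, and nothing in the file format itself flags it.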

Simple Make Serial From Subject

Returns the serial number embedded within the subject of the certificate sign request.

This hook implementation is enabled with the CASimpleSerialSubject directive. When enabled, the serial number of the certificate is extracted from the serial number embedded in the subject of the certificate sign request.

This hook implementation is used to generate certificates that cannot be reissued.

Simple Make Random Serial

Returns a random serial number.

This hook implementation is enabled with the CASimpleSerialRandom directive. When enabled, the serial number of the certificate is chosen at random.

The random number is allocated via the OpenSSL BN_rand() function.

Simple Make Key

Returns a generated public/private key pair.

This hook implementation is enabled with either the CASimpleAlgorithm or CASimpleParamFile directives. When enabled, a generated public/private key pair matching either the algorithm or the parameter file is returned when requested.

The algorithm matches that accepted by the -algorithm option of the genpkey command within OpenSSL. The parameter file is that generated by the -genparam option of the genpkey command within OpenSSL.

Simple Get Time

Returns the system time of the machine.

This hook implementation is enabled with the CASimpleTime directive. When enabled, the system time of the current machine is returned when requested.

Directive Reference

CASimpleCertificate Directive

Description Filename of certificate chain: signing certificate first, CA certificate last.
Syntax CASimpleCertificate file
Default none
Context server config, virtual host, directory, .htaccess
Status Backend
Module mod_ca_simple
Compatibility Introduced in mod_ca 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the filename of the signing certificate, including the certificate chain: signing certificate first, CA certificate last.

CASimpleKey Directive

Description Filename of the signing key.
Syntax CASimpleKey file
Default none
Context server config, virtual host, directory, .htaccess
Status Backend
Module mod_ca_simple
Compatibility Introduced in mod_ca 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the filename of the signing key.

CASimpleNextCertificate Directive

Description Filename of the next CA certificate to follow this one, if any.
Syntax CASimpleNextCertificate file
Default none
Context server config, virtual host, directory, .htaccess
Status Backend
Module mod_ca_simple
Compatibility Introduced in mod_ca 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the filename of the next CA certificate to follow this one, if any.

CASimpleDays Directive

Description Set to the number of days for which a signed certificate is valid.
Syntax CASimpleDays days
Default CASimpleDays 365
Context server config, virtual host, directory, .htaccess
Status Backend
Module mod_ca_simple
Compatibility Introduced in mod_ca 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the number of days for which a signed certificate is valid.

Defaults to 365 days.

CASimpleSerialRandom Directive

Description When enabled, a random serial number will be allocated.
Syntax CASimpleSerialRandom flag
Default CASimpleSerialRandom off
Context server config, virtual host, directory, .htaccess
Status Backend
Module mod_ca_simple
Compatibility Introduced in mod_ca 0.2.0 and works with Apache HTTP Server 2.4.0 and later

When enabled, a random serial number will be allocated by the Make Serial Hook.

The random number is allocated via the OpenSSL BN_rand() function.

CASimpleSerialSubject Directive

Description When enabled, the serial number will be allocated from the certificate sign request subject, if present.
Syntax CASimpleSerialSubject flag
Default CASimpleSerialSubject off
Context server config, virtual host, directory, .htaccess
Status Backend
Module mod_ca_simple
Compatibility Introduced in mod_ca 0.2.0 and works with Apache HTTP Server 2.4.0 and later

When enabled, during the Make Serial Hook, the serial number will be allocated from the serialNumber field of the certificate sign request subject, if present.

It is expected that the issuing of the certificate is verified with the Request Authorization Hook to ensure the serial number cannot be duplicated.
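The two Make Serial Hook implementations on this page differ in where the serial comes from, but a CA has to apply the same checks to either: the value must be a positive integer of at most 20 octets (RFC 5280 section 4.1.2.2), and under CASimpleSerialSubject it must never be issued twice. The added example below, which is not mod_ca code, models both Simple Make Random Serial and Simple Make Serial From Subject together with that duplicate check. Python's `secrets` stands in for OpenSSL BN_rand(), the subject-parsing rules (decimal or 0x-prefixed hex in an OpenSSL one-line subject) are assumptions, and the `IssuedSerials` registry is the example's own model of the Request Authorization Hook check, not a mod_ca API.

```python
"""Serial-number allocation for the Make Serial Hook, with the checks a CA should apply.

Added example, not mod_ca code. `secrets` stands in for OpenSSL BN_rand();
the subject-attribute parsing and the IssuedSerials registry are assumptions
of this example (the page only says the duplicate check belongs in the
Request Authorization Hook).
"""
import re
import secrets

MAX_SERIAL_OCTETS = 20  # RFC 5280 s4.1.2.2: positive, at most 20 octets of DER content


def der_integer(n: int) -> bytes:
    """Minimal DER encoding of a non-negative INTEGER (tag 0x02, short-form length)."""
    if n < 0:
        raise ValueError("negative serial numbers are not allowed")
    # one extra bit forces a leading 0x00 when the high bit is set, keeping the value positive
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    if len(body) >= 128:
        raise ValueError("value too large for short-form length")
    return bytes([0x02, len(body)]) + body


def validate_serial(n: int) -> int:
    """Reject serials RFC 5280 forbids: zero, negative, or more than 20 content octets."""
    if n <= 0:
        raise ValueError("serial number must be positive")
    if len(der_integer(n)) - 2 > MAX_SERIAL_OCTETS:
        raise ValueError("serial number exceeds 20 octets")
    return n


def make_random_serial(bits: int = 159) -> int:
    """Simple Make Random Serial analogue.

    159 random bits fit in 20 octets once the sign-padding byte is accounted for;
    the top bit is forced so every serial has the full entropy and is never tiny.
    """
    n = secrets.randbits(bits) | (1 << (bits - 1))
    return validate_serial(n)


# serialNumber attribute in an OpenSSL one-line subject, '/'- or ','-separated (assumption)
SUBJECT_SERIAL_RE = re.compile(r"(?:^|[/,])\s*serialNumber=([^/,]+)", re.IGNORECASE)


def make_serial_from_subject(subject: str) -> int:
    """Simple Make Serial From Subject analogue for a subject such as
    '/C=GB/O=Example/CN=device-17/serialNumber=1234'. Decimal or 0x-hex accepted."""
    m = SUBJECT_SERIAL_RE.search(subject)
    if not m:
        raise ValueError("subject carries no serialNumber attribute")
    raw = m.group(1).strip()
    n = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    return validate_serial(n)


class IssuedSerials:
    """Registry the authorization step consults so a subject-supplied serial is issued once."""

    def __init__(self) -> None:
        self._seen: set[int] = set()

    def issue(self, serial: int) -> int:
        serial = validate_serial(serial)
        if serial in self._seen:
            raise ValueError(f"serial {serial} already issued; refusing to reissue")
        self._seen.add(serial)
        return serial


if __name__ == "__main__":
    registry = IssuedSerials()
    print("random:", registry.issue(make_random_serial()))
    print("from subject:", registry.issue(make_serial_from_subject("/CN=device-17/serialNumber=1234")))
```

With CASimpleSerialSubject the requester chooses the serial, so the registry is what stops a second request carrying the same serialNumber from producing a second certificate; with CASimpleSerialRandom the 159-bit draw makes collisions negligible but still leaves the length and sign checks to catch a misconfigured generator.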

CASimpleTime Directive

Description When enabled, the time will be obtained from the system time.
Syntax CASimpleTime flag
Default CASimpleTime off
Context server config, virtual host, directory, .htaccess
Status Backend
Module mod_ca_simple
Compatibility Introduced in mod_ca 0.2.0 and works with Apache HTTP Server 2.4.0 and later

When enabled, during the Get Time Hook, the time will be obtained from the system time.

CASimpleExtension Directive

Description Certificate extension to add to the certificate when signed.
Syntax CASimpleExtension string
Default none
Context server config, virtual host, directory, .htaccess
Status Backend
Module mod_ca_simple
Compatibility Introduced in mod_ca 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Certificate extension to add to the certificate when signed.

Examples of certificate extensions include:


# backend configuration:
<IfModule mod_ca_simple.c>
  CASimpleExtension basicConstraints CA:FALSE
  CASimpleExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
  CASimpleExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
  CASimpleExtension subjectKeyIdentifier hash
  CASimpleExtension authorityKeyIdentifier keyid,issuer
</IfModule>

CASimpleAlgorithm Directive

Description When enabled, private keys will be generated with this algorithm.
Syntax CASimpleAlgorithm string [ key=value ... ]
Default none
Context server config, virtual host, directory, .htaccess
Status Backend
Module mod_ca_simple
Compatibility Introduced in mod_ca 0.2.0 and works with Apache HTTP Server 2.4.0 and later

When enabled, during the Make Key Hook, private keys will be generated with this algorithm.

The algorithm matches that accepted by the -algorithm option of the genpkey command within OpenSSL.

An example of a key generation algorithm:


# backend configuration:
<IfModule mod_ca_simple.c>
  CASimpleAlgorithm RSA rsa_keygen_bits=4096
</IfModule>

CASimpleParamFile Directive

Description When enabled, private keys will be generated with this parameter file.
Syntax CASimpleParamFile file
Default none
Context server config, virtual host, directory, .htaccess
Status Backend
Module mod_ca_simple
Compatibility Introduced in mod_ca 0.2.0 and works with Apache HTTP Server 2.4.0 and later

When enabled, during the Make Key Hook, private keys will be generated with this parameter file.

The parameter file is that generated by the -genparam option of the genpkey command within OpenSSL.