This module provides a basic set of signing functions that can be used to sign certificate sign requests.

Based on the configuration of paths and files, this module performs basic signing of an incoming certificate sign request using a certificate and key stored on disk.

In addition, this module can generate a random serial number and the system time to be used when signing a certificate.

The serial number can optionally be extracted from the subject of the certificate, when there is a requirement that certificates within a certificate authority are never reissued.

When this hook is triggered, this module signs the certificate sign request using a certificate and key on the local disk.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

When this hook is triggered, this module returns the intermediate certificate chain used to sign certificate sign requests, if any and present.

This module provides the following implementations of this hook.

This hook is called by the following backend modules.

When this hook is triggered, this module returns either a random serial number, or the serial number present in the subject of the certificate sign request.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules and backend modules.

When this hook is triggered, this module returns the time used to sign certificate sign requests, derived from the system time.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules and backend modules.

When this hook is triggered, this module returns the root CA certificate used to sign certificate sign requests.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

When this hook is triggered, this module returns the next root CA certificate that will in future be used to sign certificate sign requests.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

When this hook is triggered, this module generates and returns a key pair to be used to sign the certificate sign request.

This module provides the following implementations of this hook.

This hook is called by the following frontend modules.

The simplest case: issue a certificate to anybody who wants one.

# backend configuration:
<IfModule mod_ca_simple.c>
  # sign with this certificate...
  CASimpleCertificate /etc/pki/tls/ca-cert.pem
  # ...and private key
  CASimpleKey /etc/pki/tls/ca-key.pem
  # use system clock as the time source
  CASimpleTime on
  # assign a random serial number
  CASimpleSerialRandom on
  # add extensions for a typical CA
  CASimpleExtension basicConstraints CA:FALSE
  CASimpleExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
  CASimpleExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
  CASimpleExtension subjectKeyIdentifier hash
  CASimpleExtension authorityKeyIdentifier keyid,issuer
</IfModule>

# frontend configuration:
<IfModule mod_csr.c>
  <Location /csr>
    SetHandler csr
    # use subject from the certificate sign request unmodified
    CsrSubjectRequest *
  </Location>
</IfModule>

Signs the certificate sign request using a key stored on disk.

Both the CASimpleCertificate directive and the CASimpleKey directive are needed to enable the hook implementation. In addition, both the Make Serial Hook and the Get Time Hook are called to fill in the serial number and signing time for the certificate.

Each certificate is signed by default for 365 days. This can be controlled by the CASimpleDays directive. The CASimpleExtension directive allows certificate extensions to be added to the certificate.

Returns the certificate authority certificate used to sign the request.

The certificate authority certificate is parsed from the CASimpleCertificate directive and returned when requested. This is the last certificate specified in the file.

Returns the next certificate authority certificate that will be used to sign future requests.

The next certificate authority certificate is parsed from the CASimpleNextCertificate directive and returned when requested.

Returns the chain of certificates used to sign the request.

The certificate chain is parsed from the CASimpleCertificate directive and returned when requested. These are all certificates apart from the last certificate specified in the file.

Returns the serial number from that embedded within the subject of the certificate sign request.

This hook implementation is enabled with the CASimpleSerialSubject directive. When enabled, the serial number of the certificate is extracted from the serial number embedded in the subject of the certificate sign request.

This hook implementation is used to generate certificates that cannot be reissued.

Returns a random serial number.

This hook implementation is enabled with the CASimpleSerialRandom directive. When enabled, the serial number of the certificate is chosen at random.

The random number is allocated via the OpenSSL BN_rand() function.

Returns a generated public/private key pair.

This hook implementation is enabled with either the CASimpleAlgorithm or CASimpleParamFile directives. When enabled, a generated public/private key pair matching either the algorithm or the parameter file is returned when requested.

The algorithm matches that accepted by the -algorithm option of the genpkey command within OpenSSL. The parameter file is that generated by the -genparam option of the genpkey command within OpenSSL.

Returns the system time of the machine.

This hook implementation is enabled with the CASimpleTime directive. When enabled, the system time of the current machine is returned when requested.

Set to the filename of the signing certificate, including the certificate chain: signing certificate first, CA certificate last.

Set to the filename of the signing key.

Set to the filename of the next CA certificate to follow this one, if any.

Set to the number of days the certificate must be signed for.

Defaults to 365 days.

When enabled, a random serial number will be allocated by the Make Serial Hook.

The random number is allocated via the OpenSSL BN_rand() function.

When enabled, during the Make Serial Hook, the serial number will be allocated from the serialNumber field of the certificate sign request subject, if present.

It is expected that the issuing of the certificate is verified with the Request Authorization Hook to ensure the serial number cannot be duplicated.

When enabled, during the Get Time Hook, the time will be obtained from the system time.

Certificate extension to add to the certificate when signed.

Examples of certificate extensions include:

# backend configuration:
<IfModule mod_ca_simple.c>
  CASimpleExtension basicConstraints CA:FALSE
  CASimpleExtension keyUsage critical,nonRepudiation,digitalSignature,keyEncipherment
  CASimpleExtension extendedKeyUsage OID:1.3.6.1.5.5.7.3.2
  CASimpleExtension subjectKeyIdentifier hash
  CASimpleExtension authorityKeyIdentifier keyid,issuer
</IfModule>

When enabled, during the Make Key Hook, private keys will be generated with this algorithm.

The algorithm matches that accepted by the -algorithm option of the genpkey command within OpenSSL.

Examples of a certificate algorithm include:

# backend configuration:
<IfModule mod_ca_simple.c>
  CASimpleAlgorithm RSA rsa_keygen_bits=4096
</IfModule>

When enabled, during the Make Key Hook, private keys will be generated with this parameter file.

The parameter file is that generated by the -genparam option of the genpkey command within OpenSSL.