Based on configuration of the backend modules, the CA certificate or the next CA certificate is returned as a DER or PEM encoded X509 certificate as per RFC5280.
Module Integration
The
mod_cert
module is a
frontend module
and will not do anything useful until
mod_cert
has been combined with one or
more
backend modules
listed below. The
mod_cert
module uses the following hooks to get the CA certificate and next CA certificate, and suitable
backend modules
must be configured to implement each hook as needed.
All frontend modules run within a standard Apache httpd request, and standard httpd functionality applies in all cases.
Get CA Certificate Hook
This hook returns CA certificates for the given CA.
| mod_ca_engine | Returns CA certificates that would sign certificate sign requests by an HSM such as a smartcard. |
| mod_ca_simple | Returns CA certificates that would sign certificate sign requests by a certificate and key specified on disk. |
Get Next CA Certificate Hook
This hook returns certificates that were requested previously and generated at a possibly later date or time.
| mod_ca_engine | Returns the upcoming next CA certificates that would sign certificate sign requests by an HSM such as a smartcard. |
| mod_ca_simple | Returns the upcoming next CA certificates that would sign certificate sign requests by a certificate and key specified on disk. |
Examples
Basic Example
The simplest case: return the CA certificate and the next CA certificate to anybody who wants it.
# backend configuration:
<IfModule mod_ca_simple.c>
# return these certificates
CASimpleCertificate /etc/pki/tls/ca-cert.pem
CASimpleNextCertificate /etc/pki/tls/ca-cert-next.pem
</IfModule>
# frontend configuration:
<IfModule mod_cert.c>
<Location /ca.der>
SetHandler cert-ca
</Location>
<Location /ca-next.der>
SetHandler cert-nextca
</Location>
</IfModule>
Handler Reference
The following parameters to the SetHandler directive are supported.
cert-ca Handler
After calling the getca hook return the CA certificate as a DER or PEM encoded X509 certificate.
SetHandler cert-ca
cert-nextca Handler
After calling the getnextca hook return the next CA certificate as a DEM or PEN encoded X509 certificate.
SetHandler cert-nextca
Directive Reference
Cert
| Description | The max-age of the certificate will be divided by this factor. |
| Syntax |
Cert
|
| Default |
Cert
|
| Context | server config, virtual host, directory, .htaccess |
| Status | Frontend |
| Module | mod_cert |
| Compatibility | Introduced in mod_cert 0.2.0 and works with Apache HTTP Server 2.4.0 and later |
The age of the certificate will be divided by this factor when added as a max-age, set to zero to disable. Defaults to "2". An optional maximum value can be specified, defaults to one day.
Cert
| Description | Set the URL location of the WADL returned by the OPTIONS method. |
| Syntax |
Cert
|
| Default |
Cert
|
| Context | server config, virtual host, directory, .htaccess |
| Status | Frontend |
| Module | mod_cert |
| Compatibility | Introduced in mod_cert 0.2.0 and works with Apache HTTP Server 2.4.0 and later |
Set the URL location of the WADL returned by the OPTIONS method.
Cert
| Description | Set to the default encoding to be returned if not specified. |
| Syntax |
Cert
|
| Default |
Cert
|
| Context | server config, virtual host, directory, .htaccess |
| Status | Frontend |
| Module | mod_cert |
| Compatibility | Introduced in mod_cert 0.2.0 and works with Apache HTTP Server 2.4.0 and later |
Set the default encoding to be returned if not specified. Must be one of "pem", "x-pem" or "der".