Certificate Sign Request Module

Generate and issue certificates in response to an X509 certificate request.

What does it do?

This module accepts a application/x-www-form-urlencoded form submission request containing a PEM encoded PKCS10 X509 certificate request among further optional parameters.

Based on configuration, parameters can be passed from the incoming certificate sign request, optional form parameters, or explicit expressions, and a new certificate sign request with acceptable parameters is passed to suitably configured backend modules for request authorisation, certificate signing and issuing, and certificate storage.

The resulting certificate chain is returned by default as a DER encoded PKCS7 certificate. If the Accept header is given in the request and set to application/pkcs7-mime , the certificate chain is returned as a PEM encoded PKCS7 certificate instead.

This module can be configured to respond to CertEnroll requests as supported by Microsoft Internet Explorer.

Module Integration

The mod_csr module is a frontend module and will not do anything useful until mod_csr has been combined with one or more backend modules listed below. The mod_csr module uses the following hooks to authorise, sign/issue and store a certificate, and suitable backend modules must be configured to implement each hook as needed.

All frontend modules run within a standard Apache httpd request, and standard httpd functionality applies in all cases.

Request Authorization Hook

This optional hook allows you to verify the parameters included with the certificate sign request, such as the challenge password. If left unconfigured, all certificate requests will be accepted.

mod_ca_ldap Allows the certificate sign request to be verified against an LDAP directory.

Sign Request Hook

This hooks signs the certificate sign request and returns the issued certificate. The hook is mandatory, and the request will be rejected if left unconfigured.

mod_ca_disk Allows certificate sign requests to be saved to disk for later out of band processing. The response will redirect the caller to where the certificate can be collected.
mod_ca_engine Allows certificate sign requests to be signed by an HSM such as a smartcard.
mod_ca_simple Allows certificate sign requests to be signed by a certificate and key specified on disk.

Certificate Storage Hook

This optional hook allows the newly generated certificate to be stored locally or in a database or directory. If left unconfigured, no local copy of the certificate will be stored.

mod_ca_ldap Saves the newly issued PKCS7 certificate and chain to an LDAP directory.

Examples

Basic Example

The simplest case: issue a certificate to anybody who wants one.


# backend configuration:
<IfModule mod_ca_simple.c>
  # sign with this certificate...
  CASimpleCertificate /etc/pki/tls/ca-cert.pem
  # ...and private key
  CASimpleKey /etc/pki/tls/ca-key.pem
  # use system clock as the time source
  CASimpleTime on
  # assign a random serial number
  CASimpleSerialRandom on
</IfModule>

# frontend configuration:
<IfModule mod_csr.c>
  <Location /csr>
    SetHandler csr
    # use subject from the certificate sign request unmodified
    CsrSubjectRequest *
  </Location>
</IfModule>

Logged In Example

A more typical scenario: issue a certificate to a logged in user.

In this example it is assumed that Apache configuration exists that authenticates a user against a database, directory, a token, or a previous certificate.


# backend configuration:
<IfModule mod_ca_simple.c>
  # sign with this certificate...
  CASimpleCertificate /etc/pki/tls/ca-cert.pem
  # ...and private key
  CASimpleKey /etc/pki/tls/ca-key.pem
  # use system clock as the time source
  CASimpleTime on
  # assign a random serial number
  CASimpleSerialRandom on
</IfModule>

# frontend configuration:
<IfModule mod_csr.c>
  <Location /csr>
    SetHandler csr
    # standard Apache authorisation
    Require valid-user
    # set the common name to the logged in username
    CsrSubjectSet CN %{REMOTE_USER}
    # set a fixed OU field in the subject
    CsrSubjectSet OU "Terms and Conditions Apply"
  </Location>
</IfModule>

Handler Reference

The following parameters to the SetHandler directive are supported.

csr Handler

After calling the request authorization hook, the sign request hook, and the certificate storage hook, return the DER or PEM encoded certificate.

SetHandler csr

Directive Reference

CsrFreshness Directive

Description The max-age of the certificates will be divided by this factor.
Syntax CsrFreshness factor [max-seconds]
Default CsrFreshness 2 86400
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_csr
Compatibility Introduced in mod_csr 0.2.0 and works with Apache HTTP Server 2.4.0 and later

The age of the certificates will be divided by this factor when added as a max-age, set to zero to disable. Defaults to "2". An optional maximum value can be specified, defaults to one day.

CsrLocation Directive

Description Set the URL location of the WADL returned by the OPTIONS method.
Syntax CsrLocation url
Default CsrLocation [current-URL]
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_csr
Compatibility Introduced in mod_csr 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set the URL location of the WADL returned by the OPTIONS method.

CsrParamPkcs10 Directive

Description Set the name of the form parameter containing the PEM encoded PKCS10 certificate sign request.
Syntax CsrParamPkcs10 param
Default CsrParamPkcs10 pkcs10
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_csr
Compatibility Introduced in mod_csr 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set the name of the form parameter containing the PEM encoded PKCS10 certificate sign request.

CsrParamChallenge Directive

Description Set the name of the form parameter containing the challenge.
Syntax CsrParamChallenge param
Default CsrParamChallenge challenge
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_csr
Compatibility Introduced in mod_csr 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set the name of the form parameter containing the challenge, if not present in the certificate sign request.

CsrSize Directive

Description Set to the maximum size of the form submitted by the client.
Syntax CsrSize bytes
Default CsrSize 131072
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_csr
Compatibility Introduced in mod_csr 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set to the maximum size of the form request from the client. This value cannot be smaller than 4096 bytes.

CsrSubjectAltNameRequest Directive

Description Specify fields in the certificate request subject alternative name that will be copied over to the certificate.
Syntax CsrSubjectAltNameRequest field [number]
Default None
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_csr
Compatibility Introduced in mod_csr 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Specify fields in the certificate request subject alternative name that will be copied over to the certificate, with optional limit to the number of fields that may appear.

If a wildcard is used, all fields in the certificate request subject alternative name will be copied across unmodified.

Field names are limited to otherName, rfc822Name, dNSName, x400Address, directoryName, ediPartyName, uniformResourceIdentifier, iPAddress, or registeredID and are described in the Subjects and Subject Alternative Names section.

CsrSubjectAltNameSet Directive

Description Specify an expression that will be included in the certificate subject alternative name.
Syntax CsrSubjectAltNameSet field value
Default None
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_csr
Compatibility Introduced in mod_csr 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Specify an expression that will be included in the certificate subject alternative name.

Field names are limited to otherName, rfc822Name, dNSName, x400Address, directoryName, ediPartyName, uniformResourceIdentifier, iPAddress, or registeredID and are described in the Subjects and Subject Alternative Names section.

CsrSubjectRequest Directive

Description Specify fields in the certificate request subject that will be copied over to the certificate.
Syntax CsrSubjectRequest field [number]
Default CsrSubjectRequest field 1
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_csr
Compatibility Introduced in mod_csr 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Specify fields in the certificate request subject that will be copied over to the certificate, with optional limit to the number of fields that may appear.

If a wildcard is used, all fields in the certificate request subject alternative name will be copied across unmodified.

Subject handling is covered in detail in the Subjects and Subject Alternative Names section.

CsrSubjectSet Directive

Description Specify an expression that will be included in the certificate subject.
Syntax CsrSubjectSet field value
Default None
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_csr
Compatibility Introduced in mod_csr 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Specify an expression that will be included in the certificate subject. Subject attribute name is configured first, then the expression.

Subject handling is covered in detail in the Subjects and Subject Alternative Names section.