PKCS7 Certificate Module

Return the CA certificate or next CA certificate as a PKCS7 response.

What does it do?

Depending on how the backend modules are configured, the CA certificate or the next CA certificate is returned as a DER- or PEM-encoded degenerate PKCS7 structure as per RFC 2315.

Module Integration

The mod_pkcs7 module is a frontend module and will not do anything useful until it has been combined with one or more of the backend modules listed below. The mod_pkcs7 module uses the following hooks to get the CA certificate and next CA certificate, and suitable backend modules must be configured to implement each hook as needed.

All frontend modules run within a standard Apache httpd request, and standard httpd functionality applies in all cases.

Get CA Certificate Hook

This hook returns CA certificates for the given CA.

mod_ca_engine: Returns CA certificates that would sign certificate signing requests using an HSM such as a smartcard.
mod_ca_simple: Returns CA certificates that would sign certificate signing requests using a certificate and key specified on disk.

Get Next CA Certificate Hook

This hook returns certificates that were requested previously and generated at a possibly later date or time.

mod_ca_engine: Returns the upcoming next CA certificates that would sign certificate signing requests using an HSM such as a smartcard.
mod_ca_simple: Returns the upcoming next CA certificates that would sign certificate signing requests using a certificate and key specified on disk.

Examples

Basic Example

The simplest case: return the CA certificate and the next CA certificate to anybody who wants it.


# backend configuration:
<IfModule mod_ca_simple.c>
  # return these certificates
  CASimpleCertificate /etc/pki/tls/ca-cert.pem
  CASimpleNextCertificate /etc/pki/tls/ca-cert-next.pem
</IfModule>

# frontend configuration:
<IfModule mod_pkcs7.c>
  <Location /ca.p7b>
    SetHandler pkcs7-ca
  </Location>
  <Location /ca-next.p7b>
    SetHandler pkcs7-nextca
  </Location>
</IfModule>

Handler Reference

The following parameters to the SetHandler directive are supported.

pkcs7-ca Handler

After calling the getca hook, return the CA certificate as a DER or PEM encoded degenerate PKCS7 certificate bundle.

SetHandler pkcs7-ca

pkcs7-nextca Handler

After calling the getnextca hook, return the next CA certificate as a DER or PEM encoded degenerate PKCS7 certificate bundle.

SetHandler pkcs7-nextca
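
An added example, not part of mod_pkcs7 or its documentation: a client-side check that parses the body returned by the pkcs7-ca or pkcs7-nextca handler in either encoding, confirms the bundle is degenerate (empty signerInfos), and returns SHA-256 fingerprints to compare against a value obtained out of band before the certificate is trusted. The function names, the sample builder and the "PKCS7" PEM label are assumptions; the sample certificates are constructed placeholders, not real X.509.

```python
import base64, hashlib, re

SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2
DATA = bytes.fromhex("2a864886f70d010701")         # OID 1.2.840.113549.1.7.1

def read_tlv(buf, pos):
    """Return (tag, value, end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into (tag, value, raw_element) tuples."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = read_tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out

def ca_fingerprints(body):
    """SHA-256 of each certificate in a degenerate PKCS7 (DER, or PEM labelled PKCS7)."""
    m = re.search(rb"-----BEGIN PKCS7-----(.+?)-----END PKCS7-----", body, re.S)
    top = children(base64.b64decode(m.group(1)) if m else body)[0]
    oid, wrapper = children(top[1])[:2]
    if top[0] != 0x30 or oid[1] != SIGNED_DATA or wrapper[0] != 0xA0:
        raise ValueError("not a PKCS7 signedData")
    fields = children(children(wrapper[1])[0][1])  # fields of SignedData
    if fields[-1][0] != 0x31 or fields[-1][1]:
        raise ValueError("signerInfos present: not a degenerate bundle")
    certs = [val for tag, val, _ in fields if tag == 0xA0] or [b""]  # [0] certificates
    return [hashlib.sha256(raw).hexdigest() for _, _, raw in children(certs[0])]

def tlv(tag, value):  # DER-encode one element; only builds the constructed sample
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def sample_bundle(payloads):
    """Constructed degenerate PKCS7 wrapping placeholder certificate bodies."""
    body = (tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, DATA))
            + tlv(0xA0, b"".join(tlv(0x30, p) for p in payloads)) + tlv(0x31, b""))
    return tlv(0x30, tlv(0x06, SIGNED_DATA) + tlv(0xA0, tlv(0x30, body)))
```

Compare the returned fingerprint with the pinned value using an exact string match; a mismatch or a ValueError means the response should not be installed as a trust anchor.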

Directive Reference

Pkcs7Freshness Directive

Description: The max-age of the certificate will be divided by this factor.
Syntax: Pkcs7Freshness factor [max-seconds]
Default: Pkcs7Freshness 2 86400
Context: server config, virtual host, directory, .htaccess
Status: Frontend
Module: mod_pkcs7
Compatibility: Introduced in mod_pkcs7 0.2.0 and works with Apache HTTP Server 2.4.0 and later

The age of the certificate will be divided by this factor when added as a max-age. Set to zero to disable. Defaults to "2". An optional maximum value in seconds can be specified; it defaults to one day.

Pkcs7Location Directive

Description: Set the URL location of the WADL returned by the OPTIONS method.
Syntax: Pkcs7Location url
Default: Pkcs7Location [current-URL]
Context: server config, virtual host, directory, .htaccess
Status: Frontend
Module: mod_pkcs7
Compatibility: Introduced in mod_pkcs7 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set the URL location of the WADL returned by the OPTIONS method.

Pkcs7Encoding Directive

Description: Set the default encoding to be returned if not specified.
Syntax: Pkcs7Encoding encoding
Default: Pkcs7Encoding der
Context: server config, virtual host, directory, .htaccess
Status: Frontend
Module: mod_pkcs7
Compatibility: Introduced in mod_pkcs7 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set the default encoding to be returned if not specified. Must be one of "pem", "x-pem" or "der".