<directivesynopsis>
<name>SSLCertificateFile</name>
-<description>Server PEM-encoded X.509 certificate data file</description>
-<syntax>SSLCertificateFile <em>file-path</em></syntax>
+<description>Server PEM-encoded X.509 certificate data file or token identifier</description>
+<syntax>SSLCertificateFile <var>file-path</var>|<var>certid</var></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
+<compatibility><var>certid</var> available in 2.5.1 and later.</compatibility>
<usage>
<p>
-This directive points to a file with certificate data in PEM format.
-At a minimum, the file must include an end-entity (leaf) certificate.
+This directive points to a file with certificate data in PEM format, or the certificate identifier through a configured cryptographic token.
+If using a PEM file, at minimum, the file must include an end-entity (leaf) certificate.
The directive can be used multiple times (referencing different filenames)
to support multiple algorithms for server authentication - typically
RSA, DSA, and ECC. The number of supported algorithms depends on the
key is encrypted, the pass phrase dialog is forced at startup time.
</p>
+<p>As an alternative to storing certificates and private keys in
+files, a certificate identifier can be used to identify a certificate
+stored in a token. Currently, only <a
+href="https://tools.ietf.org/html/rfc7512">PKCS#11 URIs</a> are
+recognized as certificate identifiers, and can be used in conjunction
+with the OpenSSL <code>pkcs11</code> engine. If <directive
+module="mod_ssl">SSLCertificateKeyFile</directive> is omitted, the
+certificate and private key can be loaded through the single
+identifier specified with <directive
+module="mod_ssl">SSLCertificateFile</directive>.</p>
+
<note>
<title>DH parameter interoperability with primes > 1024 bit</title>
<p>
<example><title>Example</title>
<highlight language="config">
+# Example using a PEM-encoded file.
SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt"
+# Example use of a certificate and private key from a PKCS#11 token:
+SSLCertificateFile "pkcs11:token=My%20Token%20Name;id=45"
</highlight>
</example>
</usage>
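Review bot: the new compatibility line `<compatibility><var>certid</var> available in 2.5.1 and later.</compatibility>` breaks the phrasing used elsewhere in this file (`Available in httpd 2.4.4 and later`, `Available in httpd 2.4.0 and later`); suggest `Available in httpd 2.5.1 and later.` with the capital and the product name. In the first paragraph, "or the certificate identifier through a configured cryptographic token" reads as if the token were a path; suggest "or a certificate identifier naming a certificate stored in a configured cryptographic token", and "If using a PEM file, at minimum, the file must include" reads better as "If a PEM file is used, it must at a minimum include". The new paragraph says the identifier works "in conjunction with the OpenSSL pkcs11 engine" but never says how that engine gets enabled; a pointer to the directive that selects the engine (SSLCryptoDevice) would save the reader a search. The example comments also differ in style between this hunk ("# Example using a PEM-encoded file.") and the SSLCertificateKeyFile example ("# To use a private key from a PEM-encoded file:"); pick one form for both.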
<directivesynopsis>
<name>SSLCertificateKeyFile</name>
<description>Server PEM-encoded private key file</description>
-<syntax>SSLCertificateKeyFile <em>file-path</em></syntax>
+<syntax>SSLCertificateKeyFile <var>file-path</var>|<var>keyid</var></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
+<compatibility><var>keyid</var> available in 2.5.1 and later.</compatibility>
<usage>
<p>
This directive points to the PEM-encoded private key file for the
-server. If the contained private key is encrypted, the pass phrase
-dialog is forced at startup time.</p>
+server, or the key ID through a configured cryptographic token. If the
+contained private key is encrypted, the pass phrase dialog is forced
+at startup time.</p>
<p>
The directive can be used multiple times (referencing different filenames)
an embedded key must be configured after the certificates using a separate
key file.</p>
+<p>As an alternative to storing private keys in files, a key
+identifier can be used to identify a private key stored in a
+token. Currently, only <a href="https://tools.ietf.org/html/rfc7512">PKCS#11 URIs</a> are recognized as private key
+identifiers, and can be used in conjunction with the OpenSSL
+<code>pkcs11</code> engine.</p>
+
<example><title>Example</title>
<highlight language="config">
+# To use a private key from a PEM-encoded file:
SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key"
+# To use a private key from a PKCS#11 token:
+SSLCertificateKeyFile "pkcs11:token=My%20Token%20Name;id=45"
</highlight>
</example>
</usage>
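Review bot: the unchanged `<description>Server PEM-encoded private key file</description>` was not updated even though the syntax line now accepts `keyid`; the SSLCertificateFile hunk did update its description to "... or token identifier", so this one should get the matching "Server PEM-encoded private key file or token key identifier". Same compatibility-phrasing point as for SSLCertificateFile (`Available in httpd 2.5.1 and later.`), and "or the key ID through a configured cryptographic token" has the same awkward wording as the certificate hunk. The new paragraph repeats the SSLCertificateFile text almost verbatim but leaves out the part that matters for this directive: the SSLCertificateFile text says the private key can be loaded through the certificate identifier alone when SSLCertificateKeyFile is omitted, and the example here uses the same `id=45` as the certificate example, so a reader cannot tell when this directive is needed with a token at all. One sentence stating when it is needed (for example when the key object's identifier differs from the certificate's) would make the two sections consistent.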
<directivesynopsis>
<name>SSLCertificateChainFile</name>
<description>File of PEM-encoded Server CA Certificates</description>
-<syntax>SSLCertificateChainFile <em>file-path</em></syntax>
+<syntax>SSLCertificateChainFile <var>file-path</var></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
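Review bot: the `<em>` to `<var>` substitution on `<syntax>SSLCertificateChainFile <var>file-path</var></syntax>` and the identical substitutions on the directives that follow are markup-only and unrelated to the PKCS#11 feature; consider splitting them into a separate commit so the feature change stays small to review and easy to backport. The substitution itself is right: `<var>` is what the modified SSLCertificateFile and SSLCertificateKeyFile syntax lines now use for placeholders, so the file ends up consistent.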
<name>SSLCACertificateFile</name>
<description>File of concatenated PEM-encoded CA Certificates
for Client Auth</description>
-<syntax>SSLCACertificateFile <em>file-path</em></syntax>
+<syntax>SSLCACertificateFile <var>file-path</var></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<name>SSLCADNRequestFile</name>
<description>File of concatenated PEM-encoded CA Certificates
for defining acceptable CA names</description>
-<syntax>SSLCADNRequestFile <em>file-path</em></syntax>
+<syntax>SSLCADNRequestFile <var>file-path</var></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<name>SSLCARevocationFile</name>
<description>File of concatenated PEM-encoded CA CRLs for
Client Auth</description>
-<syntax>SSLCARevocationFile <em>file-path</em></syntax>
+<syntax>SSLCARevocationFile <var>file-path</var></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<directivesynopsis>
<name>SSLSRPVerifierFile</name>
<description>Path to SRP verifier file</description>
-<syntax>SSLSRPVerifierFile <em>file-path</em></syntax>
+<syntax>SSLSRPVerifierFile <var>file-path</var></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available in httpd 2.4.4 and later, if using OpenSSL 1.0.1 or
<name>SSLProxyCACertificateFile</name>
<description>File of concatenated PEM-encoded CA Certificates
for Remote Server Auth</description>
-<syntax>SSLProxyCACertificateFile <em>file-path</em></syntax>
+<syntax>SSLProxyCACertificateFile <var>file-path</var></syntax>
<contextlist><context>server config</context> <context>virtual host</context>
<context>proxy section</context></contextlist>
<compatibility>The proxy section context is allowed in httpd 2.4.30 and later</compatibility>
<name>SSLProxyCARevocationFile</name>
<description>File of concatenated PEM-encoded CA CRLs for
Remote Server Auth</description>
-<syntax>SSLProxyCARevocationFile <em>file-path</em></syntax>
+<syntax>SSLProxyCARevocationFile <var>file-path</var></syntax>
<contextlist><context>server config</context> <context>virtual host</context>
<context>proxy section</context></contextlist>
<compatibility>The proxy section context is allowed in httpd 2.4.30 and later</compatibility>
<directivesynopsis>
<name>SSLSessionTicketKeyFile</name>
<description>Persistent encryption/decryption key for TLS session tickets</description>
-<syntax>SSLSessionTicketKeyFile <em>file-path</em></syntax>
+<syntax>SSLSessionTicketKeyFile <var>file-path</var></syntax>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
<compatibility>Available in httpd 2.4.0 and later, if using OpenSSL 0.9.8h or later</compatibility>