From: Joe Orton Date: Wed, 19 Feb 2020 17:04:21 +0000 (+0000) Subject: Sync PKCS#11 docs from trunk. [skip ci] X-Git-Tag: 2.4.42~77 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fec6fd9f68486fdf71671a111d957787b8982d60;p=thirdparty%2Fapache%2Fhttpd.git Sync PKCS#11 docs from trunk. [skip ci] git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1874201 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index 9ba6069454a..51d9d7a67b7 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -895,15 +895,16 @@ SSLCipherSuite RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW SSLCertificateFile -Server PEM-encoded X.509 certificate data file -SSLCertificateFile file-path +Server PEM-encoded X.509 certificate data file or token identifier +SSLCertificateFile file-path|certid server config virtual host +certid available in 2.5.1 and later.

-This directive points to a file with certificate data in PEM format. -At a minimum, the file must include an end-entity (leaf) certificate. +This directive points to a file with certificate data in PEM format, or the certificate identifier through a configured cryptographic token. +If using a PEM file, at minimum, the file must include an end-entity (leaf) certificate. The directive can be used multiple times (referencing different filenames) to support multiple algorithms for server authentication - typically RSA, DSA, and ECC. The number of supported algorithms depends on the @@ -944,6 +945,17 @@ after the certificates using a separate key file. If the private key is encrypted, the pass phrase dialog is forced at startup time.

+

As an alternative to storing certificates and private keys in +files, a certificate identifier can be used to identify a certificate +stored in a token. Currently, only PKCS#11 URIs are +recognized as certificate identifiers, and can be used in conjunction +with the OpenSSL pkcs11 engine. If SSLCertificateKeyFile is omitted, the +certificate and private key can be loaded through the single +identifier specified with SSLCertificateFile.

+ DH parameter interoperability with primes > 1024 bit

@@ -989,7 +1001,10 @@ thus using a custom/suitable length. Example +# Example using a PEM-encoded file. SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt" +# Example use of a certificate and private key from a PKCS#11 token: +SSLCertificateFile "pkcs11:token=My%20Token%20Name;id=45" @@ -998,15 +1013,17 @@ SSLCertificateFile "/usr/local/apache2/conf/ssl.crt/server.crt" SSLCertificateKeyFile Server PEM-encoded private key file -SSLCertificateKeyFile file-path +SSLCertificateKeyFile file-path|keyid server config virtual host +keyid available in 2.5.1 and later.

This directive points to the PEM-encoded private key file for the -server. If the contained private key is encrypted, the pass phrase -dialog is forced at startup time.

+server, or the key ID through a configured cryptographic token. If the +contained private key is encrypted, the pass phrase dialog is forced +at startup time.

The directive can be used multiple times (referencing different filenames) @@ -1022,9 +1039,18 @@ is highly discouraged. If it is used, the certificate files using such an embedded key must be configured after the certificates using a separate key file.

+

As an alternative to storing private keys in files, a key +identifier can be used to identify a private key stored in a +token. Currently, only PKCS#11 URIs are recognized as private key +identifiers, and can be used in conjunction with the OpenSSL +pkcs11 engine.

+ Example +# To use a private key from a PEM-encoded file: SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key" +# To use a private key from a PKCS#11 token: +SSLCertificateKeyFile "pkcs11:token=My%20Token%20Name;id=45"
@@ -1033,7 +1059,7 @@ SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key" SSLCertificateChainFile File of PEM-encoded Server CA Certificates -SSLCertificateChainFile file-path +SSLCertificateChainFile file-path server config virtual host @@ -1109,7 +1135,7 @@ SSLCACertificatePath "/usr/local/apache2/conf/ssl.crt/" SSLCACertificateFile File of concatenated PEM-encoded CA Certificates for Client Auth -SSLCACertificateFile file-path +SSLCACertificateFile file-path server config virtual host @@ -1133,7 +1159,7 @@ SSLCACertificateFile "/usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt" SSLCADNRequestFile File of concatenated PEM-encoded CA Certificates for defining acceptable CA names -SSLCADNRequestFile file-path +SSLCADNRequestFile file-path server config virtual host @@ -1236,7 +1262,7 @@ SSLCARevocationPath "/usr/local/apache2/conf/ssl.crl/" SSLCARevocationFile File of concatenated PEM-encoded CA CRLs for Client Auth -SSLCARevocationFile file-path +SSLCARevocationFile file-path server config virtual host @@ -1393,7 +1419,7 @@ SSLVerifyDepth 10 SSLSRPVerifierFile Path to SRP verifier file -SSLSRPVerifierFile file-path +SSLSRPVerifierFile file-path server config virtual host Available in httpd 2.4.4 and later, if using OpenSSL 1.0.1 or @@ -2164,7 +2190,7 @@ SSLProxyCACertificatePath "/usr/local/apache2/conf/ssl.crt/" SSLProxyCACertificateFile File of concatenated PEM-encoded CA Certificates for Remote Server Auth -SSLProxyCACertificateFile file-path +SSLProxyCACertificateFile file-path server config virtual host proxy section The proxy section context is allowed in httpd 2.4.30 and later @@ -2217,7 +2243,7 @@ SSLProxyCARevocationPath "/usr/local/apache2/conf/ssl.crl/" SSLProxyCARevocationFile File of concatenated PEM-encoded CA CRLs for Remote Server Auth -SSLProxyCARevocationFile file-path +SSLProxyCARevocationFile file-path server config virtual host proxy section The proxy section context is allowed in httpd 2.4.30 and later 
@@ -2768,7 +2794,7 @@ One potential use is when a proxy is used for retrieving OCSP queries.

SSLSessionTicketKeyFile Persistent encryption/decryption key for TLS session tickets -SSLSessionTicketKeyFile file-path +SSLSessionTicketKeyFile file-path server config virtual host Available in httpd 2.4.0 and later, if using OpenSSL 0.9.8h or later
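Review bot: the compatibility line added in the @@ -895,15 +895,16 @@ hunk, `+certid available in 2.5.1 and later.`, contradicts where this commit lands: the git-svn-id line shows branches/2.4.x and the tag is 2.4.42~77, so a reader of the 2.4 manual is told the `file-path|certid` syntax they are looking at is not available to them. Either state the 2.4 release that ships the token-identifier support, or, if it really is trunk-only, do not sync the `|certid` alternative into the 2.4.x syntax line. The same applies to `+keyid available in 2.5.1 and later.` in the @@ -998,15 +1013,17 @@ hunk.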
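Review bot: the new paragraph in the @@ -944,6 +945,17 @@ hunk says the identifier is "used in conjunction with the OpenSSL pkcs11 engine" but never says how that engine is selected or how the token PIN is supplied, which is exactly what an administrator moving a server key into a token needs to know. Add a cross-reference to SSLCryptoDevice (the mod_ssl directive that selects an OpenSSL engine) and say whether the PIN is requested at startup the way a PEM pass phrase is, or must be configured through the engine. RFC 7512 also allows a `pin-value` attribute inside a PKCS#11 URI, which would place the PIN in httpd.conf; the text should say whether that is honoured and discourage it. Finally, `+If SSLCertificateKeyFile is omitted, the certificate and private key can be loaded through the single identifier` should state whether the ordering rule given for embedded PEM keys in the @@ -1022,9 +1039,18 @@ context (such entries must come after those using a separate key file) applies to identifiers as well.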
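Review bot: the two comments added in the @@ -989,7 +1001,10 @@ hunk are worded inconsistently (`+# Example using a PEM-encoded file.` versus `+# Example use of a certificate and private key from a PKCS#11 token:`), and differently again from the `+# To use a private key from ...:` form used in the SSLCertificateKeyFile example; pick one form for both directives. The sample URI `pkcs11:token=My%20Token%20Name;id=45` would also benefit from a sentence noting that `id=` is the percent-encoded binary CKA_ID (RFC 7512), so `id=45` as written matches the two ASCII bytes 0x34 0x35 rather than a numeric id 45; mismatched ids are the usual reason a token object is not found at startup.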
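Review bot: the @@ -998,15 +1013,17 @@ hunk changes the syntax to `+SSLCertificateKeyFile file-path|keyid` but leaves the description as `Server PEM-encoded private key file`, while the SSLCertificateFile hunk updated its description to `... or token identifier`; update this one to match. In the body, `+server, or the key ID through a configured cryptographic token.` is awkward, and the following `If the contained private key is encrypted, the pass phrase dialog is forced at startup time.` now reads as though it covers token-resident keys too. Suggest "or a key identifier for a private key held in a configured cryptographic token" and scoping the pass-phrase sentence explicitly to PEM files.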
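Review bot: the @@ -1022,9 +1039,18 @@ hunk repeats the SSLCertificateFile paragraph almost verbatim and, together with the example, uses the identical URI `pkcs11:token=My%20Token%20Name;id=45` for both the certificate and the private key without saying how the two objects are told apart. State whether the administrator should (or may) add the RFC 7512 `type=cert` / `type=private` attribute, or whether mod_ssl searches for both object classes under the same id, since an ambiguous URI that matches several objects is otherwise a silent failure mode at startup. A one-line cross-reference to the SSLCertificateFile paragraph would replace the duplicated text.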
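Review bot: the hunks from @@ -1033,7 +1059,7 @@ through @@ -2768,7 +2794,7 @@ touch SSLCertificateChainFile, SSLCACertificateFile, SSLCADNRequestFile, SSLCARevocationFile, SSLSRPVerifierFile, SSLProxyCACertificateFile, SSLProxyCARevocationFile and SSLSessionTicketKeyFile, none of which is related to PKCS#11, and in each the `-`/`+` pair renders identically (`-SSLCertificateChainFile file-path` / `+SSLCertificateChainFile file-path`), so the change is in markup this view does not show. The commit message `Sync PKCS#11 docs from trunk.` does not mention it; either note the markup cleanup in the message or keep it out of this commit so the PKCS#11 documentation change can be reviewed on its own.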