PKCS7 Certificate Module

Return the CA certificate or next CA certificate as a PKCS7 response.

What does it do?

Based on configuration of the backend modules, the CA certificate or the next CA certificate is returned as a DER or PEM encoded degenerate PKCS7 as per RFC2315.

Module Integration

The mod_pkcs7 module is a frontend module and will not do anything useful until mod_pkcs7 has been combined with one or more backend modules listed below. The mod_pkcs7 module uses the following hooks to get the CA certificate and next CA certificate, and suitable backend modules must be configured to implement each hook as needed.

All frontend modules run within a standard Apache httpd request, and standard httpd functionality applies in all cases.

Get CA Certificate Hook

This hook returns CA certificates for the given CA.

mod_ca_engine Returns CA certificates that would sign certificate sign requests by an HSM such as a smartcard.
mod_ca_simple Returns CA certificates that would sign certificate sign requests by a certificate and key specified on disk.

Get Next CA Certificate Hook

This hook returns certificates that were requested previously and generated at a possibly later date or time.

mod_ca_engine Returns the upcoming next CA certificates that would sign certificate sign requests by an HSM such as a smartcard.
mod_ca_simple Returns the upcoming next CA certificates that would sign certificate sign requests by a certificate and key specified on disk.

Examples

Basic Example

The simplest case: return the CA certificate and the next CA certificate to anybody who wants it.


  # return these certificates
  CASimpleCertificate /etc/pki/tls/ca-cert.pem
  CASimpleNextCertificate /etc/pki/tls/ca-cert-next.pem


# frontend configuration:

  
    SetHandler pkcs7-ca
  
  
    SetHandler pkcs7-nextca
  

]]>

Handler Reference

The following parameters to the SetHandler directive are supported.

pkcs7-ca Handler

After calling the getca hook return the CA certificate as a DER or PEM encoded degenerate PKCS7 certificate bundle.

pkcs7-nextca Handler

After calling the getnextca hook return the next CA certificate as a DEM or PEN encoded degenerate PKCS7 certificate bundle.

Directive Reference

Pkcs7Freshness Directive

Description The max-age of the certificate will be divided by this factor.
Syntax Pkcs7Freshness factor [max-seconds]
Default Pkcs7Freshness 2 86400
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_pkcs7
Compatibility Introduced in mod_pkcs7 0.2.0 and works with Apache HTTP Server 2.4.0 and later

The age of the certificate will be divided by this factor when added as a max-age, set to zero to disable. Defaults to "2". An optional maximum value can be specified, defaults to one day.

Pkcs7Location Directive

Description Set the URL location of the WADL returned by the OPTIONS method.
Syntax Pkcs7Location url
Default Pkcs7Location [current-URL]
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_pkcs7
Compatibility Introduced in mod_pkcs7 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set the URL location of the WADL returned by the OPTIONS method.

Pkcs7Encoding Directive

Description Set to the default encoding to be returned if not specified.
Syntax Pkcs7Encoding encoding
Default Pkcs7Encoding der
Context server config, virtual host, directory, .htaccess
Status Frontend
Module mod_pkcs7
Compatibility Introduced in mod_pkcs7 0.2.0 and works with Apache HTTP Server 2.4.0 and later

Set the default encoding to be returned if not specified. Must be one of "pem", "x-pem" or "der".