Using SmartKey for Apache web server TLS keys

Updated: May 31, 2017


Apache web server is a popular open-source HTTP server. SmartKey™ can be used to protect the TLS private key for your Apache web server, keeping the private key secure even if the host running the Apache web server is compromised.

This page describes how to set up your Apache web server to use a TLS private key stored in SmartKey™. To get started quickly, you can use a Fortanix-provided docker image. Retrieve the image by running docker pull fortanix/sdkms-apache.

Obtaining a TLS key and certificate

The Managing SmartKey Keys With OpenSSL article describes several ways of generating or importing a TLS key and certificate. If you aren’t sure which flow to use and just want to test things out, you can use the section titled “Generating a TLS key and self-signed certificate”.

Installing the TLS key and certificate

Create a file named docker.env to configure the container. In the template below, change the API key and the key and certificate labels. The PKCS11 label and the SmartKey security object description are the same. You can obtain it either from the commands you used to import the key or from the security object detail view in the web interface.

The API key is sensitive, so for production deployments, this file should be protected appropriately.

FORTANIX_API_KEY=<API key from web UI>
FORTANIX_CERTIFICATE_LABEL=<label of certificate>
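
A preflight check for docker.env, as an added example that is not part of the Fortanix documentation or image. It assumes "protected appropriately" means a regular file with no group or other permissions; the function name check_env_file is hypothetical.

```shell
#!/bin/sh
# Added example: preflight check for the docker.env file described above.
# Assumption: "protected appropriately" is taken to mean a regular file
# with no group/other permission bits (mode 0600 or stricter).

# check_env_file FILE -> returns 0 if FILE is safe to pass to --env-file.
check_env_file() {
    f=$1

    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "error: $f is missing or not a regular file" >&2
        return 1
    fi

    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "error: $f is accessible to group/other; run: chmod 600 $f" >&2
        return 1
    fi

    # Both variables from the page's template must be set to real values.
    for var in FORTANIX_API_KEY FORTANIX_CERTIFICATE_LABEL; do
        # docker --env-file takes the text after '=' literally.
        val=$(sed -n "s/^${var}=//p" "$f" | tail -n 1)
        case $val in
            '')   echo "error: $var is not set in $f" >&2; return 1 ;;
            '<'*) echo "error: $var still holds the template placeholder" >&2; return 1 ;;
        esac
    done
    return 0
}

# Usage: check_env_file docker.env && \
#   docker run -p 8443:443 --env-file docker.env fortanix/sdkms-apache
```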

Running the container

Run the container with:

docker run -p 8443:443 --env-file docker.env fortanix/sdkms-apache

Then open https://localhost:8443 in your browser. If you used a self-signed certificate, your browser will display a certificate warning, but regardless, the server’s private key is now protected by SmartKey™.