- Install Apache httpd with SSL/TLS support
sudo yum install -y httpd mod_ssl- Setup your SSL/TLS configuration as per the documentation.
Post-installation the
mod_sslpackage presents thessl.conffile below. Configure it with your custom directives and optionally rename it:
sudo mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/httpd-acm.confNOTE: A minimal TLS/SSL configuration example (as per documentation):
<VirtualHost *:443>
ServerName www.acm-httpd.example
SSLEngine on
SSLProtocol -all +TLSv1.2
SSLCertificateKeyFile ""
SSLCertificateFile ""
</VirtualHost>NOTE: The
SSLCertificateFileandSSLCertificateKeyFileentries must be present in the configuration enabled and at the beginning of the configuration line (as per defaultmod_sslssl.conf file). Thenitro-enclaves-acm.serviceshall scan the configuration file and update them with the correct pkcs#11 URIs after the token gets provisioned with the ACM certificate key.
- Setup ACM for Nitro Enclaves as per the documentation.
NOTE: Copy the default ACM for Nitro Enclaves httpd service configuration file example:
sudo mv /etc/nitro_enclaves/acm-httpd.example.yaml /etc/nitro_enclaves/acm.yaml-
Make sure that the
/etc/nitro_enclaves/acm.yamlfile contains theConfdirectivepathentry to point at your httpd SSL/TLS configuration file from step2above. After successfully starting thenitro-enclaves-acm.service, the enclave shall be up and running with a pkcs#11 token provisioned with a private key and the ACM certificate chain. -
Test that the server works as expected
curl --cacert path_to_pem_file --tlsv1.2 https://host_name_or_IPor
curl -k --tlsv1.2 https://host_name_or_IPNOTE: If you used a private certificate, you must add the host name to
/etc/hostsin the following format:127.0.0.1 host_name.