Create a self-signed certificate with OpenSSL

Generate a self-signed certificate with the Cloud KMS-hostedsigning key. You can use OpenSSL to use a PKCS #11 URI instead of a file pathand identify the key by its label. In the Cloud KMS PKCS #11library, the key label is the CryptoKey name.

openssl req -new -x509 -days 3650 -subj '/CN=CERTIFICATE_NAME/' \DIGEST_FLAG -engine pkcs11 -keyform engine \  -keyPKCS_KEY_TYPE=KEY_IDENTIFIER >PATH_TO_CERTIFICATE

Replace the following:

• CERTIFICATE_NAME: a name for the certificate.
• DIGEST_FLAG: the digest algorithm used by the asymmetric signingkey. Use-sha256,-sha384, or-sha512 depending on the key.
• PKCS_KEY_TYPE: the type of identifier used to identify the key.To use the latest key version, usepkcs11:object with the key's name. Touse a specific key version, usepkcs11:id with the full resource ID of thekey version.
• KEY_IDENTIFIER: an identifier for the key. If you're usingpkcs11:object, use the key's name—for example,KEY_NAME.If you're usingpkcs11:id, use the full resource ID of the key or keyversion—for example,projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME/cryptoKeyVersions/KEY_VERSION.
• PATH_TO_CERTIFICATE: the path where you want to save the certificatefile.

If this command fails,PKCS11_MODULE_PATH might have been set incorrectly, oryou might not have the right permissions to use the Cloud KMSsigning key.

You should now have a certificate that looks like this:

-----BEGIN CERTIFICATE-----.........-----END CERTIFICATE-----

Set up the Apache server

1. Create a directory in/etc/apache2 to store your self-signedcertificate in:

   sudo mkdir /etc/apache2/sslsudo mv ca.cert /etc/apache2/ssl

2. Edit the000-default.conf virtual host configuration files located in/etc/apache2/sites-available to provide the certificate file path andensure that the SSLEngine is on.

   Here is a sample configuration listening on port 443:

   <VirtualHost*:443>ServerAdminwebmaster@localhostDocumentRoot/var/www/htmlErrorLog${APACHE_LOG_DIR}/error.logCustomLog${APACHE_LOG_DIR}/access.logcombinedSSLEngineonSSLCertificateFile/etc/apache2/ssl/ca.certSSLCertificateKeyFile"PKCS_KEY_TYPE=KEY_IDENTIFIER"</VirtualHost>

3. Ensure Apache exports the environment variables correctly by adding them tothe/etc/apache2/envvars file using your text editor of choice. You mightneed to edit the file as root usingsudo. Add the following lines to theend of the file:

   exportPKCS11_MODULE_PATH="<var>PATH_TO_LIBKMSP11</var>"exportKMS_PKCS11_CONFIG="<var>PATH_TO_PKCS11_CONFIG</var>"exportGRPC_ENABLE_FORK_SUPPORT=1

   Replace the following:

   • PATH_TO_LIBKMSP11: the path tolibkmsp11.so.
   • PATH_TO_PKCS11_CONFIG: the path topkcs11-config.yaml.

   GRPC_ENABLE_FORK_SUPPORT is needed for gRPC to include fork support andcorrectly run the Cloud KMS PKCS #11 library as part of the Apacheserver.

   If you want to authenticate using a service account key, you must alsoexport a value for theGOOGLE_APPLICATION_CREDENTIALS environmentvariable.

Run your server

Enable the Apache SSL module, enable the virtualhost configuration, and add atest web page in your DocumentRoot folder:

sudoa2enmodsslsudoa2ensite000-default.confecho'<!doctype html><html><body><h1>Hello World!</h1></body></html>'|\sudotee/var/www/html/index.html

Restart your Apache server and test withcurl that the configuration works asexpected. The--insecure flag is needed to ignore self-signed certificatechecks.

sudo systemctl restart apache2curl -v --insecure https://127.0.0.1

If you encounter any errors, the Apache error log is a good starting place tosee what went wrong. Authentication issues are a common source of errors. If youseePERMISSION_DENIED errors, make sure that you are fully authenticated andthat the credentials file has the right permissions. To make sure you are fullyauthenticated, run the following command:

gcloudauthapplication-defaultlogin

To confirm that authentication was successful, the output should include thelineCredentials saved to file: [/path/to/credentials.json].