I have a problem with mod_ssl, specifically with the SSLCryptoDevice directive. When I run the command "openssl engine", it returns all available engines including pkcs11 (libengine-pkcs11-openssl), but when I set SSLCryptoDevice pkcs11 in the mod_ssl configuration and try to start Apache, it returns the error "SSLCryptoDevice: Invalid argument; must be one of:" but now the pkcs11 engine isn't listed. In openssl it works well.
Some system info: Debian 8 x64, OpenSSL 1.0.1k, Apache 2.4.10
Apache start error: http://pastebin.com/b4GLaSHL
OpenSSL engines: http://pastebin.com/kXNYG2Yw
Best Answer
PKCS#11 support isn't native in mod_ssl. See:
https://bz.apache.org/bugzilla/show_bug.cgi?id=42687
https://bz.apache.org/bugzilla/show_bug.cgi?id=42688
https://bz.apache.org/bugzilla/show_bug.cgi?id=52473
You can try applying these patches, but they are not suitable for production use.
Another alternative is to use mod_nss.
mod_nss uses NSS as the crypto library instead of OpenSSL and supports PKCS#11.