Overview 1: Get ready 2: Generate key 3: Configure server 4: Verify

AWS CloudHSM SSL/TLS offload on Linux using NGINX or Apache with OpenSSL

This topic provides step-by-step instructions for setting up SSL/TLS offload with AWS CloudHSM on a Linux web server.

Topics

Overview
Step 1: Set up the prerequisites
Step 2: Generate the private key and SSL/TLS certificate
Step 3: Configure the web server
Step 4: Enable HTTPS traffic and verify the certificate

Overview

On Linux, the NGINX and Apache HTTP Server web server software integrate with OpenSSL to support HTTPS. The AWS CloudHSM dynamic engine for OpenSSL provides an interface that enables the web server software to use the HSMs in your cluster for cryptographic offloading and key storage. The OpenSSL engine is the bridge that connects the web server to your AWS CloudHSM cluster.

To complete this tutorial, you must first choose whether to use the NGINX or Apache web server software on Linux. Then the tutorial shows you how to do the following:

Install the web server software on an Amazon EC2 instance.
Configure the web server software to support HTTPS with a private key stored in your AWS CloudHSM cluster.
(Optional) Use Amazon EC2 to create a second web server instance and Elastic Load Balancing to create a load balancer. Using a load balancer can increase performance by distributing the load across multiple servers. It can also provide redundancy and higher availability if one or more servers fail.

When you're ready to get started, go to Step 1: Set up the prerequisites.

Step 1: Set up the prerequisites

Different platforms require different prerequisites. Use the prerequisites section below that matches your platform.

Prerequisites for Client SDK 5

To set up web server SSL/TLS offload with Client SDK 5, you need the following:

An active AWS CloudHSM cluster with at least two hardware security modules (HSM)

Note
You can use a single HSM cluster, but you must first disable client key durability. For more information, see Manage Client Key Durability Settings and Client SDK 5 Configure Tool.
An Amazon EC2 instance running a Linux operating system with the following software installed:
- A web server (either NGINX or Apache)
- The OpenSSL Dynamic Engine for Client SDK 5
A crypto user (CU) to own and manage the web server's private key on the HSM.

To set up a Linux web server instance and create a CU on the HSM

Install and configure the OpenSSL Dynamic Engine for AWS CloudHSM. For more information about installing OpenSSL Dynamic Engine, see OpenSSL Dynamic Engine for Client SDK 5.
On an EC2 Linux instance that has access to your cluster, install either NGINX or Apache web server:
Amazon Linux
NGINX

$ sudo yum install nginx

Apache

$ sudo yum install httpd24 mod24_ssl
Amazon Linux 2
For information on how to download the latest version of NGINX on Amazon Linux 2, see the NGINX website.

The latest version of NGINX available for Amazon Linux 2 uses a version of OpenSSL that is newer than the system version of OpenSSL. After installing NGINX, you need to create a symbolic link from the AWS CloudHSM OpenSSL Dynamic Engine library to the location that this version of OpenSSL expects

$ sudo ln -sf /opt/cloudhsm/lib/libcloudhsm_openssl_engine.so /usr/lib64/engines-1.1/cloudhsm.so

Apache

$ sudo yum install httpd mod_ssl
Amazon Linux 2023
NGINX

$ sudo yum install nginx

Apache

$ sudo yum install httpd mod_ssl
CentOS 7
For information on how to download the latest version of NGINX on CentOS 7, see the NGINX website.

The latest version of NGINX available for CentOS 7 uses a version of OpenSSL that is newer than the system version of OpenSSL. After installing NGINX, you need to create a symbolic link from the AWS CloudHSM OpenSSL Dynamic Engine library to the location that this version of OpenSSL expects

$ sudo ln -sf /opt/cloudhsm/lib/libcloudhsm_openssl_engine.so /usr/lib64/engines-1.1/cloudhsm.so

Apache

$ sudo yum install httpd mod_ssl
Red Hat 7
For information on how to download the latest version of NGINX on Red Hat 7, see the NGINX website.

The latest version of NGINX available for Red Hat 7 uses a version of OpenSSL that is newer than the system version of OpenSSL. After installing NGINX, you need to create a symbolic link from the AWS CloudHSM OpenSSL Dynamic Engine library to the location that this version of OpenSSL expects

$ sudo ln -sf /opt/cloudhsm/lib/libcloudhsm_openssl_engine.so /usr/lib64/engines-1.1/cloudhsm.so

Apache

$ sudo yum install httpd mod_ssl
CentOS 8
NGINX

$ sudo yum install nginx

Apache

$ sudo yum install httpd mod_ssl
Red Hat 8
NGINX

$ sudo yum install nginx

Apache

$ sudo yum install httpd mod_ssl
Ubuntu 18.04
NGINX

$ sudo apt install nginx

Apache

$ sudo apt install apache2
Ubuntu 20.04
NGINX

$ sudo apt install nginx

Apache

$ sudo apt install apache2
Ubuntu 22.04
NGINX

$ sudo apt install nginx

Apache

$ sudo apt install apache2
Ubuntu 24.04
NGINX

$ sudo apt install nginx

Apache

$ sudo apt install apache2
Use CloudHSM CLI to create a crypto user. For more information about managing HSM users, see Managing HSM users with CloudHSM CLI.

Tip
Keep track of the CU user name and password. You will need them later when you generate or import the HTTPS private key and certificate for your web server.

After you complete these steps, go to Step 2: Generate the private key and SSL/TLS certificate.

Notes

To use Security-Enhanced Linux (SELinux) and web servers, you must allow outbound TCP connections on port 2223, which is the port Client SDK 5 uses to communicate with the HSM.
To create and activate a cluster and give an EC2 instance access to the cluster, complete the steps in Getting Started with AWS CloudHSM. The getting started offers step-by-step instruction for creating an active cluster with one HSM and an Amazon EC2 client instance. You can use this client instance as your web server.
To avoid disabling client key durability, add more than one HSM to your cluster. For more information, see Adding an HSM to an AWS CloudHSM cluster.
To connect to your client instance, you can use SSH or PuTTY. For more information, see Connecting to Your Linux Instance Using SSH or Connecting to Your Linux Instance from Windows Using PuTTY in the Amazon EC2 documentation.

Step 2: Generate the private key and SSL/TLS certificate

To enable HTTPS, your web server application (NGINX or Apache) needs a private key and a corresponding SSL/TLS certificate. To use web server SSL/TLS offload with AWS CloudHSM, you must store the private key in an HSM in your AWS CloudHSM cluster. You will first generate a private key and use the key to create a certificate signing request (CSR). You then export a fake PEM private key from the HSM, which is a private key file in PEM format which contains a reference to the private key stored on the HSM (it's not the actual private key). Your web server uses the fake PEM private key file to identify the private key on the HSM during SSL/TLS offload.

Generate a private key and certificate

Generate a private key

This section shows you how to generate a keypair using the CloudHSM CLI. Once you have a key pair generated inside the HSM, you can export it as a fake PEM file and generate the corresponding certificate.

Install and configure the CloudHSM CLI

Install and Configure the CloudHSM CLI.
Use the following command to start the CloudHSM CLI.
```
$ /opt/cloudhsm/bin/cloudhsm-cli interactive
```
Run the following command to log in to the HSM. Replace <user name> with the user name of your crypto-user
```
Command: login --username <user name> --role crypto-user
```

Generate a Private Key

Depending on your use case, you can either generate an RSA or an EC key pair. Do one of the following:

To generate an RSA private key on an HSM

Use the key generate-asymmetric-pair rsa command to generate an RSA key pair. This example generates an RSA key pair with a modulus of 2048, a public exponent of 65537, public key label of tls_rsa_pub, and private key label of tls_rsa_private.


aws-cloudhsm > key generate-asymmetric-pair rsa \
--public-exponent 65537 \
--modulus-size-bits 2048 \
--public-label tls_rsa_pub \
--private-label tls_rsa_private
--private-attributes sign=true
{
  "error_code": 0,
  "data": {
    "public_key": {
      "key-reference": "0x0000000000280cc8",
      "key-info": {
        "key-owners": [
          {
            "username": "cu1",
            "key-coverage": "full"
          }
        ],
        "shared-users": [],
        "cluster-coverage": "full"
      },
      "attributes": {
        "key-type": "rsa",
        "label": "tls_rsa_pub",
        "id": "",
        "check-value": "0x01fe6e",
        "class": "public-key",
        "encrypt": true,
        "decrypt": false,
        "token": true,
        "always-sensitive": false,
        "derive": false,
        "destroyable": true,
        "extractable": true,
        "local": true,
        "modifiable": true,
        "never-extractable": false,
        "private": true,
        "sensitive": false,
        "sign": false,
        "trusted": false,
        "unwrap": false,
        "verify": false,
        "wrap": false,
        "wrap-with-trusted": false,
        "key-length-bytes": 512,
        "public-exponent": "0x010001",
        "modulus": "0xb1d27e857a876f4e9fd5de748a763c539b359f937eb4b4260e30d1435485a732c878cdad9c72538e2215351b1d41358c9bf80b599c
73a80fdb457aa7b20cd61e486c326e2cfd5e124a7f6a996437437812b542e3caf85928aa866f0298580f7967ee6aa01440297d7308fdd9b76b70d1b67f12634d
f6e6296d6c116d5744c6d60d14d3bf3cb978fe6b75ac67b7089bafd50d8687213b31abc7dc1bad422780d29c851d5102b56f932551eaf52a9591fd8c43d81ecc
133022653225bd129f8491101725e9ea33e1ded83fb57af35f847e532eb30cd7e726f23910d2671c6364092e834697ec3cef72cc23615a1ba7c5e100156ae0ac
ac3160f0ca9725d38318b7",
        "modulus-size-bits": 2048
      }
    },
    "private_key": {
      "key-reference": "0x0000000000280cc7",
      "key-info": {
        "key-owners": [
          {
            "username": "cu1",
            "key-coverage": "full"
          }
        ],
        "shared-users": [],
        "cluster-coverage": "full"
      },
      "attributes": {
        "key-type": "rsa",
        "label": "tls_rsa_private",
        "id": "",
        "check-value": "0x01fe6e",
        "class": "private-key",
        "encrypt": false,
        "decrypt": true,
        "token": true,
        "always-sensitive": true,
        "derive": false,
        "destroyable": true,
        "extractable": true,
        "local": true,
        "modifiable": true,
        "never-extractable": false,
        "private": true,
        "sensitive": true,
        "sign": true,
        "trusted": false,
        "unwrap": false,
        "verify": false,
        "wrap": false,
        "wrap-with-trusted": false,
        "key-length-bytes": 1217,
        "public-exponent": "0x010001",
        "modulus": "0xb1d27e857a876f4e9fd5de748a763c539b359f937eb4b4260e30d1435485a732c878cdad9c72538e2215351b1d41358c9bf80b599c73a80fdb457aa7b20cd61e486c326e2cfd5e124a7f6a996437437812b542e3caf85928aa866f0298580f7967ee6aa01440297d7308fdd9b76b70d1b67f12634df6e6296d6c116d5744c6d60d14d3bf3cb978fe6b75ac67b7089bafd50d8687213b31abc7dc1bad422780d29c851d5102b56f932551eaf52a9591fd8c43d81ecc133022653225bd129f8491101725e9ea33e1ded83fb57af35f847e532eb30cd7e726f23910d2671c6364092e834697ec3cef72cc23615a1ba7c5e100156ae0acac3160f0ca9725d38318b7",
        "modulus-size-bits": 2048
      }
    }
  }
}

To generate an EC private key on an HSM

Use the key generate-asymmetric-pair ec command to generate an EC key pair. This example generates an EC key pair with the prime256v1 curve (corresponding to the NID_X9_62_prime256v1 curve), a public key label of tls_ec_pub, and a private key label of tls_ec_private.


aws-cloudhsm > key generate-asymmetric-pair ec \
    --curve prime256v1 \
    --public-label tls_ec_pub \
    --private-label tls_ec_private
    --private-attributes sign=true
{
  "error_code": 0,
  "data": {
    "public_key": {
      "key-reference": "0x000000000012000b",
      "key-info": {
        "key-owners": [
          {
            "username": "cu1",
            "key-coverage": "full"
          }
        ],
        "shared-users": [],
        "cluster-coverage": "session"
      },
      "attributes": {
        "key-type": "ec",
        "label": "tls_ec_pub",
        "id": "",
        "check-value": "0xd7c1a7",
        "class": "public-key",
        "encrypt": false,
        "decrypt": false,
        "token": false,
        "always-sensitive": false,
        "derive": false,
        "destroyable": true,
        "extractable": true,
        "local": true,
        "modifiable": true,
        "never-extractable": false,
        "private": true,
        "sensitive": false,
        "sign": false,
        "trusted": false,
        "unwrap": false,
        "verify": false,
        "wrap": false,
        "wrap-with-trusted": false,
        "key-length-bytes": 57,
        "ec-point": "0x047096513df542250a6b228fd9cb67fd0c903abc93488467681974d6f371083fce1d79da8ad1e9ede745fb9f38ac8622a1b3ebe9270556000c",
        "curve": "secp224r1"
      }
    },
"private_key": {
      "key-reference": "0x000000000012000c",
      "key-info": {
        "key-owners": [
          {
            "username": "cu1",
            "key-coverage": "full"
          }
        ],
        "shared-users": [],
        "cluster-coverage": "session"
      },
      "attributes": {
        "key-type": "ec",
        "label": "tls_ec_private",
        "id": "",
        "check-value": "0xd7c1a7",
        "class": "private-key",
        "encrypt": false,
        "decrypt": false,
        "token": false,
        "always-sensitive": true,
        "derive": false,
        "destroyable": true,
        "extractable": true,
        "local": true,
        "modifiable": true,
        "never-extractable": false,
        "private": true,
        "sensitive": true,
        "sign": true,
        "trusted": false,
        "unwrap": false,
        "verify": false,
        "wrap": false,
        "wrap-with-trusted": false,
        "key-length-bytes": 122,
        "ec-point": "0x047096513df542250a6b228fd9cb67fd0c903abc93488467681974d6f371083fce1d79da8ad1e9ede745fb9f38ac8622a1b3ebe9270556000c",
        "curve": "secp224r1"
      }
    }
  }
}

Export a fake PEM private key file

Once you have a private key on the HSM, you must export a fake PEM private key file. This file does not contain the actual key data, but it allows the OpenSSL Dynamic Engine to identify the private key on the HSM. You can then you use the private key to create a certificate signing request (CSR) and sign the CSR to create the certificate.

Use the key generate-file command to export the private key in fake PEM format and save it to a file. Replace the following values with your own.

<private_key_label> – Label of the private key you generated in the previous step.
<web_server_fake_pem.key> – Name of the file that your fake PEM key will be written to.


aws-cloudhsm > key generate-file --encoding reference-pem --path <web_server_fake_pem.key> --filter attr.label=<private_key_label>
{
  "error_code": 0,
  "data": {
    "message": "Successfully generated key file"
  }
}

Exit the CloudHSM CLI

Run the following command to stop the CloudHSM CLI.


aws-cloudhsm > quit

You should now have a new file on your system, located at the path specified by <web_server_fake_pem.key> in the preceding command. This file is the fake PEM private key file.

Generate a self-signed certificate

Once you have generated a fake PEM private key, you can use this file to generate a certificate signing request (CSR) and certificate.

In a production environment, you typically use a certificate authority (CA) to create a certificate from a CSR. A CA is not necessary for a test environment. If you do use a CA, send the CSR file to them and use signed SSL/TLS certificate that they provide you in your web server for HTTPS.

As an alternative to using a CA, you can use the AWS CloudHSM OpenSSL Dynamic Engine to create a self-signed certificate. Self-signed certificates are not trusted by browsers and should not be used in production environments. They can be used in test environments.

Warning

Self-signed certificates should be used in a test environment only. For a production environment, use a more secure method such as a certificate authority to create a certificate.

Install and configure the OpenSSL Dynamic Engine

Connect to your client instance.
Install the OpenSSL Dynamic Engine for AWS CloudHSM Client SDK 5

Generate a certificate

Obtain a copy of your fake PEM file generated in an earlier step.
Create a CSR

Run the following command to use the AWS CloudHSM OpenSSL Dynamic Engine to create a certificate signing request (CSR). Replace <web_server_fake_pem.key> with the name of the file that contains your fake PEM private key. Replace <web_server.csr> with the name of the file that contains your CSR.

The req command is interactive. Respond to each field. The field information is copied into your SSL/TLS certificate.
```
$ openssl req -engine cloudhsm -new -key <web_server_fake_pem.key> -out <web_server.csr>
```
Create a self-signed certificate

Run the following command to use the AWS CloudHSM OpenSSL Dynamic Engine to sign your CSR with your private key on your HSM. This creates a self-signed certificate. Replace the following values in the command with your own.
- <web_server.csr> – Name of the file that contains the CSR.
- <web_server_fake_pem.key> – Name of the file that contains the fake PEM private key.
- <web_server.crt> – Name of the file that will contain your web server certificate.
```
$ openssl x509 -engine cloudhsm -req -days 365 -in <web_server.csr> -signkey <web_server_fake_pem.key> -out <web_server.crt>
```

After you complete these steps, go to Step 3: Configure the web server.

Step 3: Configure the web server

Update your web server software's configuration to use the HTTPS certificate and corresponding fake PEM private key that you created in the previous step. Remember to backup your existing certificates and keys before you start. This will finish setting up your Linux web server software for SSL/TLS offload with AWS CloudHSM.

Complete the steps from one of the following sections.

Configure NGINX web server

Use this section to configure NGINX on supported platforms.

To update the web server configuration for NGINX

Connect to your client instance.
Run the following command to create the required directories for the web server certificate and the fake PEM private key.
```
$ sudo mkdir -p /etc/pki/nginx/private
```
Run the following command to copy your web server certificate to the required location. Replace <web_server.crt> with the name of your web server certificate.
```
$ sudo cp <web_server.crt> /etc/pki/nginx/server.crt
```
Run the following command to copy your fake PEM private key to the required location. Replace <web_server_fake_pem.key> with the name of the file that contains your fake PEM private key.
```
$ sudo cp <web_server_example_pem.key> /etc/pki/nginx/private/server.key
```
Run the following command to change the file ownership so that the user named nginx can read them.
```
$ sudo chown nginx /etc/pki/nginx/server.crt /etc/pki/nginx/private/server.key
```
Run the following command to back up the /etc/nginx/nginx.conf file.
```
$ sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
```

Update the NGINX configuration.