Overview 1: Get ready 2: Generate key 3: Configure server 4: Verify

AWS CloudHSM SSL/TLS offload on Linux using NGINX or Apache with OpenSSL

This topic provides step-by-step instructions for setting up SSL/TLS offload with AWS CloudHSM on a Linux web server.

Topics

Overview
Step 1: Set up the prerequisites
Step 2: Generate or import a private key and SSL/TLS certificate
Step 3: Configure the web server
Step 4: Enable HTTPS traffic and verify the certificate

Overview

On Linux, the NGINX and Apache HTTP Server web server software integrate with OpenSSL to support HTTPS. The AWS CloudHSM dynamic engine for OpenSSL provides an interface that enables the web server software to use the HSMs in your cluster for cryptographic offloading and key storage. The OpenSSL engine is the bridge that connects the web server to your AWS CloudHSM cluster.

To complete this tutorial, you must first choose whether to use the NGINX or Apache web server software on Linux. Then the tutorial shows you how to do the following:

Install the web server software on an Amazon EC2 instance.
Configure the web server software to support HTTPS with a private key stored in your AWS CloudHSM cluster.
(Optional) Use Amazon EC2 to create a second web server instance and Elastic Load Balancing to create a load balancer. Using a load balancer can increase performance by distributing the load across multiple servers. It can also provide redundancy and higher availability if one or more servers fail.

When you're ready to get started, go to Step 1: Set up the prerequisites.

Step 1: Set up the prerequisites

Different platforms require different prerequisites. Use the prerequisites section below that matches your platform.

Prerequisites for Client SDK 5

To set up web server SSL/TLS offload with Client SDK 5, you need the following:

An active AWS CloudHSM cluster with at least two hardware security modules (HSM)

Note
You can use a single HSM cluster, but you must first disable client key durability. For more information, see Manage Client Key Durability Settings and Client SDK 5 Configure Tool.
An Amazon EC2 instance running a Linux operating system with the following software installed:
- A web server (either NGINX or Apache)
- The OpenSSL Dynamic Engine for Client SDK 5
A crypto user (CU) to own and manage the web server's private key on the HSM.

To set up a Linux web server instance and create a CU on the HSM

Install and configure the OpenSSL Dynamic Engine for AWS CloudHSM. For more information about installing OpenSSL Dynamic Engine, see OpenSSL Dynamic Engine for Client SDK 5.
On an EC2 Linux instance that has access to your cluster, install either NGINX or Apache web server:
Amazon Linux
NGINX

$ sudo yum install nginx

Apache

$ sudo yum install httpd24 mod24_ssl
Amazon Linux 2
For information on how to download the latest version of NGINX on Amazon Linux 2, see the NGINX website.

The latest version of NGINX available for Amazon Linux 2 uses a version of OpenSSL that is newer than the system version of OpenSSL. After installing NGINX, you need to create a symbolic link from the AWS CloudHSM OpenSSL Dynamic Engine library to the location that this version of OpenSSL expects

$ sudo ln -sf /opt/cloudhsm/lib/libcloudhsm_openssl_engine.so /usr/lib64/engines-1.1/cloudhsm.so

Apache

$ sudo yum install httpd mod_ssl
Amazon Linux 2023
NGINX

$ sudo yum install nginx

Apache

$ sudo yum install httpd mod_ssl
CentOS 7
For information on how to download the latest version of NGINX on CentOS 7, see the NGINX website.

The latest version of NGINX available for CentOS 7 uses a version of OpenSSL that is newer than the system version of OpenSSL. After installing NGINX, you need to create a symbolic link from the AWS CloudHSM OpenSSL Dynamic Engine library to the location that this version of OpenSSL expects

$ sudo ln -sf /opt/cloudhsm/lib/libcloudhsm_openssl_engine.so /usr/lib64/engines-1.1/cloudhsm.so

Apache

$ sudo yum install httpd mod_ssl
Red Hat 7
For information on how to download the latest version of NGINX on Red Hat 7, see the NGINX website.

The latest version of NGINX available for Red Hat 7 uses a version of OpenSSL that is newer than the system version of OpenSSL. After installing NGINX, you need to create a symbolic link from the AWS CloudHSM OpenSSL Dynamic Engine library to the location that this version of OpenSSL expects

$ sudo ln -sf /opt/cloudhsm/lib/libcloudhsm_openssl_engine.so /usr/lib64/engines-1.1/cloudhsm.so

Apache

$ sudo yum install httpd mod_ssl
CentOS 8
NGINX

$ sudo yum install nginx

Apache

$ sudo yum install httpd mod_ssl
Red Hat 8
NGINX

$ sudo yum install nginx

Apache

$ sudo yum install httpd mod_ssl
Ubuntu 18.04
NGINX

$ sudo apt install nginx

Apache

$ sudo apt install apache2
Ubuntu 20.04
NGINX

$ sudo apt install nginx

Apache

$ sudo apt install apache2
Ubuntu 22.04
NGINX

$ sudo apt install nginx

Apache

$ sudo apt install apache2
Ubuntu 24.04
NGINX

$ sudo apt install nginx

Apache

$ sudo apt install apache2
Use CloudHSM CLI to create a CU. For more information about managing HSM users, see Managing HSM users with CloudHSM CLI.

Tip
Keep track of the CU user name and password. You will need them later when you generate or import the HTTPS private key and certificate for your web server.

After you complete these steps, go to Step 2: Generate or import a private key and SSL/TLS certificate.

Notes

To use Security-Enhanced Linux (SELinux) and web servers, you must allow outbound TCP connections on port 2223, which is the port Client SDK 5 uses to communicate with the HSM.
To create and activate a cluster and give an EC2 instance access to the cluster, complete the steps in Getting Started with AWS CloudHSM. The getting started offers step-by-step instruction for creating an active cluster with one HSM and an Amazon EC2 client instance. You can use this client instance as your web server.
To avoid disabling client key durability, add more than one HSM to your cluster. For more information, see Adding an HSM to an AWS CloudHSM cluster.
To connect to your client instance, you can use SSH or PuTTY. For more information, see Connecting to Your Linux Instance Using SSH or Connecting to Your Linux Instance from Windows Using PuTTY in the Amazon EC2 documentation.

Prerequisites for Client SDK 3

To set up web server SSL/TLS offload with Client SDK 3, you need the following:

An active AWS CloudHSM cluster with at least one HSM.
An Amazon EC2 instance running a Linux operating system with the following software installed:
- The AWS CloudHSM client and command line tools.
- The NGINX or Apache web server application.
- The AWS CloudHSM dynamic engine for OpenSSL.
A crypto user (CU) to own and manage the web server's private key on the HSM.

To set up a Linux web server instance and create a CU on the HSM

Complete the steps in Getting started. You will then have an active cluster with one HSM and an Amazon EC2 client instance. Your EC2 instance will be configured with the command line tools. Use this client instance as your web server.
Connect to your client instance. For more information, see Connecting to Your Linux Instance Using SSH or Connecting to Your Linux Instance from Windows Using PuTTY in the Amazon EC2 documentation.
On an EC2 Linux instance that has access to your cluster, install either NGINX or Apache web server:
Amazon Linux
NGINX

$ sudo yum install nginx

Apache

$ sudo yum install httpd24 mod24_ssl
Amazon Linux 2
NGINX version 1.19 is the latest version of NGINX compatible with the Client SDK 3 engine on Amazon Linux 2.

For more information and to download NGINX version 1.19, see the NGINX website.

Apache

$ sudo yum install httpd mod_ssl
CentOS 7
NGINX version 1.19 is the latest version of NGINX compatible with the Client SDK 3 engine on CentOS 7.

For more information and to download NGINX version 1.19, see the NGINX website.

Apache

$ sudo yum install httpd mod_ssl
Red Hat 7
NGINX version 1.19 is the latest version of NGINX compatible with the Client SDK 3 engine on Red Hat 7.

For more information and to download NGINX version 1.19, see the NGINX website.

Apache

$ sudo yum install httpd mod_ssl
Ubuntu 16.04
NGINX

$ sudo apt install nginx

Apache

$ sudo apt install apache2
Ubuntu 18.04
NGINX

$ sudo apt install nginx

Apache

$ sudo apt install apache2
(Optional) Add more HSMs to your cluster. For more information, see Adding an HSM to an AWS CloudHSM cluster.
Use cloudhsm_mgmt_util to create a CU. For more information, see HSM users. Keep track of the CU user name and password. You will need them later when you generate or import the HTTPS private key and certificate for your web server.

After you complete these steps, go to Step 2: Generate or import a private key and SSL/TLS certificate.

Step 2: Generate or import a private key and SSL/TLS certificate

To enable HTTPS, your web server application (NGINX or Apache) needs a private key and a corresponding SSL/TLS certificate. To use web server SSL/TLS offload with AWS CloudHSM, you must store the private key in an HSM in your AWS CloudHSM cluster. You can accomplish this in one of the following ways:

If you don't yet have a private key and a corresponding certificate, generate a private key in an HSM. You use the private key to create a certificate signing request (CSR), which you use to create the SSL/TLS certificate.
If you already have a private key and corresponding certificate, import the private key into an HSM.

Regardless of which of the preceding methods you choose, you export a fake PEM private key from the HSM, which is a private key file in PEM format which contains a reference to the private key stored on the HSM (it's not the actual private key). Your web server uses the fake PEM private key file to identify the private key on the HSM during SSL/TLS offload.

Do one of the following:

Generate a private key and certificate
Import an existing private key and certificate

Generate a private key and certificate

Generate a private key

This section shows you how to generate a key pair using the Key Management Utility (KMU) from Client SDK 3. Once you have a key pair generated inside the HSM, you can export it as a fake PEM file, and generate the corresponding certificate.

Private keys generated with the Key Management Utility (KMU) can be used with both Client SDK 3 and Client SDK 5.

Install and configure the Key Management Utility (KMU)

Connect to your client instance.
Install and Configure Client SDK 3.

Run the following command to start the AWS CloudHSM client.

Run the following command to start the key_mgmt_util command line tool.
```
$ /opt/cloudhsm/bin/key_mgmt_util
```
Run the following command to log in to the HSM. Replace <user name> and <password> with the user name and password of the cryptographic user (CU).
```
Command: loginHSM -u CU -s <user name> -p <password>>
```

Generate a Private Key

Depending on your use case, you can either generate an RSA or an EC key pair. Do one of the following:

To generate an RSA private key on an HSM

Use the genRSAKeyPair command to generate an RSA key pair. This example generates an RSA key pair with a modulus of 2048, a public exponent of 65537, and a label of tls_rsa_keypair.
```
Command: genRSAKeyPair -m 2048 -e 65537 -l tls_rsa_keypair
```
If the command was successful, you should see the following output indicating that you've successfully generated an RSA key pair.
```
Cfm3GenerateKeyPair returned: 0x00 : HSM Return: SUCCESS

                Cfm3GenerateKeyPair:    public key handle: 7    private key handle: 8

                Cluster Status:
                Node id 1 status: 0x00000000 : HSM Return: SUCCESS
```
To generate an EC private key on an HSM

Use the genECCKeyPair command to generate an EC key pair. This example generates an EC key pair with a curve ID of 2 (corresponding to the NID_X9_62_prime256v1 curve) and a label of tls_ec_keypair.
```
Command: genECCKeyPair -i 2 -l tls_ec_keypair
```
If the command was successful, you should see the following output indicating that you've successfully generated an EC key pair.
```
Cfm3GenerateKeyPair returned: 0x00 : HSM Return: SUCCESS    

                Cfm3GenerateKeyPair:    public key handle: 7    private key handle: 8

                Cluster Status:
                Node id 1 status: 0x00000000 : HSM Return: SUCCESS
```

Export a fake PEM private key file

Once you have a private key on the HSM, you must export a fake PEM private key file. This file does not contain the actual key data, but it allows the OpenSSL Dynamic Engine to identify the private key on the HSM. You can then you use the private key to create a certificate signing request (CSR) and sign the CSR to create the certificate.

Note

fake PEM files generated with the Key Management Utility (KMU) can be used with both Client SDK 3 and Client SDK 5.

Identify the key handle that corresponds to the key that you would like to export as a fake PEM, then run the following command to export the private key in fake PEM format and save it to a file. Replace the following values with your own.

<private_key_handle> – Handle of the generated private key. This handle was generated by one of the key generation commands in the preceding step. In the preceding example, the handle of the private key is 8.
<web_server_example_PEM.key> – Name of the file that your fake PEM key will be written to.


Command: getCaviumPrivKey -k <private_key_handle> -out <web_server_example_PEM.key>

Exit

Run the following command to stop the key_mgmt_util.


Command: exit

You should now have a new file on your system, located at the path specified by <web_server_example_PEM.key> in the preceding command. This file is the fake PEM private key file.

Generate a self-signed certificate

Once you have generated a fake PEM private key, you can use this file to generate a certificate signing request (CSR) and certificate.

In a production environment, you typically use a certificate authority (CA) to create a certificate from a CSR. A CA is not necessary for a test environment. If you do use a CA, send the CSR file to them and use signed SSL/TLS certificate that they provide you in your web server for HTTPS.

As an alternative to using a CA, you can use the AWS CloudHSM OpenSSL Dynamic Engine to create a self-signed certificate. Self-signed certificates are not trusted by browsers and should not be used in production environments. They can be used in test environments.

Warning

Self-signed certificates should be used in a test environment only. For a production environment, use a more secure method such as a certificate authority to create a certificate.

Install and configure the OpenSSL Dynamic Engine

Connect to your client instance.
To install and configure, do one of the following:
- Install the OpenSSL Dynamic Engine for AWS CloudHSM Client SDK 5
- OpenSSL Dynamic Engine for AWS CloudHSM Client SDK 3

Generate a certificate

Obtain a copy of your fake PEM file generated in an earlier step.
Create a CSR

Run the following command to use the AWS CloudHSM OpenSSL Dynamic Engine to create a certificate signing request (CSR). Replace <web_server_example_PEM.key> with the name of the file that contains your fake PEM private key. Replace <web_server.csr> with the name of the file that contains your CSR.

The req command is interactive. Respond to each field. The field information is copied into your SSL/TLS certificate.
```
$ openssl req -engine cloudhsm -new -key <web_server_example_PEM.key> -out <web_server.csr>
```
Create a self-signed certificate

Run the following command to use the AWS CloudHSM OpenSSL Dynamic Engine to sign your CSR with your private key on your HSM. This creates a self-signed certificate. Replace the following values in the command with your own.
- <web_server.csr> – Name of the file that contains the CSR.
- <web_server_example_PEM.key> – Name of the file that contains the fake PEM private key.
- <web_server.crt> – Name of the file that will contain your web server certificate.
```
$ openssl x509 -engine cloudhsm -req -days 365 -in <web_server.csr> -signkey <web_server_example_PEM.key> -out <web_server.crt>
```

After you complete these steps, go to Step 3: Configure the web server.

Import an existing private key and certificate

You might already have a private key and a corresponding SSL/TLS certificate that you use for HTTPS on your web server. If so, you can import that key into an HSM by following the steps in this section.

Note

Some notes on private key imports and Client SDK compatibility:

Importing an existing private key requires Client SDK 3.
You can use private keys from Client SDK 3 with Client SDK 5.
OpenSSL Dynamic Engine for Client SDK 3 does not support the latest Linux platforms, but the implementation of OpenSSL Dynamic Engine for Client SDK 5 does. You can import an existing private key using the Key Management Utility (KMU) provided with Client SDK 3, then use that private key and the implementation of OpenSSL Dynamic Engine with Client SDK 5 to support SSL/TLS offload on the latest Linux platforms.

To import an existing private key into an HSM with Client SDK 3

Connect to your Amazon EC2 client instance. If necessary, copy your existing private key and certificate to the instance.
Install and Configure Client SDK 3

Run the following command to start the AWS CloudHSM client.

Run the following command to start the key_mgmt_util command line tool.
```
$ /opt/cloudhsm/bin/key_mgmt_util
```
Run the following command to log in to the HSM. Replace <user name> and <password> with the user name and password of the cryptographic user (CU).
```
Command: loginHSM -u CU -s <user name> -p <password>
```

Run the following commands to import your private key into an HSM.

Run the following command to create a symmetric wrapping key that is valid for the current session only. The command and output are shown.


Command: genSymKey -t 31 -s 16 -sess -l wrapping_key_for_import

Cfm3GenerateSymmetricKey returned: 0x00 : HSM Return: SUCCESS
Symmetric Key Created.  Key Handle: 6
Cluster Error Status
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS

Run the following command to import your existing private key into an HSM. The command and output are shown. Replace the following values with your own:
- <web_server_existing.key> – Name of the file that contains your private key.
- <web_server_imported_key> – Label for your imported private key.
- <wrapping_key_handle> – Wrapping key handle generated by the preceding command. In the previous example, the wrapping key handle is 6.
```
Command: importPrivateKey -f <web_server_existing.key> -l <web_server_imported_key> -w <wrapping_key_handle>

BER encoded key length is 1219
Cfm3WrapHostKey returned: 0x00 : HSM Return: SUCCESS
Cfm3CreateUnwrapTemplate returned: 0x00 : HSM Return: SUCCESS
Cfm3UnWrapKey returned: 0x00 : HSM Return: SUCCESS
Private Key Unwrapped.  Key Handle: 8
Cluster Error Status
Node id 0 and err state 0x00000000 : HSM Return: SUCCESS
```

Run the following command to export the private key in fake PEM format and save it to a file. Replace the following values with your own.
- <private_key_handle> – Handle of the imported private key. This handle was generated by the second command in the preceding step. In the preceding example, the handle of the private key is 8.
- <web_server_example_PEM.key> – Name of the file that contains your exported fake PEM private key.
```
Command: getCaviumPrivKey -k <private_key_handle> -out <web_server_example_PEM.key>
```
Run the following command to stop key_mgmt_util.
```
Command: exit
```

After you complete these steps, go to Step 3: Configure the web server.

Step 3: Configure the web server

Update your web server software's configuration to use the HTTPS certificate and corresponding fake PEM private key that you created in the previous step. Remember to backup your existing certificates and keys before you start. This will finish setting up your Linux web server software for SSL/TLS offload with AWS CloudHSM.

Complete the steps from one of the following sections.

Topics

Configure NGINX web server
Configure Apache web server

Configure NGINX web server

Use this section to configure NGINX on supported platforms.

To update the web server configuration for NGINX

Connect to your client instance.
Run the following command to create the required directories for the web server certificate and the fake PEM private key.
```
$ sudo mkdir -p /etc/pki/nginx/private
```
Run the following command to copy your web server certificate to the required location. Replace <web_server.crt> with the name of your web server certificate.
```
$ sudo cp <web_server.crt> /etc/pki/nginx/server.crt
```
Run the following command to copy your fake PEM private key to the required location. Replace <web_server_fake_pem.key> with the name of the file that contains your fake PEM private key.
```
$ sudo cp <web_server_example_pem.key> /etc/pki/nginx/private/server.key
```
Run the following command to change the file ownership so that the user named nginx can read them.
```
$ sudo chown nginx /etc/pki/nginx/server.crt /etc/pki/nginx/private/server.key
```
Run the following command to back up the /etc/nginx/nginx.conf file.
```
$ sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
```

Update the NGINX configuration.

Note

Each cluster can support a maximum of 1000 NGINX worker processes across all NGINX web servers.

Amazon Linux

Use a text editor to edit the /etc/nginx/nginx.conf file. This requires Linux root permissions. At the top of the file, add the following lines:

If using Client SDK 3


ssl_engine cloudhsm;
env n3fips_password;

If using Client SDK 5
```
ssl_engine cloudhsm;
env CLOUDHSM_PIN;
```

Then add the following to the TLS section of the file:


# Settings for a TLS enabled server.
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  _;
    root         /usr/share/nginx/html;

    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    # It is *strongly* recommended to generate unique DH parameters
    # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
    #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA";
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

Amazon Linux 2

Use a text editor to edit the /etc/nginx/nginx.conf file. This requires Linux root permissions. At the top of the file, add the following lines:

If using Client SDK 3


ssl_engine cloudhsm;
env n3fips_password;

If using Client SDK 5
```
ssl_engine cloudhsm;
env CLOUDHSM_PIN;
```

Then add the following to the TLS section of the file:


# Settings for a TLS enabled server.
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  _;
    root         /usr/share/nginx/html;

    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    # It is *strongly* recommended to generate unique DH parameters
    # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
    #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA";
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

Amazon Linux 2023

Use a text editor to edit the /etc/nginx/nginx.conf file. This requires Linux root permissions. At the top of the file, add the following lines:


ssl_engine cloudhsm;
env CLOUDHSM_PIN;

Then add the following to the TLS section of the file:


# Settings for a TLS enabled server.
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  _;
    root         /usr/share/nginx/html;

    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    # It is *strongly* recommended to generate unique DH parameters
    # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
    #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA";
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

CentOS 7

Use a text editor to edit the /etc/nginx/nginx.conf file. This requires Linux root permissions. At the top of the file, add the following lines:

If using Client SDK 3


ssl_engine cloudhsm;
env n3fips_password;

If using Client SDK 5
```
ssl_engine cloudhsm;
env CLOUDHSM_PIN;
```

Then add the following to the TLS section of the file:


# Settings for a TLS enabled server.    
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  _;
    root         /usr/share/nginx/html;

    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    # It is *strongly* recommended to generate unique DH parameters
    # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
    #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA";
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

CentOS 8

Use a text editor to edit the /etc/nginx/nginx.conf file. This requires Linux root permissions. At the top of the file, add the following lines:


ssl_engine cloudhsm;
env CLOUDHSM_PIN;

Then add the following to the TLS section of the file:


# Settings for a TLS enabled server.
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  _;
    root         /usr/share/nginx/html;

    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    # It is *strongly* recommended to generate unique DH parameters
    # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
    #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA";
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

Red Hat 7

Use a text editor to edit the /etc/nginx/nginx.conf file. This requires Linux root permissions. At the top of the file, add the following lines:

If using Client SDK 3


ssl_engine cloudhsm;
env n3fips_password;

If using Client SDK 5
```
ssl_engine cloudhsm;
env CLOUDHSM_PIN;
```

Then add the following to the TLS section of the file:


# Settings for a TLS enabled server.
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  _;
    root         /usr/share/nginx/html;

    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    # It is *strongly* recommended to generate unique DH parameters
    # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
    #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA";
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

Red Hat 8

Use a text editor to edit the /etc/nginx/nginx.conf file. This requires Linux root permissions. At the top of the file, add the following lines:


ssl_engine cloudhsm;
env CLOUDHSM_PIN;

Then add the following to the TLS section of the file:


# Settings for a TLS enabled server.
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  _;
    root         /usr/share/nginx/html;

    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    # It is *strongly* recommended to generate unique DH parameters
    # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
    #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA";
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

Ubuntu 16.04 LTS

Use a text editor to edit the /etc/nginx/nginx.conf file. This requires Linux root permissions. At the top of the file, add the following lines:


ssl_engine cloudhsm;
    env n3fips_password;

Then add the following to the TLS section of the file:


# Settings for a TLS enabled server.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
    
        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        # It is *strongly* recommended to generate unique DH parameters
        # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
        #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_protocols TLSv1.2;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA";
        ssl_prefer_server_ciphers on;
    
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
    
        location / {
        }
    
        error_page 404 /404.html;
        location = /40x.html {
        }
    
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

Ubuntu 18.04 LTS

Use a text editor to edit the /etc/nginx/nginx.conf file. This requires Linux root permissions. At the top of the file, add the following lines:


ssl_engine cloudhsm;
    env CLOUDHSM_PIN;

Then add the following to the TLS section of the file:


# Settings for a TLS enabled server.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
    
        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        # It is *strongly* recommended to generate unique DH parameters
        # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
        #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA";
        ssl_prefer_server_ciphers on;
    
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
    
        location / {
        }
    
        error_page 404 /404.html;
        location = /40x.html {
        }
    
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

Ubuntu 20.04 LTS

Use a text editor to edit the /etc/nginx/nginx.conf file. This requires Linux root permissions. At the top of the file, add the following lines:


ssl_engine cloudhsm;
    env CLOUDHSM_PIN;

Then add the following to the TLS section of the file:


# Settings for a TLS enabled server.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
    
        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        # It is *strongly* recommended to generate unique DH parameters
        # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
        #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA";
        ssl_prefer_server_ciphers on;
    
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
    
        location / {
        }
    
        error_page 404 /404.html;
        location = /40x.html {
        }
    
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

Ubuntu 22.04 LTS

Use a text editor to edit the /etc/nginx/nginx.conf file. This requires Linux root permissions. At the top of the file, add the following lines:


ssl_engine cloudhsm;
  env CLOUDHSM_PIN;

Then add the following to the TLS section of the file:


# Settings for a TLS enabled server.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
    
        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        # It is *strongly* recommended to generate unique DH parameters
        # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
        #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA";
        ssl_prefer_server_ciphers on;
    
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
    
        location / {
        }
    
        error_page 404 /404.html;
        location = /40x.html {
        }
    
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

Ubuntu 24.04 LTS

Use a text editor to edit the /etc/nginx/nginx.conf file. This requires Linux root permissions. At the top of the file, add the following lines:


ssl_engine cloudhsm;
  env CLOUDHSM_PIN;

Then add the following to the TLS section of the file:


# Settings for a TLS enabled server.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;
    
        ssl_certificate "/etc/pki/nginx/server.crt";
        ssl_certificate_key "/etc/pki/nginx/private/server.key";
        # It is *strongly* recommended to generate unique DH parameters
        # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
        #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA";
        ssl_prefer_server_ciphers on;
    
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
    
        location / {
        }
    
        error_page 404 /404.html;
        location = /40x.html {
        }
    
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

Save the file.

Back up the systemd configuration file, and then set the EnvironmentFile path.
Amazon Linux

No action required.

Amazon Linux 2
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open the /lib/systemd/system/nginx.service file in a text editor, and then under the [Service] section, add the following path:

EnvironmentFile=/etc/sysconfig/nginx
Amazon Linux 2023
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open /lib/systemd/system/nginx.service in a text editor. Under the [Service] section, add:

EnvironmentFile=/etc/sysconfig/nginx
CentOS 7

No action required.

CentOS 8
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open the /lib/systemd/system/nginx.service file in a text editor, and then under the [Service] section, add the following path:

EnvironmentFile=/etc/sysconfig/nginx
Red Hat 7

No action required.

Red Hat 8
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open the /lib/systemd/system/nginx.service file in a text editor, and then under the [Service] section, add the following path:

EnvironmentFile=/etc/sysconfig/nginx
Ubuntu 16.04
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open the /lib/systemd/system/nginx.service file in a text editor, and then under the [Service] section, add the following path:

EnvironmentFile=/etc/sysconfig/nginx
Ubuntu 18.04
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open the /lib/systemd/system/nginx.service file in a text editor, and then under the [Service] section, add the following path:

EnvironmentFile=/etc/sysconfig/nginx
Ubuntu 20.04 LTS
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open the /lib/systemd/system/nginx.service file in a text editor, and then under the [Service] section, add the following path:

EnvironmentFile=/etc/sysconfig/nginx
Ubuntu 22.04 LTS
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open the /lib/systemd/system/nginx.service file in a text editor, and then under the [Service] section, add the following path:

EnvironmentFile=/etc/sysconfig/nginx
Ubuntu 24.04 LTS
Back up the nginx.service file.

$ sudo cp /lib/systemd/system/nginx.service /lib/systemd/system/nginx.service.backup

Open the /lib/systemd/system/nginx.service file in a text editor, and then under the [Service] section, add the following path:

EnvironmentFile=/etc/sysconfig/nginx
Check if the /etc/sysconfig/nginx file exists, and then do one of the following:
- If the file exists, back up the file by running the following command:
```
$ sudo cp /etc/sysconfig/nginx /etc/sysconfig/nginx.backup
```
- If the file doesn't exist, open a text editor, and then create a file named nginx in the /etc/sysconfig/ folder.
Configure the NGINX environment.

Note
Client SDK 5 introduces the CLOUDHSM_PIN environment variable for storing the credentials of the CU.
Amazon Linux
Open the /etc/sysconfig/nginx file in a text editor. This requires Linux root permissions. Add the Cryptography User (CU) credentials:
If using Client SDK 3

n3fips_password=<CU user name>:<password>

If using Client SDK 5

CLOUDHSM_PIN=<CU user name>:<password>
Replace <CU user name> and <password> with the CU credentials.

Save the file.
Amazon Linux 2
Open the /etc/sysconfig/nginx file in a text editor. This requires Linux root permissions. Add the Cryptography User (CU) credentials:
If using Client SDK 3

n3fips_password=<CU user name>:<password>

If using Client SDK 5

CLOUDHSM_PIN=<CU user name>:<password>
Replace <CU user name> and <password> with the CU credentials.

Save the file.
Amazon Linux 2023
As the Linux root user, open /etc/sysconfig/nginx file in a text editor. For example,
```
sudo vi /etc/sysconfig/nginx
```
Add the Cryptography User (CU) credentials:
```
CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file.
CentOS 7
Open the /etc/sysconfig/nginx file in a text editor. This requires Linux root permissions. Add the Cryptography User (CU) credentials:
If using Client SDK 3

n3fips_password=<CU user name>:<password>

If using Client SDK 5

CLOUDHSM_PIN=<CU user name>:<password>
Replace <CU user name> and <password> with the CU credentials.

Save the file.
CentOS 8
Open the /etc/sysconfig/nginx file in a text editor. This requires Linux root permissions. Add the Cryptography User (CU) credentials:
```
CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file.
Red Hat 7
Open the /etc/sysconfig/nginx file in a text editor. This requires Linux root permissions. Add the Cryptography User (CU) credentials:
If using Client SDK 3

n3fips_password=<CU user name>:<password>

If using Client SDK 5

CLOUDHSM_PIN=<CU user name>:<password>
Replace <CU user name> and <password> with the CU credentials.

Save the file.
Red Hat 8
Open the /etc/sysconfig/nginx file in a text editor. This requires Linux root permissions. Add the Cryptography User (CU) credentials:
```
CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file.
Ubuntu 16.04 LTS
Open the /etc/sysconfig/nginx file in a text editor. This requires Linux root permissions. Add the Cryptography User (CU) credentials:
```
n3fips_password=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file.
Ubuntu 18.04 LTS
Open the /etc/sysconfig/nginx file in a text editor. This requires Linux root permissions. Add the Cryptography User (CU) credentials:
```
CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file.
Ubuntu 20.04 LTS
Open the /etc/sysconfig/nginx file in a text editor. This requires Linux root permissions. Add the Cryptography User (CU) credentials:
```
CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file.
Ubuntu 22.04 LTS
Open the /etc/sysconfig/nginx file in a text editor. This requires Linux root permissions. Add the Cryptography User (CU) credentials:
```
CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file.
Ubuntu 24.04 LTS
Open the /etc/sysconfig/nginx file in a text editor. This requires Linux root permissions. Add the Cryptography User (CU) credentials:
```
CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Save the file.
Start the NGINX web server.
Amazon Linux
Open the /etc/sysconfig/nginx file in a text editor. This requires Linux root permissions. Add the Cryptography User (CU) credentials:
```
$ sudo service nginx start
```
Amazon Linux 2
Stop any running NGINX process
```
$ sudo systemctl stop nginx
```
Reload the systemd configuration to pick up the latest changes
```
$ sudo systemctl daemon-reload
```
Start the NGINX process
```
$ sudo systemctl start nginx
```
Amazon Linux 2023
Stop all NGINX processes
```
$ sudo systemctl stop nginx
```
Reload the systemd configuration to pick up the latest changes
```
$ sudo systemctl daemon-reload
```
Start NGINX
```
$ sudo systemctl start nginx
```
CentOS 7
Stop any running NGINX process
```
$ sudo systemctl stop nginx
```
Reload the systemd configuration to pick up the latest changes
```
$ sudo systemctl daemon-reload
```
Start the NGINX process
```
$ sudo systemctl start nginx
```
CentOS 8
Stop any running NGINX process
```
$ sudo systemctl stop nginx
```
Reload the systemd configuration to pick up the latest changes
```
$ sudo systemctl daemon-reload
```
Start the NGINX process
```
$ sudo systemctl start nginx
```
Red Hat 7
Stop any running NGINX process
```
$ sudo systemctl stop nginx
```
Reload the systemd configuration to pick up the latest changes
```
$ sudo systemctl daemon-reload
```
Start the NGINX process
```
$ sudo systemctl start nginx
```
Red Hat 8
Stop any running NGINX process
```
$ sudo systemctl stop nginx
```
Reload the systemd configuration to pick up the latest changes
```
$ sudo systemctl daemon-reload
```
Start the NGINX process
```
$ sudo systemctl start nginx
```
Ubuntu 16.04 LTS
Stop any running NGINX process
```
$ sudo systemctl stop nginx
```
Reload the systemd configuration to pick up the latest changes
```
$ sudo systemctl daemon-reload
```
Start the NGINX process
```
$ sudo systemctl start nginx
```
Ubuntu 18.04 LTS
Stop any running NGINX process
```
$ sudo systemctl stop nginx
```
Reload the systemd configuration to pick up the latest changes
```
$ sudo systemctl daemon-reload
```
Start the NGINX process
```
$ sudo systemctl start nginx
```
Ubuntu 20.04 LTS
Stop any running NGINX process
```
$ sudo systemctl stop nginx
```
Reload the systemd configuration to pick up the latest changes
```
$ sudo systemctl daemon-reload
```
Start the NGINX process
```
$ sudo systemctl start nginx
```
Ubuntu 22.04 LTS
Stop any running NGINX process
```
$ sudo systemctl stop nginx
```
Reload the systemd configuration to pick up the latest changes
```
$ sudo systemctl daemon-reload
```
Start the NGINX process
```
$ sudo systemctl start nginx
```
Ubuntu 24.04 LTS
Stop any running NGINX process
```
$ sudo systemctl stop nginx
```
Reload the systemd configuration to pick up the latest changes
```
$ sudo systemctl daemon-reload
```
Start the NGINX process
```
$ sudo systemctl start nginx
```

(Optional) Configure your platform to start NGINX at start-up.

After you update your web server configuration, go to Step 4: Enable HTTPS traffic and verify the certificate.

Configure Apache web server

Use this section to configure Apache on supported platforms.

To update the web server configuration for Apache

Connect to your Amazon EC2 client instance.

Define default locations for certificates and private keys for your platform.

Amazon Linux

In the /etc/httpd/conf.d/ssl.conf file, ensure these values exist:


SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

Amazon Linux 2

In the /etc/httpd/conf.d/ssl.conf file, ensure these values exist:


SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

Amazon Linux 2023

Open /etc/httpd/conf.d/ssl.conf file. Add these values if they don't already exist:


SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

CentOS 7

In the /etc/httpd/conf.d/ssl.conf file, ensure these values exist:


SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

CentOS 8

In the /etc/httpd/conf.d/ssl.conf file, ensure these values exist:


SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

Red Hat 7

In the /etc/httpd/conf.d/ssl.conf file, ensure these values exist:


SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

Red Hat 8

In the /etc/httpd/conf.d/ssl.conf file, ensure these values exist:


SSLCertificateFile      /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile   /etc/pki/tls/private/localhost.key

Ubuntu 16.04 LTS

In the /etc/apache2/sites-available/default-ssl.conf file, ensure these values exist:


SSLCertificateFile      /etc/ssl/certs/localhost.crt
SSLCertificateKeyFile   /etc/ssl/private/localhost.key

Ubuntu 18.04 LTS

In the /etc/apache2/sites-available/default-ssl.conf file, ensure these values exist:


SSLCertificateFile      /etc/ssl/certs/localhost.crt
SSLCertificateKeyFile   /etc/ssl/private/localhost.key

Ubuntu 20.04 LTS

In the /etc/apache2/sites-available/default-ssl.conf file, ensure these values exist:


SSLCertificateFile      /etc/ssl/certs/localhost.crt
SSLCertificateKeyFile   /etc/ssl/private/localhost.key

Ubuntu 22.04 LTS

In the /etc/apache2/sites-available/default-ssl.conf file, ensure these values exist:


SSLCertificateFile      /etc/ssl/certs/localhost.crt
SSLCertificateKeyFile   /etc/ssl/private/localhost.key

Ubuntu 24.04 LTS

In the /etc/apache2/sites-available/default-ssl.conf file, ensure these values exist:


SSLCertificateFile      /etc/ssl/certs/localhost.crt
SSLCertificateKeyFile   /etc/ssl/private/localhost.key

Copy your web server certificate to the required location for your platform.
Amazon Linux
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Amazon Linux 2
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Amazon Linux 2023
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
CentOS 7
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
CentOS 8
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Red Hat 7
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Red Hat 8
```
$ sudo cp <web_server.crt> /etc/pki/tls/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Ubuntu 16.04 LTS
```
$ sudo cp <web_server.crt> /etc/ssl/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Ubuntu 18.04 LTS
```
$ sudo cp <web_server.crt> /etc/ssl/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Ubuntu 20.04 LTS
```
$ sudo cp <web_server.crt> /etc/ssl/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Ubuntu 22.04 LTS
```
$ sudo cp <web_server.crt> /etc/ssl/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Ubuntu 24.04 LTS
```
$ sudo cp <web_server.crt> /etc/ssl/certs/localhost.crt
```
Replace <web_server.crt> with the name of your web server certificate.
Copy your fake PEM private key to the required location for your platform.
Amazon Linux
```
$ sudo cp <web_server_example_pem.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_example_pem.key> with the name of the file that contains your fake PEM private key.
Amazon Linux 2
```
$ sudo cp <web_server_example_pem.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_example_pem.key> with the name of the file that contains your fake PEM private key.
Amazon Linux 2023
```
$ sudo cp <web_server_example_pem.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_example_pem.key> with the name of the file that contains your fake PEM private key.
CentOS 7
```
$ sudo cp <web_server_example_pem.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_example_pem.key> with the name of the file that contains your fake PEM private key.
CentOS 8
```
$ sudo cp <web_server_example_pem.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_example_pem.key> with the name of the file that contains your fake PEM private key.
Red Hat 7
```
$ sudo cp <web_server_example_pem.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_example_pem.key> with the name of the file that contains your fake PEM private key.
Red Hat 8
```
$ sudo cp <web_server_example_pem.key> /etc/pki/tls/private/localhost.key
```
Replace <web_server_example_pem.key> with the name of the file that contains your fake PEM private key.
Ubuntu 16.04 LTS
```
$ sudo cp <web_server_example_pem.key> /etc/ssl/private/localhost.key
```
Replace <web_server_example_pem.key> with the name of the file that contains your fake PEM private key.
Ubuntu 18.04 LTS
```
$ sudo cp <web_server_example_pem.key> /etc/ssl/private/localhost.key
```
Replace <web_server_example_pem.key> with the name of the file that contains your fake PEM private key.
Ubuntu 20.04 LTS
```
$ sudo cp <web_server_example_pem.key> /etc/ssl/private/localhost.key
```
Replace <web_server_example_pem.key> with the name of the file that contains your fake PEM private key.
Ubuntu 22.04 LTS
```
$ sudo cp <web_server_example_pem.key> /etc/ssl/private/localhost.key
```
Replace <web_server_example_pem.key> with the name of the file that contains your fake PEM private key.
Ubuntu 24.04 LTS
```
$ sudo cp <web_server_example_pem.key> /etc/ssl/private/localhost.key
```
Replace <web_server_example_pem.key> with the name of the file that contains your fake PEM private key.
Change ownership of these files if required by your platform.
Amazon Linux
```
$ sudo chown apache /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key
```
Provides read permission to the user named apache.
Amazon Linux 2
```
$ sudo chown apache /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key
```
Provides read permission to the user named apache.
Amazon Linux 2023
```
$ sudo chown apache /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key
```
Provides read permission to the user named apache.
CentOS 7
```
$ sudo chown apache /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key
```
Provides read permission to the user named apache.
CentOS 8
```
$ sudo chown apache /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key
```
Provides read permission to the user named apache.
Red Hat 7
```
$ sudo chown apache /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key
```
Provides read permission to the user named apache.
Red Hat 8
```
$ sudo chown apache /etc/pki/tls/certs/localhost.crt /etc/pki/tls/private/localhost.key
```
Provides read permission to the user named apache.
Ubuntu 16.04 LTS

No action required.

Ubuntu 18.04 LTS

No action required.

Ubuntu 20.04 LTS

No action required.

Ubuntu 22.04 LTS

No action required.

Ubuntu 24.04 LTS

No action required.

Configure Apache directives for your platform.

Amazon Linux

Locate the SSL file for this platform:


/etc/httpd/conf.d/ssl.conf

This file contains Apache directives which define how your server should run. Directives appear on the left, followed by a value. Use a text editor to edit this file. This requires Linux root permissions.

Update or enter the following directives with these values:


SSLCryptoDevice cloudhsm
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA

Save the file.

Amazon Linux 2

Locate the SSL file for this platform:


/etc/httpd/conf.d/ssl.conf

Update or enter the following directives with these values:


SSLCryptoDevice cloudhsm
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA

Save the file.

Amazon Linux 2023

Locate the SSL file for this platform:


/etc/httpd/conf.d/ssl.conf

The Apache configuration file defines server behavior. Edit this file with root permissions.

Update or add the following directives:


SSLCryptoDevice cloudhsm
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA

Save the file.

CentOS 7

Locate the SSL file for this platform:


/etc/httpd/conf.d/ssl.conf

Update or enter the following directives with these values:


SSLCryptoDevice cloudhsm
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA

Save the file.

CentOS 8

Locate the SSL file for this platform:


/etc/httpd/conf.d/ssl.conf

Update or enter the following directives with these values:


SSLCryptoDevice cloudhsm
SSLProtocol TLSv1.2 TLSv1.3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA
SSLProxyCipherSuite HIGH:!aNULL

Save the file.

Red Hat 7

Locate the SSL file for this platform:


/etc/httpd/conf.d/ssl.conf

Update or enter the following directives with these values:


SSLCryptoDevice cloudhsm
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA

Save the file.

Red Hat 8

Locate the SSL file for this platform:


/etc/httpd/conf.d/ssl.conf

Update or enter the following directives with these values:


SSLCryptoDevice cloudhsm
SSLProtocol TLSv1.2 TLSv1.3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA
SSLProxyCipherSuite HIGH:!aNULL

Save the file.

Ubuntu 16.04 LTS

Locate the SSL file for this platform:


/etc/apache2/mods-available/ssl.conf

Update or enter the following directives with these values:


SSLCryptoDevice cloudhsm
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA

Save the file.

Enable the SSL module and default SSL site configuration:


$ sudo a2enmod ssl
$ sudo a2ensite default-ssl

Ubuntu 18.04 LTS

Locate the SSL file for this platform:


/etc/apache2/mods-available/ssl.conf

Update or enter the following directives with these values:


SSLCryptoDevice cloudhsm
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA
SSLProtocol TLSv1.2 TLSv1.3

Save the file.

Enable the SSL module and default SSL site configuration:


$ sudo a2enmod ssl
$ sudo a2ensite default-ssl

Ubuntu 20.04 LTS

Locate the SSL file for this platform:


/etc/apache2/mods-available/ssl.conf

Update or enter the following directives with these values:


SSLCryptoDevice cloudhsm
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA
SSLProtocol TLSv1.2 TLSv1.3

Save the file.

Enable the SSL module and default SSL site configuration:


$ sudo a2enmod ssl
$ sudo a2ensite default-ssl

Ubuntu 22.04 LTS

Locate the SSL file for this platform:


/etc/apache2/mods-available/ssl.conf

Update or enter the following directives with these values:


SSLCryptoDevice cloudhsm
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA
SSLProtocol TLSv1.2 TLSv1.3

Save the file.

Enable the SSL module and default SSL site configuration:


$ sudo a2enmod ssl
$ sudo a2ensite default-ssl

Ubuntu 24.04 LTS

Locate the SSL file for this platform:


/etc/apache2/mods-available/ssl.conf

Update or enter the following directives with these values:


SSLCryptoDevice cloudhsm
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA
SSLProtocol TLSv1.2 TLSv1.3

Save the file.

Enable the SSL module and default SSL site configuration:


$ sudo a2enmod ssl
$ sudo a2ensite default-ssl

Configure an environment-values file for your platform.
Amazon Linux

No action required. Environment values go in /etc/sysconfig/httpd

Amazon Linux 2
Open the httpd service file:
```
/lib/systemd/system/httpd.service
```
Under the [Service] section, add the following:
```
EnvironmentFile=/etc/sysconfig/httpd
```
Amazon Linux 2023
Open /lib/systemd/system/httpd.service

Under the [Service] section, add:
```
EnvironmentFile=/etc/sysconfig/httpd
```
CentOS 7
Open the httpd service file:
```
/lib/systemd/system/httpd.service
```
Under the [Service] section, add the following:
```
EnvironmentFile=/etc/sysconfig/httpd
```
CentOS 8
Open the httpd service file:
```
/lib/systemd/system/httpd.service
```
Under the [Service] section, add the following:
```
EnvironmentFile=/etc/sysconfig/httpd
```
Red Hat 7
Open the httpd service file:
```
/lib/systemd/system/httpd.service
```
Under the [Service] section, add the following:
```
EnvironmentFile=/etc/sysconfig/httpd
```
Red Hat 8
Open the httpd service file:
```
/lib/systemd/system/httpd.service
```
Under the [Service] section, add the following:
```
EnvironmentFile=/etc/sysconfig/httpd
```
Ubuntu 16.04 LTS

No action required. Environment values go in /etc/sysconfig/httpd

Ubuntu 18.04 LTS

No action required. Environment values go in /etc/sysconfig/httpd

Ubuntu 20.04 LTS

No action required. Environment values go in /etc/sysconfig/httpd

Ubuntu 22.04 LTS

No action required. Environment values go in /etc/sysconfig/httpd

Ubuntu 24.04 LTS

No action required. Environment values go in /etc/sysconfig/httpd
In the file that stores environment variables for your platform, set an environment variable that contains the credentials of the cryptographic user (CU):
Amazon Linux
Use a text editor to edit the /etc/sysconfig/httpd.
If using Client SDK 3

n3fips_password=<CU user name>:<password>

If using Client SDK 5

CLOUDHSM_PIN=<CU user name>:<password>
Replace <CU user name> and <password> with the CU credentials.
Amazon Linux 2
Use a text editor to edit the /etc/sysconfig/httpd.
If using Client SDK 3

n3fips_password=<CU user name>:<password>

If using Client SDK 5

CLOUDHSM_PIN=<CU user name>:<password>
Replace <CU user name> and <password> with the CU credentials.
Amazon Linux 2023
Open /etc/sysconfig/httpd, add:
```
CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.
CentOS 7
Use a text editor to edit the /etc/sysconfig/httpd.
If using Client SDK 3

n3fips_password=<CU user name>:<password>

If using Client SDK 5

CLOUDHSM_PIN=<CU user name>:<password>
Replace <CU user name> and <password> with the CU credentials.
CentOS 8
Use a text editor to edit the /etc/sysconfig/httpd.
```
CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.
Red Hat 7
Use a text editor to edit the /etc/sysconfig/httpd.
If using Client SDK 3

n3fips_password=<CU user name>:<password>

If using Client SDK 5

CLOUDHSM_PIN=<CU user name>:<password>
Replace <CU user name> and <password> with the CU credentials.
Red Hat 8
Use a text editor to edit the /etc/sysconfig/httpd.
```
CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Note
Client SDK 5 introduces the CLOUDHSM_PIN environment variable for storing the credentials of the CU.
Ubuntu 16.04 LTS
Use a text editor to edit the /etc/apache2/envvars.
```
export n3fips_password=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.
Ubuntu 18.04 LTS
Use a text editor to edit the /etc/apache2/envvars.
```
export CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Note
Client SDK 5 introduces the CLOUDHSM_PIN environment variable for storing the credentials of the CU. In Client SDK 3 you stored the CU credentials in the n3fips_password environment variable. Client SDK 5 supports both environment variables, but we recommend using CLOUDHSM_PIN.
Ubuntu 20.04 LTS
Use a text editor to edit the /etc/apache2/envvars.
```
export CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Note
Client SDK 5 introduces the CLOUDHSM_PIN environment variable for storing the credentials of the CU. In Client SDK 3 you stored the CU credentials in the n3fips_password environment variable. Client SDK 5 supports both environment variables, but we recommend using CLOUDHSM_PIN.
Ubuntu 22.04 LTS
Use a text editor to edit the /etc/apache2/envvars.
```
export CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Note
Client SDK 5 introduces the CLOUDHSM_PIN environment variable for storing the credentials of the CU. In Client SDK 3 you stored the CU credentials in the n3fips_password environment variable. Client SDK 5 supports both environment variables, but we recommend using CLOUDHSM_PIN.
Ubuntu 24.04 LTS
Use a text editor to edit the /etc/apache2/envvars.
```
export CLOUDHSM_PIN=<CU user name>:<password>
```
Replace <CU user name> and <password> with the CU credentials.

Note
Client SDK 5 introduces the CLOUDHSM_PIN environment variable for storing the credentials of the CU. In Client SDK 3 you stored the CU credentials in the n3fips_password environment variable. Client SDK 5 supports both environment variables, but we recommend using CLOUDHSM_PIN.

Start the Apache web server.

(Optional) Configure your platform to start Apache at start-up.

After you update your web server configuration, go to Step 4: Enable HTTPS traffic and verify the certificate.

Step 4: Enable HTTPS traffic and verify the certificate

After you configure your web server for SSL/TLS offload with AWS CloudHSM, add your web server instance to a security group that allows inbound HTTPS traffic. This allows clients, such as web browsers, to establish an HTTPS connection with your web server. Then make an HTTPS connection to your web server and verify that it's using the certificate that you configured for SSL/TLS offload with AWS CloudHSM.

Topics

Enable inbound HTTPS connections
Verify that HTTPS uses the certificate that you configured

Enable inbound HTTPS connections

To connect to your web server from a client (such as a web browser), create a security group that allows inbound HTTPS connections. Specifically, it should allow inbound TCP connections on port 443. Assign this security group to your web server.

To create a security group for HTTPS and assign it to your web server

Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
Choose Security groups in the navigation pane.
Choose Create security group.
For Create Security Group, do the following:
1. For Security group name, type a name for the security group that you are creating.
2. (Optional) Type a description of the security group that you are creating.
3. For VPC, choose the VPC that contains your web server Amazon EC2 instance.
4. Select Add Rule.
5. For Type, select HTTPS from the drop-down window.
6. For Source, enter a source location.
7. Choose Create security group.
In the navigation pane, choose Instances.
Select the check box next to your web server instance.
Select the Actions drop-down menu at the top of the page. Select Security and then Change Security Groups.
For Associated security groups, select the search box and choose the security group that you created for HTTPS. Then choose Add Security Groups.
Select Save.

Verify that HTTPS uses the certificate that you configured

After you add the web server to a security group, you can verify that SSL/TLS offload is using your self-signed certificate. You can do this with a web browser or with a tool such as OpenSSL s_client.

To verify SSL/TLS offload with a web browser

Use a web browser to connect to your web server using the public DNS name or IP address of the server. Ensure that the URL in the address bar begins with https://. For example, https://ec2-52-14-212-67.us-east-2.compute.amazonaws.com/.

Tip
You can use a DNS service such as Amazon Route 53 to route your website's domain name (for example, https://www.example.com/) to your web server. For more information, see Routing Traffic to an Amazon EC2 Instance in the Amazon Route 53 Developer Guide or in the documentation for your DNS service.
Use your web browser to view the web server certificate. For more information, see the following:
- For Mozilla Firefox, see View a Certificate on the Mozilla Support website.
- For Google Chrome, see Understand Security Issues on the Google Tools for Web Developers website.
Other web browsers might have similar features that you can use to view the web server certificate.
Ensure that the SSL/TLS certificate is the one that you configured your web server to use.

To verify SSL/TLS offload with OpenSSL s_client

Run the following OpenSSL command to connect to your web server using HTTPS. Replace <server name> with the public DNS name or IP address of your web server.
```
openssl s_client -connect <server name>:443
```
Tip
You can use a DNS service such as Amazon Route 53 to route your website's domain name (for example, https://www.example.com/) to your web server. For more information, see Routing Traffic to an Amazon EC2 Instance in the Amazon Route 53 Developer Guide or in the documentation for your DNS service.
Ensure that the SSL/TLS certificate is the one that you configured your web server to use.

You now have a website that is secured with HTTPS. The private key for the web server is stored in an HSM in your AWS CloudHSM cluster.

To add a load balancer, see Add a load balancer with Elastic Load Balancing for AWS CloudHSM(optional).

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

How it works

Offload on Linux with JSSE

AWS CloudHSM SSL/TLS offload on Linux using NGINX or Apache with OpenSSL

Topics

Overview

Step 1: Set up the prerequisites

Topics

Prerequisites for Client SDK 5

Note

To set up a Linux web server instance and create a CU on the HSM

Tip

Notes

Prerequisites for Client SDK 3

To set up a Linux web server instance and create a CU on the HSM

Step 2: Generate or import a private key and SSL/TLS certificate

Do one of the following:

Generate a private key and certificate

Generate a private key

Install and configure the Key Management Utility (KMU)

Note

Generate a self-signed certificate

Warning

Install and configure the OpenSSL Dynamic Engine

Generate a certificate

Import an existing private key and certificate

Note

To import an existing private key into an HSM with Client SDK 3

Step 3: Configure the web server

Topics

Configure NGINX web server

To update the web server configuration for NGINX

Note

Note

Configure Apache web server

To update the web server configuration for Apache

Note

Note

Note

Note

Note

Step 4: Enable HTTPS traffic and verify the certificate

Topics

Enable inbound HTTPS connections

To create a security group for HTTPS and assign it to your web server

Verify that HTTPS uses the certificate that you configured

To verify SSL/TLS offload with a web browser

Tip

To verify SSL/TLS offload with OpenSSL s_client

Tip