Set up an Apache HTTP Server with PKCS#11 providers
Learn how to configure an Apache HTTP Server to enable TLS with protected private keys, including soft and ICA tokens, hardware‑protected CCA and EP11 tokens, and keys accessed through PKCS#11 URIs.
Publication date: February 2026.
Overview
By default, an Apache HTTP Server implements TLS through mod_ssl, which uses OpenSSL for cryptographic operations. mod_ssl does not provide native PKCS#11 support; therefore, a separate PKCS#11 provider, such as pkcs11-provider or pkcs11-sign-provider, must be installed and configured so that OpenSSL and Apache can access private keys that reside in a hardware security module (HSM), such as an IBM Crypto Express adapter on IBM Z or IBM LinuxONE.
The guide also demonstrates best practices for safely setting up an Apache HTTP Server to ensure secure TLS communication.
Using pkcs11-sign-provider and pkcs11-provider, this guide demonstrates how to configure an Apache HTTP Server to perform a TLS handshake with a private key stored in a soft token, ICA token, CCA token, or EP11 token.
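The following is an added example, not part of the original guide: a Python audit that reads Apache configuration text and reports, for each SSLCertificateKeyFile directive, whether it points at a key file on disk or at a PKCS#11 URI, and whether that URI embeds the token PIN in its pin-value attribute (RFC 7512). The sample configuration, token labels, object names, paths and verdict names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample configuration; token labels, object names and paths are placeholders.
SAMPLE_CONF = '''
<VirtualHost *:443>
    SSLCertificateFile /etc/pki/tls/certs/a.crt
    SSLCertificateKeyFile "pkcs11:token=ep11tok;object=httpd-key;type=private?pin-value=12345678"
</VirtualHost>
<VirtualHost *:8443>
    SSLCertificateKeyFile /etc/pki/tls/private/b.key
</VirtualHost>
<VirtualHost *:9443>
    SSLCertificateKeyFile "pkcs11:token=ccatok;object=httpd%20key;type=private?pin-source=file:/etc/httpd/pin.txt"
</VirtualHost>
'''

# Apache directive names are case-insensitive; the value may be quoted.
KEY_DIRECTIVE = re.compile(
    r'^[ \t]*SSLCertificateKeyFile[ \t]+"?([^"\s]+)"?[ \t]*$', re.M | re.I)

def parse_pkcs11_uri(uri):
    """Split an RFC 7512 URI into (path attributes, query attributes)."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")

    def attrs(part, sep):
        # Attributes are name=value pairs; values are percent-encoded.
        pairs = (item.partition("=") for item in part.split(sep) if item)
        return {name: unquote(value) for name, _, value in pairs}

    return attrs(path, ";"), attrs(query, "&")

def audit_key_directives(conf_text):
    """Return a (key reference, verdict) tuple per SSLCertificateKeyFile directive."""
    findings = []
    for value in KEY_DIRECTIVE.findall(conf_text):
        if not value.startswith("pkcs11:"):
            findings.append((value, "key-in-file"))  # key material sits on disk
            continue
        path, query = parse_pkcs11_uri(value)
        # Report token/object only, so an embedded PIN never reaches the output.
        ref = f"{path.get('token', '?')}/{path.get('object', '?')}"
        verdict = "pin-in-config" if "pin-value" in query else "ok"
        findings.append((ref, verdict))
    return findings

if __name__ == "__main__":
    for ref, verdict in audit_key_directives(SAMPLE_CONF):
        print(f"{verdict:14} {ref}")
```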