| Option | Description |
| --with-nss=[PATH] | The file system path to the NSS installation. The assumption is that this has the layout of: PATH/lib, PATH/include, etc. |
| --with-nss-inc=PATH | The file system path to the NSS include directory (e.g. /usr/local/include/nss3) |
| --with-nss-lib=PATH | The file system path to the NSS lib directory (e.g. /usr/local/lib) |
| --with-nspr=[PATH] | The file system path of the NSPR installation. The assumption is that this has the layout of: PATH/lib, PATH/include, etc. |
| --with-nspr-inc=PATH | The file system path to the NSPR include directory (e.g. /usr/local/include/nspr4) |
| --with-nspr-lib=PATH | The file system path to the NSPR lib directory (e.g. /usr/local/lib) |
| --with-apxs=[PATH] | The location of the apxs binary of the Apache you want to install the module into. |
| --with-apr-config=[PATH] | The location of apr-config, which tells us where the APR include files and libraries are located |
| --enable-ecc | Enable Elliptic Curve Cryptography. Disabled by default. |
 % ./configure --with-apxs=/path/to/apxs/ --with-nspr=/path/to/nspr/ --with-nss=/path/to/nss/
 % gmake

The configuration file nss.conf is installed by default during the installation process.

Any existing ssl.conf is renamed to ssl.conf.old. The assumption is that mod_nss is replacing mod_ssl. They can co-exist as long as they are listening on separate ports.

The mod_nss configuration file, nss.conf, is copied into the Apache configuration directory (as reported by apxs). You may need to make a manual change to httpd.conf to load this file. If you have a Red Hat-style Apache installation with a conf.d, just move nss.conf there and it will be loaded automatically. Otherwise you will need to add the following line to httpd.conf (location relative to httpd.conf):

 Include conf/nss.conf

Configuration is done in nss.conf. It is here that you will set up your VirtualServer entries and configure your SSL servers. If you have a certificate with Subject Alternative Names then you can configure separate VirtualServer entries for each one.

A script, gencert, is included to automatically generate a self-signed CA plus one server certificate. This is fine for testing purposes, but it is strongly recommended that a real server certificate be obtained from a real CA before moving a mod_nss server into production. Users should be expected to cancel any request to a secure server signed by an unknown issuer.

gencert takes one argument, the path to the location of the certificate database. A fair amount of output is generated so you can follow what is going on. For the most part you don't need to bother with the details.

 # mkdir /etc/httpd/nss
 # ./gencert /etc/httpd/nss
 #####################################################################
 Generating new server certificate and key database. The password is httptest
 #####################################################################
 #####################################################################
 Generating self-signed client CA certificate
 #####################################################################
 Generating key. This may take a few moments...
 [ Lots of output removed ]

You should now have the following files:
 /etc/httpd/nss/cert8.db
 /etc/httpd/nss/key3.db
 /etc/httpd/nss/secmod.db

These 3 files make up an NSS certificate database. With the sqlite database format (see the note on database formats further down) the equivalent files are:

 /etc/httpd/nss/cert9.db
 /etc/httpd/nss/key4.db
 /etc/httpd/nss/pkcs11.txt
nss.conf is not wrapped in <IfDefine SSL>, so you do not need to use the startssl argument with apachectl.

 % apachectl start
 Please enter password for "internal" token:

To change the password on the certificate database:

 % modutil -dbdir /path/to/database/directory -changepw "NSS Certificate DB"

A script, migrate.pl, is included to help migrate an existing mod_ssl configuration to work with mod_nss. There is one optional argument, -c, that will try to convert your existing server and CA certificates plus any certificate revocation lists (CRLs) into an NSS certificate database.

NSSPassPhraseDialog accepts one of the following:

 builtin
 file:/path/to/file
 exec:/path/to/executable

The password file contains one token:password entry per line, for example:

 internal:secret12

An exec: program is passed the token name as its first argument and must print the password on stdout, for example:
 #!/bin/sh
 echo "secret123"

 #!/bin/sh
 exec /bin/systemd-ask-password "Enter SSL pass phrase for $1: "
 NSSPassPhraseDialog builtin
 NSSPassPhraseDialog file:/etc/httpd/alias/password.conf
 NSSPassPhraseDialog exec:/usr/libexec/httpd/httpd-ssl-pass-dialog

 NSSPassPhraseHelper /path/to/nss_pcache

 NSSCertificateDatabase /etc/httpd/conf/nss
 NSSCertificateDatabase sql:/etc/httpd/conf/nss

 NSSDBPrefix my-prefix-

 NSSSessionCacheSize 10000

 NSSSession3CacheTimeout 86400

NSSRandomSeed accepts the following entropy sources:

builtin: Combines the current system time, the current process id and a randomly chosen 128-byte extract of the process stack. This is not a particularly strong source of entropy.

file:/path/to/source: Reads from the specified file. If the number of bytes to read is specified it just reads that amount. Be aware that some operating systems block on /dev/random if not enough entropy is available. This means that the server will wait until that data is available to continue startup. These systems generally offer a non-blocking device as well, /dev/urandom.

exec:/path/to/program: Executes the given program and takes its stdout as the entropy. If the bytes argument is included it reads that many bytes, otherwise it reads until the program exits.

 NSSRandomSeed startup builtin
 NSSRandomSeed startup /dev/urandom 512
 NSSRandomSeed startup /usr/bin/makerandom

A permission check is performed on the NSSCertificateDatabase. This check can be disabled by setting NSSSkipPermissionCheck to on. The default is off.

 NSSSkipPermissionCheck on

 NSSEngine on

 NSSFIPS on

 NSSOCSP on

NSSCipherSuite takes a comma-separated list of ciphers, each prefixed with + to enable or - to disable, using the Cipher Name value in the tables below.

| Cipher Name | NSS Cipher definition | Protocol |
| rsa_3des_sha | TLS_RSA_WITH_3DES_EDE_CBC_SHA | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| rsa_des_sha | TLS_RSA_WITH_DES_CBC_SHA | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| rsa_null_md5 | TLS_RSA_WITH_NULL_MD5 | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| rsa_null_sha | TLS_RSA_WITH_NULL_SHA | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| rsa_rc2_40_md5 | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| rsa_rc4_128_md5 | TLS_RSA_WITH_RC4_128_MD5 | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| rsa_rc4_128_sha | TLS_RSA_WITH_RC4_128_SHA | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| rsa_rc4_40_md5 | TLS_RSA_EXPORT_WITH_RC4_40_MD5 | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| fips_des_sha | SSL_RSA_FIPS_WITH_DES_CBC_SHA | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| fips_3des_sha | SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| rsa_des_56_sha | TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| rsa_rc4_56_sha | TLS_RSA_EXPORT1024_WITH_RC4_56_SHA | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| rsa_aes_128_sha | TLS_RSA_WITH_AES_128_CBC_SHA | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| rsa_aes_256_sha | TLS_RSA_WITH_AES_256_CBC_SHA | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| camelia_128_sha | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| camelia_256_sha | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| null_sha_256 | TLS_RSA_WITH_NULL_SHA256 | TLSv1.2 | 
| aes_128_sha_256 | TLS_RSA_WITH_AES_128_CBC_SHA256 | TLSv1.2 | 
| aes_256_sha_256 | TLS_RSA_WITH_AES_256_CBC_SHA256 | TLSv1.2 | 
| rsa_aes_128_gcm_sha_256 | TLS_RSA_WITH_AES_128_GCM_SHA256 | TLSv1.2 | 

| Cipher Name | NSS Cipher definition | Protocol |
| dhe_rsa_des_sha | TLS_DHE_RSA_WITH_DES_CBC_SHA | SSLv3/TLSv1.0/TLSv1.1/TLSv1.2 | 
| dhe_rsa_3des_sha | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| dhe_rsa_aes_128_sha | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 |
| dhe_rsa_aes_256_sha | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| dhe_rsa_camellia_128_sha | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| dhe_rsa_camellia_256_sha | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| dhe_rsa_aes_128_sha256 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | TLSv1.2 | 
| dhe_rsa_aes_256_sha256 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | TLSv1.2 | 
| dhe_rsa_aes_128_gcm_sha_256 | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | TLSv1.2 | 

| Cipher Name | NSS Cipher Definition | Protocol |
| ecdh_ecdsa_null_sha | TLS_ECDH_ECDSA_WITH_NULL_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_ecdsa_rc4_128_sha | TLS_ECDH_ECDSA_WITH_RC4_128_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_ecdsa_3des_sha | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_ecdsa_aes_128_sha | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_ecdsa_aes_256_sha | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdhe_ecdsa_null_sha | TLS_ECDHE_ECDSA_WITH_NULL_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdhe_ecdsa_rc4_128_sha | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdhe_ecdsa_3des_sha | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdhe_ecdsa_aes_128_sha | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdhe_ecdsa_aes_256_sha | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_rsa_null_sha | TLS_ECDH_RSA_WITH_NULL_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_rsa_128_sha | TLS_ECDH_RSA_WITH_RC4_128_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_rsa_3des_sha | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_rsa_aes_128_sha | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_rsa_aes_256_sha | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| echde_rsa_null | TLS_ECDHE_RSA_WITH_NULL_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdhe_rsa_rc4_128_sha | TLS_ECDHE_RSA_WITH_RC4_128_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdhe_rsa_3des_sha | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdhe_rsa_aes_128_sha | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdhe_rsa_aes_256_sha | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_anon_null_sha | TLS_ECDH_anon_WITH_NULL_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_anon_rc4_128sha | TLS_ECDH_anon_WITH_RC4_128_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_anon_3des_sha | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_anon_aes_128_sha | TLS_ECDH_anon_WITH_AES_128_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdh_anon_aes_256_sha | TLS_ECDH_anon_WITH_AES_256_CBC_SHA | TLSv1.0/TLSv1.1/TLSv1.2 | 
| ecdhe_ecdsa_aes_128_sha_256 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | TLSv1.2 | 
| ecdhe_rsa_aes_128_sha_256 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | TLSv1.2 | 
| ecdhe_ecdsa_aes_128_gcm_sha_256 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | TLSv1.2 | 
| ecdhe_rsa_aes_128_gcm_sha_256 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | TLSv1.2 | 
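As an added example, not part of the mod_nss documentation or of the module itself, the following POSIX shell functions audit an NSSCipherSuite value using the naming conventions of the tables above: they split the comma-separated list, keep only the entries enabled with +, and report those whose Cipher Name indicates a NULL, RC2/RC4, single DES, 40- or 56-bit export, MD5-MAC or anonymous suite. Which name patterns count as weak is this example's own assumption, not a list taken from the page; 3DES suites, for instance, are deliberately left unflagged.

```shell
#!/bin/sh
# Added example (not from mod_nss): audit an NSSCipherSuite value.

# audit_nss_ciphersuite SUITE
# Prints, one per line, each cipher enabled with "+" whose name matches a
# pattern this example treats as weak. Prints nothing when none is enabled.
audit_nss_ciphersuite() {
    # Entries are comma separated; strip stray blanks such as the space
    # after "-fips_des_sha," in the documented example value.
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' \t' | while IFS= read -r entry; do
        case $entry in
            +*) name=${entry#+} ;;
            *)  continue ;;         # "-" entries and empty fields are not enabled
        esac
        # Assumed weak-name patterns: NULL, RC2/RC4, single DES, 40/56-bit
        # export grades, MD5 MAC and anonymous key exchange.
        case $name in
            *null*|*_rc2_*|*_rc4_*|*_des_*|*_40_*|*_56_*|*_md5|*anon*)
                printf '%s\n' "$name" ;;
        esac
    done
}

# count_weak SUITE: number of weak enabled ciphers; 0 means the suite passed.
count_weak() {
    audit_nss_ciphersuite "$1" | awk 'END { print NR }'
}

# Usage: sh audit_ciphers.sh '+rsa_aes_128_sha,-rsa_null_sha'  (constructed value)
if [ $# -gt 0 ]; then
    audit_nss_ciphersuite "$1"
    echo "weak ciphers enabled: $(count_weak "$1")"
fi
```

Run against the documented example value (+rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,...,+rsa_rc4_128_md5,...), the audit reports rsa_des_sha and rsa_rc4_128_md5 as enabled weak suites; a suite enabling only AES or GCM ciphers yields a count of 0.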
 NSSCipherSuite +rsa_3des_sha,-rsa_des_56_sha,+rsa_des_sha,-rsa_null_md5,-rsa_null_sha,-rsa_rc2_40_md5,+rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_rc4_40_md5,-rsa_rc4_56_sha,-fips_des_sha,+fips_3des_sha,-rsa_aes_128_sha,-rsa_aes_256_sha
 NSSCipherSuite ALL
 NSSCipherSuite rsa_3des_sha
 NSSCipherSuite RC4-SHA

NSSProtocol accepts a comma-separated list of:

 SSLv3
 TLSv1 (legacy only; replaced by TLSv1.0)
 TLSv1.0
 TLSv1.1
 TLSv1.2
 All

 NSSProtocol SSLv3,TLSv1.0,TLSv1.1

 NSSNickname Server-Cert
 NSSNickname "This contains a space"
 NSSNickname Server-Cert-ECC

 NSSEnforceValidCerts on

NSSVerifyClient accepts one of:

none: no client certificate is required or requested.

optional: a client certificate is requested but if one is not available, the connection may continue.

require: a valid client certificate is required for the connection to continue.

option_no_ca is not supported. There is no NSSVerifyDepth directive; NSS always verifies the entire certificate chain.

 NSSVerifyClient require

 NSSUserName SSL_CLIENT_S_DN_UID

The certificate data that can be exported consists of SSL_CLIENT_CERT, SSL_CLIENT_CERT_CHAIN[0..n] and SSL_SERVER_CERT. This provides additional certificate information on the client and server to the environment, plus every CA certificate in the client certificate chain.

 NSSOptions +FakeBasicAuth

 <Files ~ "\.(cgi|shtml)$">
     NSSOptions +StdEnvVars
 </Files>

 NSSRequireSSL

 NSSRequire

 NSSRenegBufferSize 262144

 NSSSNI off
 NSSStrictSNIVHostCheck off

 NSSProxyEngine on
 NSSProxyProtocol SSLv3
 NSSProxyCipherSuite +rsa_3des_sha,-rsa_null_md5,-rsa_null_sha,+rsa_rc4_128_md5
 NSSProxyNickname beta
 NSSProxyCheckPeerCN on

| Name | Description |
| HTTPS | Set to "on" if HTTPS is being used |

| Name | Description |
| SSL_VERSION_INTERFACE | The version of mod_nss the server is running |
| SSL_VERSION_LIBRARY | The version of NSS that mod_nss was compiled against. |
| SSL_PROTOCOL | SSLv3, TLSv1.0, TLSv1.1 or TLSv1.2 |
| SSL_CIPHER | The cipher the connection is using |
| SSL_CIPHER_EXPORT | true if the cipher is an export cipher, false otherwise |
| SSL_CIPHER_USEKEYSIZE | Number of bits the cipher is using |
| SSL_CIPHER_ALGKEYSIZE | Max number of bits possible in the cipher |
| SSL_CLIENT_VERIFY | NONE if no client auth, SUCCESS or FAILED if SSLVerifyCert is set |
| SSL_CLIENT_V_START | Client certificate validity start time |
| SSL_CLIENT_V_END | Client certificate validity end time |
| SSL_CLIENT_V_REMAIN | Number of days that the certificate is valid |
| SSL_CLIENT_M_VERSION | X.509 version of the client certificate |
| SSL_CLIENT_M_SERIAL | Serial number of the client certificate |
| SSL_CLIENT_A_KEY | Algorithm used for client key |
| SSL_CLIENT_A_SIG | Algorithm used for the signature of the client key |
| SSL_CLIENT_S_DN | Distinguished Name (DN) of the client certificate |
| SSL_CLIENT_S_DN_[C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email] | Components of the client certificate. Only those that exist in the certificate are created. |
| SSL_CLIENT_SAN_[DNS, IPAddr, Email, OTHER_msUPN]_[0..n] | A subset of Subject Alternative Names. Each entry is appended with a unique sequential number. |
| SSL_CLIENT_I_DN | Distinguished Name (DN) of the client certificate issuer |
| SSL_CLIENT_I_DN_[C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email] | Components of the client issuer certificate. Only those that exist in the certificate are created |
| SSL_SERVER_DN | Distinguished Name (DN) of the server certificate |
| SSL_SERVER_DN_[C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email] | Components of the server certificate. Only those that exist in the certificate are created |
| SSL_SERVER_I_DN_[C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email] | Components of the server issuer certificate. Only those that exist in the certificate are created |
| SSL_SERVER_M_VERSION | X.509 version of the server certificate |
| SSL_SERVER_M_SERIAL | Serial number of the server certificate |
| SSL_SERVER_V_START | Server certificate validity start time |
| SSL_SERVER_V_END | Server certificate validity end time |
| SSL_SERVER_A_KEY | Algorithm used for server key |
| SSL_SERVER_A_SIG | Algorithm used for the signature of the server key |
| SSL_SESSION_ID | SSL Session ID |
| SSL_SERVER_SAN_[DNS, IPAddr, Email, OTHER_msUPN]_[0..n] | A subset of Subject Alternative Names. Each entry is appended with a unique sequential number. |

| Name | Description |
| SSL_SERVER_CERT | The server certificate in PEM format. |
| SSL_CLIENT_CERT | The client certificate in PEM format (if available) |
| SSL_CLIENT_CERT_CHAIN_[0..n] | Each certificate in the client certificate chain in PEM format (including the client certificate itself). |
By default the NSS databases use the Berkeley Database format (cert8 and
key3). To use the sqlite format (cert9 and key4) either include sql: in
all references to the database (-d sql:/path/to/database) or
export NSS_DEFAULT_DB_TYPE="sql".
For more details see
https://wiki.mozilla.org/NSS_Shared_DB
The NSS database also stores any Certificate Revocation Lists (CRLs). 
Several NSS tools are available for managing certificates, keys,
PKCS#11 modules and CRLs. These come with the NSS distribution. Here is
a brief overview:
| Tool | Description |
| certutil | Generate Certificate Signing Requests, install certificates and manage certificate trust flags. |
| crlutil | Manage certificate revocation lists (CRLs). |
| modutil | Manage the database of PKCS11 modules (secmod.db). Add modules and modify the properties of existing modules (such as whether a module is the default provider of some crypto service). |
| pk12util | Import and export keys and certificates in PKCS12 format. |

| Description | Command |
| Create a Database | certutil -N -d [path] |
| List all Certificates | certutil -L -d [path] |
| Extract a cert (Server-Cert) in ASCII | certutil -L -n Server-Cert -d [path] -a |
| Extract a cert and key (Server-Cert) in PKCS#12 | pk12util -o server.p12 -n Server-Cert -d [path] |
| Import a cert and key (Import-Me) from PKCS#12 | pk12util -i server.p12 -n Import-Me -d [path] |
Import a certificate and key from OpenSSL PEM files:

 % openssl pkcs12 -export -in /path/to/certificate -inkey /path/to/keyfile -out server.p12 -name "Server-Cert" -passout pass:foo
 % pk12util -i server.p12 -d [path] -W foo

Import a CA certificate:

 % certutil -A -n "myca" -t "CT,," -d [path] -a -i /path/to/cacertificate

Import a CRL:

 % openssl crl -in /path/to/crlfile -out /tmp/crl.tmp -inform PEM -outform DER
 % crlutil -I -t 1 -d [path] -i /tmp/crl.tmp

Verify a server certificate:

 % certutil -V -n Server-Cert -u V -d .
 certutil: certificate is valid
# certutil -L -d /etc/httpd/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
alpha                                                        u,pu,u
| NOTE: | For actual deployments, the administrator should set up their own NSS security databases (e.g. replace the default mod_nss NSS security databases located in /etc/httpd/alias), populate them with the appropriate certificates set with the proper trust attributes, and apply any changes necessary to the /etc/httpd/conf.d/nss.conf file such that mod_nss uses these NSS security databases. |

Use certutil to apply a password to the NSS security databases configured in step 3 above:
# certutil -W -d /etc/httpd/alias
Enter Password or Pin for "NSS Certificate DB":
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Password changed successfully.
In /etc/httpd/conf.d/nss.conf, change

 NSSPassPhraseDialog builtin

to

 NSSPassPhraseDialog file:/etc/httpd/password.conf

| NOTE: | Whenever httpd is invoked as a service/systemd process, the NSSPassPhraseDialog builtin parameter must be changed to point to a file URL in order to allow mod_nss to work with the Apache web server. This is because the mod_nss test for issuing the password prompt Please enter password for "internal" token: on the command line is only displayed when the command isatty(fileno(stdin)) is set to 'true', and when the command is entered from this type of invocation the value is 'false'. In order to see the prompt, one can set the NSSPassPhraseDialog builtin parameter and invoke httpd -D FOREGROUND from the command line. |

Make sure the NSSNickname parameter is uncommented and matches the nickname displayed in step 3 above:

 NSSNickname Server-Cert

Make sure the NSSECCNickname parameter is uncommented and matches the nickname displayed in step 3 above:

 NSSECCNickname Server-Cert

Make sure the NSSCertificateDatabase parameter is uncommented and points to the NSS security databases directory configured in step 3 above:

 NSSCertificateDatabase /etc/httpd/alias

Create the /etc/httpd/password.conf file containing:

 internal:<password>

Restrict access to the /etc/httpd/password.conf file:

 # chgrp apache /etc/httpd/password.conf
 # chmod 640 /etc/httpd/password.conf
# ls -l /etc/httpd/password.conf
-rw-r-----. 1 root apache 18 Nov 27 14:05 /etc/httpd/password.conf
# service httpd restart
Redirecting to /bin/systemctl restart  httpd.service
# service httpd status
Redirecting to /bin/systemctl status  httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Wed 2013-11-27 15:25:48 PST; 1min 11s ago
  Process: 20804 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 20807 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: name=systemd:/system/httpd.service
           |_____20807 /usr/sbin/httpd -DFOREGROUND
           |_____20808 /usr/libexec/nss_pcache 10027086 off /etc/httpd/alias
           |_____20809 /usr/sbin/httpd -DFOREGROUND
           |_____20810 /usr/sbin/httpd -DFOREGROUND
           |_____20811 /usr/sbin/httpd -DFOREGROUND
           |_____20812 /usr/sbin/httpd -DFOREGROUND
           |_____20813 /usr/sbin/httpd -DFOREGROUND
Nov 27 15:25:48 server.example.com systemd[1]: Started The Apache HTTP Server.
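mod_nss performs its own permission check on the certificate database (the one NSSSkipPermissionCheck turns off), but nothing on the page checks the password file that the chgrp/chmod step above protects. The following POSIX shell script is an added example, not part of mod_nss, that an administrator can run before restarting httpd: it verifies that the database files (either the cert8/key3/secmod.db or the cert9/key4/pkcs11.txt set) and the password file are not world-readable and that the password file is group-owned by the group httpd runs as. The directory, file and group names are parameters; apache and /etc/httpd/alias in the usage line are taken from the steps above.

```shell
#!/bin/sh
# Added example (not from mod_nss): pre-start check of NSS secrets.

# world_readable FILE: true when the "other" read bit is set on FILE.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# check_nss_secrets DBDIR PASSFILE GROUP
#   DBDIR    - directory given to NSSCertificateDatabase
#   PASSFILE - file named by NSSPassPhraseDialog file:
#   GROUP    - the group httpd runs as (apache in the steps above)
# Prints one line per finding; returns 0 when everything passes, 1 otherwise.
check_nss_secrets() {
    dbdir=$1 passfile=$2 group=$3
    rc=0

    # Either database format is acceptable: cert8/key3/secmod.db (Berkeley DB)
    # or cert9/key4/pkcs11.txt (sqlite).
    if [ -f "$dbdir/cert8.db" ]; then
        dbfiles="cert8.db key3.db secmod.db"
    elif [ -f "$dbdir/cert9.db" ]; then
        dbfiles="cert9.db key4.db pkcs11.txt"
    else
        echo "no NSS database found in $dbdir"
        return 1
    fi

    for f in $dbfiles; do
        if [ ! -f "$dbdir/$f" ]; then
            echo "missing database file: $dbdir/$f"; rc=1
        elif world_readable "$dbdir/$f"; then
            echo "world-readable database file: $dbdir/$f"; rc=1
        fi
    done

    if [ ! -f "$passfile" ]; then
        echo "missing password file: $passfile"
        return 1
    fi
    if world_readable "$passfile"; then
        echo "world-readable password file: $passfile"; rc=1
    fi
    # The fourth column of "ls -l" output is the group owner.
    set -- $(ls -ld "$passfile")
    if [ "$4" != "$group" ]; then
        echo "password file group is $4, expected $group"; rc=1
    fi
    return $rc
}

# Usage: sh check_nss_secrets.sh /etc/httpd/alias /etc/httpd/password.conf apache
if [ $# -eq 3 ]; then
    check_nss_secrets "$1" "$2" "$3" && echo "ok"
fi
```

A non-zero exit with a "world-readable password file" line is exactly the state the chmod 640 step above corrects; the check is read-only and changes nothing itself.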
# certutil -L -d /etc/httpd/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
cacert                                                       CTu,Cu,Cu
Server-Cert                                                  u,u,u
alpha                                                        u,pu,u
| NOTE: | For actual deployments, the administrator should set up their own NSS security databases (e.g. replace the default mod_nss NSS security databases located in /etc/httpd/alias), populate them with the appropriate certificates set with the proper trust attributes, and apply any changes necessary to the /etc/httpd/conf.d/nss.conf file such that mod_nss uses these NSS security databases. |

Use certutil to apply a password to the NSS security databases configured in step 3 above:
# certutil -W -d /etc/httpd/alias
Enter Password or Pin for "NSS Certificate DB":
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Password changed successfully.
In /etc/httpd/conf.d/nss.conf, change

 NSSPassPhraseDialog builtin

to

 NSSPassPhraseDialog file:/etc/httpd/password.conf

| NOTE: | Whenever httpd is invoked as a service/systemd process, the NSSPassPhraseDialog builtin parameter must be changed to point to a file URL in order to allow mod_nss to work with the Apache web server. This is because the mod_nss test for issuing the password prompt Please enter password for "NSS FIPS 140-2 Certificate DB" token: on the command line is only displayed when the command isatty(fileno(stdin)) is set to 'true', and when the command is entered from this type of invocation the value is 'false'. In order to see the prompt, one can set the NSSPassPhraseDialog builtin parameter and invoke httpd -D FOREGROUND from the command line. |

Make sure the NSSNickname parameter is uncommented and matches the nickname displayed in step 3 above:

 NSSNickname Server-Cert

Make sure the NSSECCNickname parameter is uncommented and matches the nickname displayed in step 3 above:

 NSSECCNickname Server-Cert

Make sure the NSSCertificateDatabase parameter is uncommented and points to the NSS security databases directory configured in step 3 above:

 NSSCertificateDatabase /etc/httpd/alias

Create the /etc/httpd/password.conf file containing:

 NSS FIPS 140-2 Certificate DB:<password>

| IMPORTANT: | Notice that since the NSS FIPS software token is being used, the contents of the /etc/httpd/password.conf file reference the password for the NSS FIPS software token (NSS FIPS 140-2 Certificate DB:<password>) rather than the NSS internal software token (internal:<password>). |

Restrict access to the /etc/httpd/password.conf file:

 # chgrp apache /etc/httpd/password.conf
 # chmod 640 /etc/httpd/password.conf
# ls -l /etc/httpd/password.conf
-rw-r-----. 1 root apache 39 Nov 27 15:48 /etc/httpd/password.conf
# service httpd restart
Redirecting to /bin/systemctl restart  httpd.service
# service httpd status
Redirecting to /bin/systemctl status  httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: active (running) since Wed 2013-11-27 16:26:07 PST; 4s ago
  Process: 21296 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 21299 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: name=systemd:/system/httpd.service
           |_____21299 /usr/sbin/httpd -DFOREGROUND
           |_____21300 /usr/libexec/nss_pcache 10289231 on /etc/httpd/alias
           |_____21340 /usr/sbin/httpd -DFOREGROUND
           |_____21341 /usr/sbin/httpd -DFOREGROUND
           |_____21342 /usr/sbin/httpd -DFOREGROUND
Nov 27 16:26:07 server.example.com systemd[1]: Started The Apache HTTP Server.