Chapter 1. Setting up the Apache HTTP web server

1.1. Introduction to the Apache HTTP web server

A web server is a network service that serves content to a client over the web. This typically means web pages, but any other documents can be served as well. Web servers are also known as HTTP servers, as they use the hypertext transport protocol (HTTP).

The Apache HTTP Server, httpd, is an open source web server developed by the Apache Software Foundation.

If you are upgrading from a previous release of Red Hat Enterprise Linux, you have to update the httpd service configuration accordingly. This section reviews some of the newly added features, and guides you through the update of prior configuration files.

1.2. Notable changes in the Apache HTTP Server

RHEL 9 provides version 2.4.48 of the Apache HTTP Server. Notable changes over version 2.4.37 distributed with RHEL 8 include:

  • Apache HTTP Server Control Interface (apachectl):

    • The systemctl pager is now disabled for apachectl status output.
    • The apachectl command now fails instead of giving a warning if you pass additional arguments.
    • The apachectl graceful-stop command now returns immediately.
    • The apachectl configtest command now executes the httpd -t command without changing the SELinux context.
    • The apachectl(8) man page in RHEL now fully documents differences from upstream apachectl.

  • Apache eXtenSion tool (apxs):

    • The /usr/bin/apxs command no longer uses or exposes compiler optimisation flags as applied when building the httpd package. You can now use the /usr/lib64/httpd/build/vendor-apxs command to apply the same compiler flags as used to build httpd. To use the vendor-apxs command, you must install the redhat-rpm-config package first.

  • Apache modules:

    • The mod_lua module is now provided in a separate package.
    • The mod_php module provided with PHP for use with the Apache HTTP Server has been removed. Since RHEL 8, PHP scripts are run using the FastCGI Process Manager (php-fpm) by default. For more information, see Using PHP with the Apache HTTP Server.

  • Configuration syntax changes:

    • In the deprecated Allow directive provided by the mod_access_compat module, a comment (the # character) now triggers a syntax error instead of being silently ignored.

  • Other changes:

    • Kernel thread IDs are now used directly in error log messages, making them both accurate and more concise.
    • Many minor enhancements and bug fixes.
    • Several new interfaces are available to module authors.

There are no backwards-incompatible changes to the httpd module API since RHEL 8.

Apache HTTP Server 2.4 is the initial version of this Application Stream, which you can install easily as an RPM package.

1.3. The Apache configuration files

The httpd, by default, reads the configuration files after start. You can see the list of the locations of configuration files in the table below.

Table 1.1. The httpd service configuration files

PathDescription

/etc/httpd/conf/httpd.conf

The main configuration file.

/etc/httpd/conf.d/

An auxiliary directory for configuration files that are included in the main configuration file.

/etc/httpd/conf.modules.d/

An auxiliary directory for configuration files which load installed dynamic modules packaged in Red Hat Enterprise Linux. In the default configuration, these configuration files are processed first.

Although the default configuration is suitable for most situations, you can use also other configuration options. For any changes to take effect, restart the web server first.

To check the configuration for possible errors, type the following at a shell prompt: 

# apachectl configtest
Syntax OK

To make the recovery from mistakes easier, make a copy of the original file before editing it.

1.4. Managing the httpd service

This section describes how to start, stop, and restart the httpd service.

Prerequisites

  • The Apache HTTP Server is installed.

Procedure

  • To start the httpd service, enter: 

    # systemctl start httpd

  • To stop the httpd service, enter: 

    # systemctl stop httpd

  • To restart the httpd service, enter: 

    # systemctl restart httpd

1.5. Setting up a single-instance Apache HTTP Server

You can set up a single-instance Apache HTTP Server to serve static HTML content.

Follow the procedure if the web server should provide the same content for all domains associated with the server. If you want to provide different content for different domains, set up name-based virtual hosts. For details, see Configuring Apache name-based virtual hosts.

Procedure

  1. Install the httpd package: 

    # dnf install httpd

  2. If you use firewalld, open the TCP port 80 in the local firewall: 

    # firewall-cmd --permanent --add-port=80/tcp
# firewall-cmd --reload

  3. Enable and start the httpd service: 

    # systemctl enable --now httpd

  4. Optional: Add HTML files to the /var/www/html/ directory.

    Note

    When adding content to /var/www/html/, files and directories must be readable by the user under which httpd runs by default. The content owner can be the either the root user and root user group, or another user or group of the administrator’s choice. If the content owner is the root user and root user group, the files must be readable by other users. The SELinux context for all the files and directories must be httpd_sys_content_t, which is applied by default to all content within the /var/www directory.

Verification steps

  • Connect with a web browser to http://server_IP_or_host_name/.

    If the /var/www/html/ directory is empty or does not contain an index.html or index.htm file, Apache displays the Red Hat Enterprise Linux Test Page. If /var/www/html/ contains HTML files with a different name, you can load them by entering the URL to that file, such as http://server_IP_or_host_name/example.html.

Additional resources

1.6. Configuring Apache name-based virtual hosts

Name-based virtual hosts enable Apache to serve different content for different domains that resolve to the IP address of the server.

You can set up a virtual host for both the example.com and example.net domain with separate document root directories. Both virtual hosts serve static HTML content.

Prerequisites

  • Clients and the web server resolve the example.com and example.net domain to the IP address of the web server.

    Note that you must manually add these entries to your DNS server.

Procedure

  1. Install the httpd package: 

    # dnf install httpd

  2. Edit the /etc/httpd/conf/httpd.conf file:

    1. Append the following virtual host configuration for the example.com domain: 

      <VirtualHost *:80>
    DocumentRoot "/var/www/example.com/"
    ServerName example.com
    CustomLog /var/log/httpd/example.com_access.log combined
    ErrorLog /var/log/httpd/example.com_error.log
</VirtualHost>

      These settings configure the following:

      • All settings in the <VirtualHost *:80> directive are specific for this virtual host.
      • DocumentRoot sets the path to the web content of the virtual host.

      • ServerName sets the domains for which this virtual host serves content.

        To set multiple domains, add the ServerAlias parameter to the configuration and specify the additional domains separated with a space in this parameter.

      • CustomLog sets the path to the access log of the virtual host.

      • ErrorLog sets the path to the error log of the virtual host.

        Note

        Apache uses the first virtual host found in the configuration also for requests that do not match any domain set in the ServerName and ServerAlias parameters. This also includes requests sent to the IP address of the server.

  3. Append a similar virtual host configuration for the example.net domain: 

    <VirtualHost *:80>
    DocumentRoot "/var/www/example.net/"
    ServerName example.net
    CustomLog /var/log/httpd/example.net_access.log combined
    ErrorLog /var/log/httpd/example.net_error.log
</VirtualHost>

  4. Create the document roots for both virtual hosts: 

    # mkdir /var/www/example.com/
# mkdir /var/www/example.net/

  5. If you set paths in the DocumentRoot parameters that are not within /var/www/, set the httpd_sys_content_t context on both document roots: 

    # semanage fcontext -a -t httpd_sys_content_t "/srv/example.com(/.*)?"
# restorecon -Rv /srv/example.com/
# semanage fcontext -a -t httpd_sys_content_t "/srv/example.net(/.\*)?"
# restorecon -Rv /srv/example.net/

    These commands set the httpd_sys_content_t context on the /srv/example.com/ and /srv/example.net/ directory.

    Note that you must install the policycoreutils-python-utils package to run the restorecon command.

  6. If you use firewalld, open port 80 in the local firewall: 

    # firewall-cmd --permanent --add-port=80/tcp
# firewall-cmd --reload

  7. Enable and start the httpd service: 

    # systemctl enable --now httpd

Verification steps

  1. Create a different example file in each virtual host’s document root: 

    # echo "vHost example.com" > /var/www/example.com/index.html
# echo "vHost example.net" > /var/www/example.net/index.html
  2. Use a browser and connect to http://example.com. The web server shows the example file from the example.com virtual host.
  3. Use a browser and connect to http://example.net. The web server shows the example file from the example.net virtual host.

Additional resources

1.7. Configuring Kerberos authentication for the Apache HTTP web server

To perform Kerberos authentication in the Apache HTTP web server, RHEL 9 uses the mod_auth_gssapi Apache module. The Generic Security Services API (GSSAPI) is an interface for applications that make requests to use security libraries, such as Kerberos. The gssproxy service allows to implement privilege separation for the httpd server, which optimizes this process from the security point of view.

Note

The mod_auth_gssapi module replaces the removed mod_auth_kerb module.

Prerequisites

  • The httpd, mod_auth_gssapi and gssproxy packages are installed.
  • The Apache web server is set up and the httpd service is running.

1.7.1. Setting up GSS-Proxy in an IdM environment

This procedure describes how to set up GSS-Proxy to perform Kerberos authentication in the Apache HTTP web server.

Procedure

  1. Enable access to the keytab file of HTTP/<SERVER_NAME>@realm principal by creating the service principal: 

    # ipa service-add HTTP/<SERVER_NAME>

  2. Retrieve the keytab for the principal stored in the /etc/gssproxy/http.keytab file: 

    # ipa-getkeytab -s $(awk '/^server =/ {print $3}' /etc/ipa/default.conf) -k /etc/gssproxy/http.keytab -p HTTP/$(hostname -f)

    This step sets permissions to 400, thus only the root user has access to the keytab file. The apache user does not.

  3. Create the /etc/gssproxy/80-httpd.conf file with the following content: 

    [service/HTTP]
  mechs = krb5
  cred_store = keytab:/etc/gssproxy/http.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = apache

  4. Restart and enable the gssproxy service: 

    # systemctl restart gssproxy.service
# systemctl enable gssproxy.service

Additional resources

  • gssproxy(8) man pages
  • gssproxy-mech(8) man pages
  • gssproxy.conf(5) man pages

1.7.2. Configuring Kerberos authentication for a directory shared by the Apache HTTP web server

This procedure describes how to configure Kerberos authentication for the /var/www/html/private/ directory.

Prerequisites

  • The gssproxy service is configured and running.

Procedure

  1. Configure the mod_auth_gssapi module to protect the /var/www/html/private/ directory: 

    <Location /var/www/html/private>
  AuthType GSSAPI
  AuthName "GSSAPI Login"
  Require valid-user
</Location>

  2. Create system unit configuration drop-in file: 

    # systemctl edit httpd.service

  3. Add the following parameter to the system drop-in file: 

    [Service]
Environment=GSS_USE_PROXY=1

  4. Reload the systemd configuration: 

    # systemctl daemon-reload

  5. Restart the httpd service: 

    # systemctl restart httpd.service

Verification steps

  1. Obtain a Kerberos ticket: 

    # kinit
  2. Open the URL to the protected directory in a browser.

1.8. Configuring TLS encryption on an Apache HTTP Server

By default, Apache provides content to clients using an unencrypted HTTP connection. This section describes how to enable TLS encryption and configure frequently used encryption-related settings on an Apache HTTP Server.

Prerequisites

  • The Apache HTTP Server is installed and running.

1.8.1. Adding TLS encryption to an Apache HTTP Server

You can enable TLS encryption on an Apache HTTP Server for the example.com domain.

Prerequisites

  • The Apache HTTP Server is installed and running.

  • The private key is stored in the /etc/pki/tls/private/example.com.key file.

    For details about creating a private key and certificate signing request (CSR), as well as how to request a certificate from a certificate authority (CA), see your CA’s documentation. Alternatively, if your CA supports the ACME protocol, you can use the mod_md module to automate retrieving and provisioning TLS certificates.

  • The TLS certificate is stored in the /etc/pki/tls/certs/example.com.crt file. If you use a different path, adapt the corresponding steps of the procedure.
  • The CA certificate is stored in the /etc/pki/tls/certs/ca.crt file. If you use a different path, adapt the corresponding steps of the procedure.
  • Clients and the web server resolve the host name of the server to the IP address of the web server.
  • If the server runs RHEL 9.2 or later and the FIPS mode is enabled, clients must either support the Extended Master Secret (EMS) extension or use TLS 1.3. TLS 1.2 connections without EMS fail. For more information, see the TLS extension "Extended Master Secret" enforced Knowledgebase article.

Procedure

  1. Install the mod_ssl package: 

    # dnf install mod_ssl

  2. Edit the /etc/httpd/conf.d/ssl.conf file and add the following settings to the <VirtualHost _default_:443> directive:

    1. Set the server name: 

      ServerName example.com
    Important

    The server name must match the entry set in the Common Name field of the certificate.

    1. Optional: If the certificate contains additional host names in the Subject Alt Names (SAN) field, you can configure mod_ssl to provide TLS encryption also for these host names. To configure this, add the ServerAliases parameter with corresponding names: 

      ServerAlias www.example.com server.example.com

    2. Set the paths to the private key, the server certificate, and the CA certificate: 

      SSLCertificateKeyFile "/etc/pki/tls/private/example.com.key"
SSLCertificateFile "/etc/pki/tls/certs/example.com.crt"
SSLCACertificateFile "/etc/pki/tls/certs/ca.crt"

  3. For security reasons, configure that only the root user can access the private key file: 

    # chown root:root /etc/pki/tls/private/example.com.key
# chmod 600 /etc/pki/tls/private/example.com.key
    Warning

    If the private key was accessed by unauthorized users, revoke the certificate, create a new private key, and request a new certificate. Otherwise, the TLS connection is no longer secure.

  4. If you use firewalld, open port 443 in the local firewall: 

    # firewall-cmd --permanent --add-port=443/tcp
# firewall-cmd --reload

  5. Restart the httpd service: 

    # systemctl restart httpd
    Note

    If you protected the private key file with a password, you must enter this password each time when the httpd service starts.

Verification steps

  • Use a browser and connect to https://example.com.

Additional resources

1.8.2. Setting the supported TLS protocol versions on an Apache HTTP Server

By default, the Apache HTTP Server on RHEL uses the system-wide crypto policy that defines safe default values, which are also compatible with recent browsers. For example, the DEFAULT policy defines that only the TLSv1.2 and TLSv1.3 protocol versions are enabled in apache.

You can manually configure which TLS protocol versions your Apache HTTP Server supports. Follow the procedure if your environment requires to enable only specific TLS protocol versions, for example:

  • If your environment requires that clients can also use the weak TLS1 (TLSv1.0) or TLS1.1 protocol.
  • If you want to configure that Apache only supports the TLSv1.2 or TLSv1.3 protocol.

Prerequisites

Procedure

  1. Edit the /etc/httpd/conf/httpd.conf file, and add the following setting to the <VirtualHost> directive for which you want to set the TLS protocol version. For example, to enable only the TLSv1.3 protocol: 

    SSLProtocol -All TLSv1.3

  2. Restart the httpd service: 

    # systemctl restart httpd

Verification steps

  1. Use the following command to verify that the server supports TLSv1.3: 

    # openssl s_client -connect example.com:443 -tls1_3

  2. Use the following command to verify that the server does not support TLSv1.2: 

    # openssl s_client -connect example.com:443 -tls1_2

    If the server does not support the protocol, the command returns an error: 

    140111600609088:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1543:SSL alert number 70
  3. Optional: Repeat the command for other TLS protocol versions.

Additional resources

1.8.3. Setting the supported ciphers on an Apache HTTP Server

By default, the Apache HTTP Server uses the system-wide crypto policy that defines safe default values, which are also compatible with recent browsers. For the list of ciphers the system-wide crypto allows, see the /etc/crypto-policies/back-ends/openssl.config file.

You can manually configure which ciphers your Apache HTTP Server supports. Follow the procedure if your environment requires specific ciphers.

Prerequisites

Procedure

  1. Edit the /etc/httpd/conf/httpd.conf file, and add the SSLCipherSuite parameter to the <VirtualHost> directive for which you want to set the TLS ciphers: 

    SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!SHA1:!SHA256"

    This example enables only the EECDH+AESGCM, EDH+AESGCM, AES256+EECDH, and AES256+EDH ciphers and disables all ciphers which use the SHA1 and SHA256 message authentication code (MAC).

  2. Restart the httpd service: 

    # systemctl restart httpd

Verification steps

  1. To display the list of ciphers the Apache HTTP Server supports:

    1. Install the nmap package: 

      # dnf install nmap

    2. Use the nmap utility to display the supported ciphers: 

      # nmap --script ssl-enum-ciphers -p 443 example.com
...
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
...

Additional resources

1.9. Configuring TLS client certificate authentication

Client certificate authentication enables administrators to allow only users who authenticate using a certificate to access resources on the web server. You can configure client certificate authentication for the /var/www/html/Example/ directory.

If the Apache HTTP Server uses the TLS 1.3 protocol, certain clients require additional configuration. For example, in Firefox, set the security.tls.enable_post_handshake_auth parameter in the about:config menu to true. For further details, see Transport Layer Security version 1.3 in Red Hat Enterprise Linux 8.

Prerequisites

Procedure

  1. Edit the /etc/httpd/conf/httpd.conf file and add the following settings to the <VirtualHost> directive for which you want to configure client authentication: 

    <Directory "/var/www/html/Example/">
  SSLVerifyClient require
</Directory>

    The SSLVerifyClient require setting defines that the server must successfully validate the client certificate before the client can access the content in the /var/www/html/Example/ directory.

  2. Restart the httpd service: 

    # systemctl restart httpd

Verification steps

  1. Use the curl utility to access the https://example.com/Example/ URL without client authentication: 

    $ curl https://example.com/Example/
curl: (56) OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0

    The error indicates that the web server requires a client certificate authentication.

  2. Pass the client private key and certificate, as well as the CA certificate to curl to access the same URL with client authentication: 

    $ curl --cacert ca.crt --key client.key --cert client.crt https://example.com/Example/

    If the request succeeds, curl displays the index.html file stored in the /var/www/html/Example/ directory.

Additional resources

1.10. Securing web applications on a web server using ModSecurity

ModSecurity is an open source web application firewall (WAF) supported by various web servers such as Apache, Nginx, and IIS, which reduces security risks in web applications. ModSecurity provides customizable rule sets for configuring your server.

The mod_security-crs package contains the core rule set (CRS) with rules against cross-website scripting, bad user agents, SQL injection, Trojans, session hijacking, and other exploits.

1.10.1. Deploying the ModSecurity web-based application firewall for Apache

To reduce risks related to running web-based applications on your web server by deploying ModSecurity, install the mod_security and mod_security_crs packages for the Apache HTTP server. The mod_security_crs package provides the core rule set (CRS) for the ModSecurity web-based application firewall (WAF) module.

Procedure

  1. Install the mod_security, mod_security_crs, and httpd packages: 

    # dnf install -y mod_security mod_security_crs httpd

  2. Start the httpd server: 

    # systemctl restart httpd

Verification

  1. Verify that the ModSecurity web-based application firewall is enabled on your Apache HTTP server: 

    # httpd -M | grep security
 security2_module (shared)

  2. Check that the /etc/httpd/modsecurity.d/activated_rules/ directory contains rules provided by mod_security_crs: 

    # ls /etc/httpd/modsecurity.d/activated_rules/
...
REQUEST-921-PROTOCOL-ATTACK.conf
REQUEST-930-APPLICATION-ATTACK-LFI.conf
...

Additional resources

1.10.2. Adding a custom rule to ModSecurity

If the rules contained in the ModSecurity core rule set (CRS) do not fit your scenario and if you want to prevent additional possible attacks, you can add your custom rules to the rule set used by the ModSecurity web-based application firewall. The following example demonstrates the addition of a simple rule. For creating more complex rules, see the reference manual on the ModSecurity Wiki website.

Prerequisites

  • ModSecurity for Apache is installed and enabled.

Procedure

  1. Open the /etc/httpd/conf.d/mod_security.conf file in a text editor of your choice, for example: 

    # vi /etc/httpd/conf.d/mod_security.conf

  2. Add the following example rule after the line starting with SecRuleEngine On: 

    SecRule ARGS:data "@contains evil" "deny,status:403,msg:'param data contains evil data',id:1"

    The previous rule forbids the use of resources to the user if the data parameter contains the evil string.

  3. Save the changes, and quit the editor.

  4. Restart the httpd server: 

    # systemctl restart httpd

Verification

  1. Create a test.html page: 

    # echo "mod_security test" > /var/www/html/test.html

  2. Restart the httpd server: 

    # systemctl restart httpd

  3. Request test.html without malicious data in the GET variable of the HTTP request: 

    $ curl http://localhost/test.html?data=good

mod_security test

  4. Request test.html with malicious data in the GET variable of the HTTP request: 

    $ curl localhost/test.html?data=xxxevilxxx

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You do not have permission to access this resource.</p>
</body></html>

  5. Check the /var/log/httpd/error_log file, and locate the log entry about denying access with the param data containing an evil data message: 

    [Wed May 25 08:01:31.036297 2022] [:error] [pid 5839:tid 139874434791168] [client ::1:45658] [client ::1] ModSecurity: Access denied with code 403 (phase 2). String match "evil" at ARGS:data. [file "/etc/httpd/conf.d/mod_security.conf"] [line "4"] [id "1"] [msg "param data contains evil data"] [hostname "localhost"] [uri "/test.html"] [unique_id "Yo4amwIdsBG3yZqSzh2GuwAAAIY"]

Additional resources

1.11. Installing the Apache HTTP Server manual

You can install the Apache HTTP Server manual. This manual provides a detailed documentation of, for example:

  • Configuration parameters and directives
  • Performance tuning
  • Authentication settings
  • Modules
  • Content caching
  • Security tips
  • Configuring TLS encryption

After installing the manual, you can display it using a web browser.

Prerequisites

  • The Apache HTTP Server is installed and running.

Procedure

  1. Install the httpd-manual package: 

    # dnf install httpd-manual

  2. Optional: By default, all clients connecting to the Apache HTTP Server can display the manual. To restrict access to a specific IP range, such as the 192.0.2.0/24 subnet, edit the /etc/httpd/conf.d/manual.conf file and add the Require ip 192.0.2.0/24 setting to the <Directory "/usr/share/httpd/manual"> directive: 

    <Directory "/usr/share/httpd/manual">
...
    Require ip 192.0.2.0/24
...
</Directory>

  3. Restart the httpd service: 

    # systemctl restart httpd

Verification steps

  1. To display the Apache HTTP Server manual, connect with a web browser to http://host_name_or_IP_address/manual/

1.12. Working with Apache modules

The httpd service is a modular application, and you can extend it with a number of Dynamic Shared Objects (DSOs). Dynamic Shared Objects are modules that you can dynamically load or unload at runtime as necessary. You can find these modules in the /usr/lib64/httpd/modules/ directory.

1.12.1. Loading a DSO module

As an administrator, you can choose the functionality to include in the server by configuring which modules the server should load. To load a particular DSO module, use the LoadModule directive. Note that modules provided by a separate package often have their own configuration file in the /etc/httpd/conf.modules.d/ directory.

Prerequisites

  • You have installed the httpd package.

Procedure

  1. Search for the module name in the configuration files in the /etc/httpd/conf.modules.d/ directory: 

    # grep mod_ssl.so /etc/httpd/conf.modules.d/*

  2. Edit the configuration file in which the module name was found, and uncomment the LoadModule directive of the module: 

    LoadModule ssl_module modules/mod_ssl.so

  3. If the module was not found, for example, because a RHEL package does not provide the module, create a configuration file, such as /etc/httpd/conf.modules.d/30-example.conf with the following directive: 

    LoadModule ssl_module modules/<custom_module>.so

  4. Restart the httpd service: 

    # systemctl restart httpd

1.12.2. Compiling a custom Apache module

You can create your own module and build it with the help of the httpd-devel package, which contains the include files, the header files, and the APache eXtenSion (apxs) utility required to compile a module.

Prerequisites

  • You have the httpd-devel package installed.

Procedure

  • Build a custom module with the following command: 

    # apxs -i -a -c module_name.c

Verification steps

1.13. Exporting a private key and certificates from an NSS database to use them in an Apache web server configuration

Since RHEL 8 we no longer provide the mod_nss module for the Apache web server, and Red Hat recommends using the mod_ssl module. If you store your private key and certificates in a Network Security Services (NSS) database, follow this procedure to extract the key and certificates in Privacy Enhanced Mail (PEM) format.

1.14. Additional resources