Generating the Reference Key File (< 2.4.42)

To generate the reference key file, the cs_pkcs11 OpenSSL engine is used. A command like the following has to be run:

$ openssl pkeyutl -engine cs_pkcs11 -keyform ENGINE -inkey "keyref:token=CryptoServer%20PKCS11%20Token;id=%31%32%33;object=apache_priv_key_inside_HSM;pin-value=1234;file=/tmp/keyref.pem"

The command uses the URI to locate the private key inside the HSM and writes a reference to that private key into a file that looks like a key file. This reference file can then be used in the Apache configuration, so that Apache serves HTTPS with the real private key, which stays safely inside the HSM.

The URI syntax follows RFC 7512, with two differences: it begins with keyref: instead of pkcs11:, and if you want to specify the file into which the reference key is written, this must be the last parameter and must be named file. If the file parameter is not given, the reference key is created in /tmp/ref.key.pem.
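As an added example (not code from the cs_pkcs11 engine or from this page), the following Python checker applies the keyref: URI rules described above to a URI before it is handed to openssl: the scheme must be keyref:, attributes are ';'-separated and percent-encoded as in RFC 7512, file must be the last parameter, and /tmp/ref.key.pem is the default when file is absent. The attribute names and values are taken from the command shown above; the checker itself is an assumption about how one would validate such a URI, not the engine's own parser.

```python
"""Validate a cs_pkcs11 'keyref:' URI and resolve the reference file path."""
from urllib.parse import unquote, unquote_to_bytes

# Default location used by the engine when no file= attribute is given.
DEFAULT_REF_FILE = "/tmp/ref.key.pem"


def parse_keyref_uri(uri: str) -> dict:
    """Split a keyref: URI into decoded attributes.

    Returns a dict of attribute -> decoded value. 'id' is returned as bytes
    (PKCS#11 object ids are binary, percent-encoded in the URI); all other
    values are returned as str. The resolved reference file path is always
    present under 'file'. Raises ValueError when one of the page's rules is
    violated (wrong scheme, malformed attribute, 'file' not last).
    """
    scheme = "keyref:"
    if not uri.startswith(scheme):
        raise ValueError("URI must start with 'keyref:' (a pkcs11: URI is not accepted)")

    parts = uri[len(scheme):].split(";")
    attrs: dict = {}
    for idx, part in enumerate(parts):
        if "=" not in part:
            raise ValueError(f"malformed attribute (expected name=value): {part!r}")
        name, value = part.split("=", 1)
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        if name == "file" and idx != len(parts) - 1:
            raise ValueError("'file' must be the last parameter in the URI")
        # RFC 7512 percent-encoding: %20 -> ' ', %31%32%33 -> b'123'
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)

    # Fall back to the engine's default output path when file= is absent.
    attrs.setdefault("file", DEFAULT_REF_FILE)
    return attrs


def has_inline_pin(attrs: dict) -> bool:
    """True if the PIN travels inside the URI (and thus on the command line,
    where it can land in shell history and process listings)."""
    return "pin-value" in attrs
```

A URI that fails these checks would be rejected before openssl is invoked, which gives a clearer error than a reference file silently written to the default path.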