Your private CA isn't trusted; that is, it doesn't appear in the CA certificate bundle of the client that's trying to hit the endpoint.
Mutual TLS Authentication may help you to achieve what it is that you want here https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/
It's behaving exactly how you set it up. An AWS Private CA is technically a self-signed certificate from which you issue more certificates. The only way to have this work, I think, is to install the certificate chain from the Private CA.
I believe what you should do is to create a Private API Gateway and use an ACM issued certificate instead which is signed by a trusted root certificate.
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html
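The trust failure both answers describe can be reproduced locally without any AWS resources. The script below is an added example, not code from the thread or from AWS: it builds a throwaway private CA with the openssl CLI (assumed to be installed), issues a leaf certificate from it, and then verifies that leaf against two different trust bundles. All names, paths and the "unrelated public CA" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the re:Post thread): show that a certificate issued by a
# private CA only validates for a client whose trust bundle contains that CA's root.
# Assumes the openssl CLI is available; every name and path below is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Helper: create a self-signed root CA certificate and key (stands in for an
# AWS Private CA root, which is likewise self-signed).
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.crt" >/dev/null 2>&1
}

make_root "Example Private CA"  private-ca   # the CA that issued the endpoint cert
make_root "Unrelated Public CA" public-ca    # stands in for the client's default bundle

# Leaf certificate for the custom domain, signed by the private CA only.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=api.example.internal" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
  -CA "$WORK/private-ca.crt" -CAkey "$WORK/private-ca.key" -CAcreateserial \
  -out "$WORK/leaf.crt" >/dev/null 2>&1

# verify_leaf BUNDLE: prints "trusted" when the leaf chains to a root found in
# BUNDLE, "untrusted" otherwise. This is the same path-validation check a TLS
# client performs against its CA bundle during the handshake.
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Client whose bundle includes the private CA root: validation succeeds.
with_private_ca() { verify_leaf "$WORK/private-ca.crt"; }

# Client whose bundle holds only unrelated public roots: validation fails,
# which is the "private CA isn't trusted" situation from the question.
with_other_bundle() { verify_leaf "$WORK/public-ca.crt"; }

echo "bundle contains private CA root:    $(with_private_ca)"
echo "bundle holds only unrelated roots:  $(with_other_bundle)"
```

Running it prints `trusted` for the first check and `untrusted` for the second. The fix the answers point at is exactly the difference between those two bundles: either the client gets the private CA's chain installed, or the endpoint presents a certificate whose chain terminates in a root the client already holds.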
I wonder if AWS Private Certificate Authority is not a sufficient CA to establish a connection between ALB and API Gateway custom domain (both of them using the same ACM certificate)?
ALBs do not care about self-signed certs, btw. They ignore invalid certs.