How do I investigate issues related to the CA bundle for mTLS listeners on the Application Load Balancer?

Lecture de 4 minute(s)

I want to resolve issues related to the Certificate Authority (CA) bundle for mutual TLS (mTLS) in the Application Load Balancer.

Short description

Mutual TLS (mTLS) authentication is a variation of Transport Layer Security (TLS). The Application Load Balancer uses TLS to negotiate mutual authentication between itself and the client.

The Application Load Balancer provides two options for mTLS:

  • Mutual TLS passthrough: The Application Load Balancer uses HTTP headers to send the whole client certificate chain to the target. Use the client certificate chain to implement the corresponding authentication and authorization logic in your application.
  • Mutual TLS verify: The Application Load Balancer performs an X.509 client certificate authentication for clients when it negotiates TLS connections.

Note: An error occurs if any certificate within the CA bundle in the Amazon Elastic Compute Cloud (Amazon EC2) trust store doesn't meet the requirements.



Be sure to check the following:


Make sure that you are within the quota limits for the following:

  • Trust stores
  • CA certificates
  • Certificate Revocation Lists


The Application Load Balancer has requirements for certificates that are used for mutual TLS authentication. For more information on these requirements, see Before you begin configuring mutual TLS on your Application Load Balancer.

Verify that the certificates within the CA bundle meet the conditions listed in the prerequisites

  1. To review every certificate present within the bundle, run the following command:

    gawk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < CertificateBundle.pem

    Note: This command reads the CA .pem file, and then creates a file for every certificate within the file. For example, a CA .pem file that contains two certificates is broken out into two files: cert.1.pem and cert.2.pem

  2. To check the certificate for the required values, run the following command:
    Note: The name for this example is the first certificate located in the CA .pem file (cert.1.pem)

    openssl x509 -in cert.1.pem -text | grep "Subject:" | sed 's/.*CN = /Subject: /' && \
    openssl x509 -in cert.1.pem -text | grep -A 3 "Version:" && \
    openssl x509 -in cert.1.pem -text | grep -A 2 "Validity" && \
    openssl x509 -in cert.1.pem -text | grep -B 1 "RSA Public-Key:" && \
    openssl x509 -in cert.1.pem -text | grep -A 1 "Basic Constraints" && \
    openssl x509 -in cert.1.pem -text | grep -A 1 "X509v3 Extended Key Usage:"

    You receive the following output:
    The subject name of the certificate
    The version of the certificate
    The serial number of the certificate
    The validity period of the certificate
    The public key encryption type and size
    Whether or not the certificate is set to CA
    The extended key usage types

Troubleshooting tip

If any certificates that are present in the CA bundle fail to meet the defined requirements, you receive an error. For example:

Error: "The basic constraints extension must specify that the certificate is for CA"

Example of a certificate that doesn't meet the requirements:

        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha256WithRSAEncryption
            Not Before: Apr  5 00:00:00 2024 GMT
            Not After : Apr  4 23:59:59 2025 GMT
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
            X509v3 Basic Constraints: critical
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

This example uses a version 3 certificate that has the supported signature, public key algorithm, size, validity dates, and the proper extended usage. However, the certificate is marked as CA: FALSE under Basic Constraints. This constraint means that it's a leaf certificate and not a CA certificate.

To use the CA bundle for the EC2 trust store, remove the non-compliant certificate from the bundle. Then, upload the bundle to the S3 bucket again.
Note: You might have more than one certificate that doesn't meet the requirements. Remove each of the non-compliant certificate from the bundle before you upload the CA bundle again.

Related information

How do I identify and resolve client connection issues when I use mTLS with the Application Load Balancer?

How do I use Amazon Athena to query my Application Load Balancer connection logs?

Introducing mTLS for Application Load Balancer

AWS OFFICIELA mis à jour il y a 2 mois