How do I use AWS private CA to configure mTLS on the Application Load Balancer?

Resolution

Follow these steps to create a private CA for mTLS authentication in the AWS Management Console.

Create Application Load Balancer with HTTPS listener

Create an HTTPS listener for your Application Load Balancer.

Use AWS private CA to create the root CA certificate bundle

1. Log in to the AWS Management Console.
2. Go to AWS private Certificate Authority.
3. Choose Create private CA. Select Root CA, and then fill in the details. Keep the rest as default. Choose Private CA.
4. Choose Actions. Then, choose Install CA certificate.
5. Select Expiry, and then confirm your choice. Then, choose Install.

Use AWS private CA to create two subordinate CAs

After you install the root CA, create two more subordinate CAs. Then, use these CAs to issue end entity certificates.
Note: You can create up to four subordinate certificates on the Application Load Balancer. For more information on CA hierarchy, see Designing a CA hierarchy.

Create a subordinate CA1

Complete these steps on the AWS Management Console:

1. Go to AWS private Certificate Authority, and then choose Create private CA.
2. Select Subordinate CA, and then fill in the details. Choose Create CA.
   Note: Make sure to enter a different Subject Distinguished CA Name (for example, Common name (CN) as SubCA1) in the field for the details.
3. Choose Actions. Then, choose Install CA certificate.
4. Select Root CA as the Parent CA.
5. Select Expiry and confirm your choice. Then, choose Install.
   Note: Make sure that the expiry date is lower than the one assigned to Root CA.
6. Select path length as 1 or 2 for adding more subordinate certs. Or, keep it as 0, based on your use case.

Create subordinate CA2

Complete the following steps:

1. Follow steps 1-3 that you used earlier to create subordinate CA1.
2. Select Subordinate CA1 as the Parent CA.
   Note: For step 2, enter a different Subject Distinguished CA Name (for example, Common name(CN) as SubCA2) in the field for the details.
3. Specify Expiry and confirm. Then, choose Install.
   Note: Make sure the expiry date is lower than the one assigned to subordinate CA1.

You now have Root CA (Level 1) that signs subordinate CA1 (Level 2). Subordinate CA1 in turn signs subordinate CA2 (Level 3)
Note: The maximum certificate chain depth for the Application Load Balancer is four.

Upload the certificate bundle to Amazon Simple Storage Service

Complete these steps on the AWS Management Console:

1. Create a file named CABundle.pem, and then copy the certificate chain and certificate body from subordinate CA2. (Certificate chain, Certificate body in this order)
2. Create an Amazon S3 bucket with the required policy. For example:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "Service": "acm-pca.amazonaws.com"
               },
               "Action": [
                   "s3:PutObject",
                   "s3:PutObjectAcl",
                   "s3:GetBucketAcl",
                   "s3:GetBucketLocation"
               ],
               "Resource": [
                   "arn:aws:s3:::<bucket-name>/*",
                   "arn:aws:s3:::<bucket-name>"
               ],
               "Condition": {
                   "StringEquals": {
                       "aws:SourceAccount": "Your Acc Id",
                       "aws:SourceArn": arn:aws:acm-pca:us-east-1:<AccountID>:certificate-authority/abcde-efgh-45dd-b564-1234abcd"
                   }
               }
           }
       ]
   }

   Note : Replace <AccountID:certificate-authority/abcde-efgh-45dd-b564-1234abcd> with your account number and the Amazon Resource Name (ARN) of the subordinate CA2.
3. Upload CABundle.pem to your Amazon 3 bucket.

Create a trust store, and then associate it with the mTLS-activated listener

1. Create a trust store.
2. Associate the trust store with the mTLS listener on the Application Load Balancer.

Use the private CA to issue a client certificate

1. Use the following AWS Command Line Interface (AWS CLI) command to create a certificate signing request (CSR):

   openssl req -out client_csr1.pem -new -newkey rsa:2048 -nodes -keyout client_private-key1.pem 

   This command returns the CSR and the private key.
   Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

2. Issue a certificate using the AWS private CA that you just created:

   aws acm-pca issue-certificate \
         --certificate-authority-arn arn:aws:acm-pca:us-east-1:679542158453:certificate-authority/c929c98e-f0e8-45dd-b564-e2bb5b121b88 \
         --csr fileb://client_csr1.pem \
         --signing-algorithm "SHA256WITHRSA" \
         --validity Value=30,Type="DAYS" 

   This command returns the certificate's ARN.

3. Issue the certificate:

   aws acm-pca get-certificate \
         --certificate-authority-arn arn:aws:acm-pca:us-east-1:679542158453:certificate-authority/c929c98e-f0e8-45dd-b564-e2bb5b121b88 \
         --certificate-arn arn:aws:acm-pca:us-east-1:679542158453:certificate-authority/c929c98e-f0e8-45dd-b564-e2bb5b121b88/certificate/add80c25606b48fcd3c4472ae0962125 | \
         jq -r .'Certificate' > client_cert1.cert

Test mTLS

Pass the client certificate that you created in the request. If the process is successful, then you completed the two-way authentication. The load balancer authenticated the client certificate at the same time as the client authenticated the load balancer's certificate.

curl -ivk --cert client_cert1.cert --key client_private-key1.pem https://<elb-name>

Test certificate revocation

If an issued certificate is compromised or no longer required, revoke the certificate using the certificate revocation list (CRL). When you use an AWS private CA, you automatically create the .CRL file when you activate the CRL distribution.

To activate the CRL distribution on the AWS Management Console:

1. Go to subordinate CA2.
2. Choose Revocation configuration, and then select Activate CRL distribution.
3. Use the same S3 bucket as earlier, and then select Create. This creates a test file named acm-pca-permission-test-key-private if your S3 bucket policy is set correctly.

Revoke the certificate

To revoke a certificate, you must first get the serial number of the issued certificate.

1. To get the serial number, use the following AWS CLI command:

   openssl x509 -in   client_cert1.cert -text -noout  

2. Issue the revoke certificate command

   aws acm-pca revoke-certificate --certificate-authority-arn arn:aws:acm-pca:us-east-1:679542158453:certificate-authority/c929c98e-f0e8-45dd-b564-e2bb5b121b88 --certificate-serial ad:d8:0c:25:60:6b:48:fc:d3:c4:47:2a:e0:96:21:25 --revocation-reason "KEY_COMPROMISE" 

   This action creates a .CRL file in the S3 bucket. Note that it can take up to 30 minutes to create the .CRL file.

Update the trust store with the CRL file

Convert the file format

Use the AWS CLI command to change the file format:

Convert the .CRL in the S3 bucket to .pem format.
Note: The Application Load Balancer supports only CRL in the .pem format.

openssl crl -in revoked.crl -inform DER -out revoked_crl_in_pem.crl

Update the trust store

Complete these steps to update the trust store in the AWS Management Console:

1. Log in to the AWS Management Console.
2. Go to the Trust store.
3. Go to Certificate Revocation Lists. Select Add Revocation List.
4. Choose Browse S3. Then, select the .CRL file in the .pem format from the S3 bucket that you used earlier.
5. Choose Upload.

Note: Rerun the Test mTLS step. Note that mTLS authentication fails because you revoked the issued certificate.

You can also repeat the step Use the private CA to issue client certificates to issue multiple certificate and verify mTLS.