How do I investigate issues related to the CA bundle for mTLS listeners on the Application Load Balancer?


I want to resolve issues related to the Certificate Authority (CA) bundle for mutual TLS (mTLS) in the Application Load Balancer.

Short description

Mutual TLS (mTLS) authentication is a variation of Transport Layer Security (TLS). The Application Load Balancer uses TLS to negotiate mutual authentication between itself and the client.

The Application Load Balancer provides two options for mTLS:

  • Mutual TLS passthrough: The Application Load Balancer uses HTTP headers to send the whole client certificate chain to the target. Use the client certificate chain to implement the corresponding authentication and authorization logic in your application.
  • Mutual TLS verify: The Application Load Balancer performs an X.509 client certificate authentication for clients when it negotiates TLS connections.

Note: An error occurs if any certificate within the CA bundle in the Amazon Elastic Compute Cloud (Amazon EC2) trust store doesn't meet the requirements.

Resolution

Prerequisites

Be sure to check the following:

Quotas

Make sure that you are within the quota limits for the following:

  • Trust stores
  • CA certificates
  • Certificate Revocation Lists

Certificates

The Application Load Balancer has requirements for certificates that are used for mutual TLS authentication. For more information on these requirements, see Before you begin configuring mutual TLS on your Application Load Balancer.

Verify that the certificates within the CA bundle meet the conditions listed in the prerequisites

  1. To review every certificate present within the bundle, run the following command:

    gawk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert." c ".pem"}' < CertificateBundle.pem

    Note: This command reads the CA .pem file and creates one file for every certificate in it. For example, a CA .pem file that contains two certificates is broken out into two files: cert.1.pem and cert.2.pem.

  2. To check the certificate for the required values, run the following command:
    Note: This example uses the first certificate from the CA .pem file (cert.1.pem). OpenSSL 3 labels the key size line "Public-Key:" rather than "RSA Public-Key:", so the fourth grep matches both forms.

    openssl x509 -in cert.1.pem -text | grep "Subject:" | sed 's/.*CN = /Subject: /' && \
    openssl x509 -in cert.1.pem -text | grep -A 3 "Version:" && \
    openssl x509 -in cert.1.pem -text | grep -A 2 "Validity" && \
    openssl x509 -in cert.1.pem -text | grep -B 1 -E "(RSA )?Public-Key:" && \
    openssl x509 -in cert.1.pem -text | grep -A 1 "Basic Constraints" && \
    openssl x509 -in cert.1.pem -text | grep -A 1 "X509v3 Extended Key Usage:"

    You receive the following output:

      • The subject name of the certificate
      • The version of the certificate
      • The serial number of the certificate
      • The validity period of the certificate
      • The public key encryption type and size
      • Whether or not the certificate is set to CA
      • The extended key usage types

Troubleshooting tip

If any certificates that are present in the CA bundle fail to meet the defined requirements, you receive an error. For example:

Error: "The basic constraints extension must specify that the certificate is for CA"

Example of a certificate that doesn't meet the requirements:

Subject: client.alb-mtls-example.com
        Version: 3 (0x2)
        Serial Number:
            0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f:0f
        Signature Algorithm: sha256WithRSAEncryption
        Validity
            Not Before: Apr  5 00:00:00 2024 GMT
            Not After : Apr  4 23:59:59 2025 GMT
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication

This example uses a version 3 certificate that has the supported signature, public key algorithm, size, validity dates, and the proper extended usage. However, the certificate is marked as CA: FALSE under Basic Constraints. This constraint means that it's a leaf certificate and not a CA certificate.

To use the CA bundle for the EC2 trust store, remove the non-compliant certificate from the bundle. Then, upload the bundle to the S3 bucket again.
Note: You might have more than one certificate that doesn't meet the requirements. Remove every non-compliant certificate from the bundle before you upload the CA bundle again.
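The checks from steps 1 and 2, together with the CA:FALSE failure shown in the troubleshooting tip, as one added POSIX shell script that is not part of the original article. It assumes openssl and awk are installed, checks only version, Basic Constraints, validity and RSA key size (the 2048 to 4096 bit range is assumed from the ALB mutual TLS prerequisites; confirm it there), and does not judge the extended key usage.

```shell
#!/bin/sh
# check_ca_bundle: split a PEM CA bundle into one file per certificate (the
# awk approach from step 1) and report, per certificate, the fields the
# openssl/grep commands in step 2 inspect: X.509 version 3, Basic Constraints
# CA:TRUE, currently valid, RSA key between 2048 and 4096 bits (range assumed
# from the ALB mutual TLS prerequisites). Prints "cert.N.pem: OK <subject>" or
# "cert.N.pem: FAIL <reasons> <subject>" and returns 1 if any certificate fails.
check_ca_bundle() {
    bundle="$1"
    workdir=$(mktemp -d)
    # Only lines after the first BEGIN CERTIFICATE are written (c>0), so a
    # leading comment in the bundle does not produce a bogus cert.0.pem.
    awk -v dir="$workdir" 'BEGIN {c=0} /BEGIN CERT/{c++} c>0 {print > (dir "/cert." c ".pem")}' < "$bundle"
    rc=0
    for f in "$workdir"/cert.*.pem; do
        [ -e "$f" ] || continue
        name=${f##*/}
        # Parse -text once; OpenSSL 1.1 prints "RSA Public-Key:", OpenSSL 3 "Public-Key:".
        if ! text=$(openssl x509 -in "$f" -noout -text 2>/dev/null); then
            echo "$name: FAIL unparsable"; rc=1; continue
        fi
        subject=$(openssl x509 -in "$f" -noout -subject)
        problems=""
        printf '%s\n' "$text" | grep -q 'Version: 3' || problems="$problems version!=3"
        printf '%s\n' "$text" | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' \
            || problems="$problems CA:FALSE"
        # -checkend 0 fails when the certificate has already expired.
        openssl x509 -in "$f" -noout -checkend 0 >/dev/null || problems="$problems expired"
        if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
            bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
            { [ "${bits:-0}" -ge 2048 ] && [ "${bits:-0}" -le 4096 ]; } \
                || problems="$problems rsa-size=${bits:-?}"
        fi
        if [ -z "$problems" ]; then
            echo "$name: OK $subject"
        else
            echo "$name: FAIL$problems $subject"; rc=1
        fi
    done
    rm -rf "$workdir"
    return $rc
}
```

Run it as `check_ca_bundle CertificateBundle.pem` before uploading the bundle to S3; every line marked FAIL names a certificate to remove.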

Related information

How do I use Amazon Athena to query my Application Load Balancer connection logs?

Introducing mTLS for Application Load Balancer

AWS OFFICIAL