Hello Team,
I am trying to enable mTLS for Amazon API Gateway for my endpoint, and I have my existing public key (PKI) for my domain (.crt & .key). While uploading my existing root CA public key to an S3 bucket, I am getting an error like "API Gateway couldn’t build a unique path from the given certificate to a root certificate". I am following the setup using this link:
Ref : https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/
Note : I am not using the openssl to generate the RootCA.pem & RootCA.key.
Step 1: (SKIP)
Create the private certificate authority (CA) private and public keys:
openssl genrsa -out RootCA.key 4096
openssl req -new -x509 -days 3650 -key RootCA.key -out RootCA.pem
Step 2:
Create client certificate private key and certificate signing request (CSR):
openssl genrsa -out my_client.key 2048
openssl req -new -key my_client.key -out my_client.csr
Step 3:
Sign the newly created client cert by using your certificate authority you previously created:
openssl x509 -req -in my_client.csr -CA RootCA.pem -CAkey RootCA.key -set_serial 01 -out my_client.pem -days 3650 -sha256
Step 4:
I have a minimum of five files in my directory
RootCA.key (root CA private key)
RootCA.pem (root CA public key)
my_client.csr (client certificate signing request)
my_client.key (client certificate private key)
my_client.pem (client certificate public key)
Step 5:
Prepare a PEM-encoded trust store file for all certificate authority public keys you want to use with mutual TLS:
cp RootCA.pem truststore.pem
Step 6:
Upload the trust store file to an Amazon S3 bucket in the same AWS account as our API Gateway API.
aws s3 mb s3://your-name-ca-truststore --region us-east-1 #creates a new S3 bucket – skip if using existing bucket
aws s3api put-bucket-versioning --bucket your-name-ca-truststore --versioning-configuration Status=Enabled #enables versioning on S3 bucket
aws s3 cp truststore.pem s3://your-name-ca-truststore/truststore.pem #uploads object to S3 bucket
Step 7:
Enabling mutual TLS on a custom domain name I have in the AWS API Gateway console.
While I upload my existing root CA public key to the S3 bucket, I am getting errors like:
Error : "API Gateway couldn’t build a unique path from the given certificate to a root certificate".
Error : "There is an invalid certificate in your truststore bundle
Mutual TLS is still enabled, but some clients might not be able to access your API. Upload a new truststore bundle version to S3, and then update your domain name to use the new version."
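The two error messages above are about the contents of truststore.pem, so it is worth checking the bundle locally before it is uploaded in step 6. The script below is an added example, not code from the question or from the AWS blog post. It uses only the openssl CLI and applies the rule API Gateway needs the bundle to satisfy: every certificate must chain, using nothing but other certificates in the same bundle, to a self-signed root that is also in the bundle, and no certificate may appear twice. The demo PKI it generates (root, intermediate, client leaf; all names are constructed) is only there so the check can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the question or the AWS blog post: a local pre-flight
# check for a PEM truststore bundle before it goes to S3 for API Gateway mutual TLS.
# Only the openssl CLI is used; the demo PKI (names are constructed) is generated here.
set -u

# openssl verify also consults the machine's default CA store unless told not to.
# API Gateway sees only the bundle, so the default store must be switched off.
NO_DEFAULTS="-no-CAfile -no-CApath"
if openssl verify -help 2>&1 | grep -q -- '-no-CAstore'; then
  NO_DEFAULTS="$NO_DEFAULTS -no-CAstore"   # OpenSSL 3 has a third default location
fi

# Split a PEM bundle into cert-1.pem, cert-2.pem, ... in a temp dir; prints the dir.
split_bundle() {
  d=$(mktemp -d)
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert-" n ".pem")}' "$1"
  echo "$d"
}

# Returns 0 when every certificate in the bundle chains, using the bundle alone, to a
# self-signed root that is also in the bundle and no certificate appears twice;
# returns 1 otherwise. One OK/FAIL line is printed per certificate.
check_truststore() {
  bundle=$1
  dir=$(split_bundle "$bundle")
  status=0
  roots=0
  for f in "$dir"/cert-*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject)
    iss=$(openssl x509 -in "$f" -noout -issuer)
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
      kind=root; roots=$((roots + 1))        # self-signed: subject == issuer
    else
      kind=intermediate/leaf
    fi
    # shellcheck disable=SC2086  (NO_DEFAULTS is meant to word-split)
    if openssl verify $NO_DEFAULTS -CAfile "$bundle" "$f" >/dev/null 2>&1; then
      echo "OK    $kind  $subj"
    else
      echo "FAIL  $kind  $subj  (no path to a root inside the bundle; $iss)"
      status=1
    fi
  done
  # A certificate present twice gives more than one path to a root.
  dups=$(for f in "$dir"/cert-*.pem; do openssl x509 -in "$f" -noout -fingerprint -sha256; done \
         | sort | uniq -d | wc -l | tr -d ' ')
  [ "$dups" -eq 0 ] || { echo "FAIL  $dups certificate(s) appear more than once"; status=1; }
  [ "$roots" -gt 0 ] || { echo "FAIL  bundle contains no self-signed root"; status=1; }
  rm -rf "$dir"
  return $status
}

# Throwaway PKI for the demo: root -> intermediate -> client leaf. Prints the dir.
make_test_pki() {
  d=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 30 -sha256 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
    -days 30 -sha256 -out "$d/leaf.pem" >/dev/null 2>&1
  echo "$d"
}

# Demo: one bundle that passes and two that reproduce the "no path to a root" situation.
pki=$(make_test_pki)
cat "$pki/root.pem" "$pki/int.pem" >"$pki/truststore.pem"
check_truststore "$pki/truststore.pem"
cp "$pki/int.pem" "$pki/orphan-intermediate.pem"
check_truststore "$pki/orphan-intermediate.pem" || echo "rejected: intermediate without its root"
cp "$pki/leaf.pem" "$pki/leaf-only.pem"
check_truststore "$pki/leaf-only.pem" || echo "rejected: certificate whose issuing CA is not in the bundle"
```

Run `check_truststore truststore.pem` on the file from step 5 before step 6. A FAIL line names a certificate whose issuer is not in the bundle; either add that issuer (and its issuer, up to the self-signed root) to the bundle or remove the certificate, then upload the result as a new S3 object version and point the custom domain name at that version. The machine's own CA store is deliberately disabled for the check, so a certificate issued by a CA that is not in the bundle is reported as FAIL even if the local system trusts that CA; only the bundle counts for API Gateway.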