mutual TLS authentication for Amazon API Gateway - With my existing public key infrastructure (PKI) standard.

0

Hello Team,

I am trying to enable mTLS for Amazon API Gateway for my endpoint, and I have my existing public key infrastructure (PKI) certificate for my domain (.crt & .key). While trying to upload my existing root CA public key to an S3 bucket, I am getting an error like "API Gateway couldn’t build a unique path from the given certificate to a root certificate". I am following the setup from this link:

Ref : https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

Note : I am not using the openssl to generate the RootCA.pem & RootCA.key.

Step 1: (SKIP)

Create the private certificate authority (CA) private and public keys:

    openssl genrsa -out RootCA.key 4096
    openssl req -new -x509 -days 3650 -key RootCA.key -out RootCA.pem

Step 2:

Create the client certificate private key and certificate signing request (CSR):

    openssl genrsa -out my_client.key 2048
    openssl req -new -key my_client.key -out my_client.csr

Step 3:

Sign the newly created client cert by using the certificate authority you previously created:

    openssl x509 -req -in my_client.csr -CA RootCA.pem -CAkey RootCA.key -set_serial 01 -out my_client.pem -days 3650 -sha256

Step 4:

I have a minimum of five files in my directory:

    RootCA.key      (root CA private key)
    RootCA.pem      (root CA public key)
    my_client.csr   (client certificate signing request)
    my_client.key   (client certificate private key)
    my_client.pem   (client certificate public key)

Step 5:

Prepare a PEM-encoded trust store file for all certificate authority public keys you want to use with mutual TLS:

    cp RootCA.pem truststore.pem

Step 6:

Upload the trust store file to an Amazon S3 bucket in the same AWS account as our API Gateway API:

    aws s3 mb s3://your-name-ca-truststore --region us-east-1   # creates a new S3 bucket – skip if using an existing bucket
    aws s3api put-bucket-versioning --bucket your-name-ca-truststore --versioning-configuration Status=Enabled   # enables versioning on the S3 bucket
    aws s3 cp truststore.pem s3://your-name-ca-truststore/truststore.pem   # uploads the object to the S3 bucket

Step 7:

Enabling mutual TLS on a custom domain name I have in the AWS API Gateway console. When I upload my existing root CA public key to the S3 bucket, I am getting errors like:

Error : "API Gateway couldn’t build a unique path from the given certificate to a root certificate".

Error : "There is an invalid certificate in your truststore bundle Mutual TLS is still enabled, but some clients might not be able to access your API. Upload a new truststore bundle version to S3, and then update your domain name to use the new version."
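
As an added example (not from the post or from the AWS blog), a shell check for the truststore.pem from Steps 5 to 7 before it goes to S3: it requires every certificate in the bundle to be a CA certificate (basicConstraints CA:TRUE) and every certificate to chain, using only certificates inside the bundle, to a self-signed root that is also in the bundle. A bundle containing only a domain's leaf certificate, or an intermediate without its root, fails this check; it assumes openssl, awk and mktemp are on the PATH.

```shell
#!/bin/sh
# Added example (not from the post or AWS): sanity-check a PEM truststore
# bundle before uploading it to S3 for API Gateway mutual TLS. Every
# certificate must be a CA certificate, and every certificate must chain
# to a self-signed root that is present in the same bundle.
set -u

# Number of PEM certificates in a file.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Returns 0 when the bundle is acceptable, 1 otherwise; prints one line per problem.
check_truststore() {
  bundle="$1"; rc=0; roots=0
  tmp=$(mktemp -d) || return 1
  if [ "$(count_certs "$bundle")" -eq 0 ]; then
    echo "no certificates found in $bundle"; rm -rf "$tmp"; return 1
  fi
  # Split the bundle into one file per certificate: cert-0.pem, cert-1.pem, ...
  awk -v dir="$tmp" '
    /BEGIN CERTIFICATE/ { f = sprintf("%s/cert-%d.pem", dir, n++) }
    f                   { print > f }
    /END CERTIFICATE/   { close(f); f = "" }' "$bundle"
  for cert in "$tmp"/cert-*.pem; do
    subj=$(openssl x509 -in "$cert" -noout -subject)
    iss=$(openssl x509 -in "$cert" -noout -issuer)
    # A server or client (leaf) certificate cannot act as a trust anchor.
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
      echo "not a CA certificate: $subj"; rc=1
    fi
    # Self-signed root: subject and issuer are identical.
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
      roots=$((roots + 1))
    fi
    # The chain must end at a root that is present in this same bundle.
    if ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
      echo "no path to a root inside the bundle: $subj"; rc=1
    fi
  done
  if [ "$roots" -eq 0 ]; then
    echo "bundle contains no self-signed root certificate"; rc=1
  fi
  rm -rf "$tmp"
  return "$rc"
}

# Usage: sh check_truststore.sh truststore.pem
if [ $# -gt 0 ]; then check_truststore "$1"; fi
```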

2 Answers
0

Hi,

Can you try to create a RootCA with OpenSSL? This could be an issue with your RootCA having been generated without OpenSSL.

AWS
answered 2 years ago
0

Hello Team,

We are about to go live for the client with the mTLS setup on the AWS API Gateway. The example that AWS provides is fine up to sandbox testing. They have created Root CA private and public keys on their own and also created a client certificate and keys for the sandbox testing. But they are recommended to use a domain SSL or secured intermediate certificate, not self-created certificates. Do we need to use our domain SSL certificates as the Root CA certificate or as the client certificate? I’ve tried to set one as a Root CA, but when I try to upload it to the API Gateway, it fails, saying it is not a valid certificate. Can you please help us with what I’m doing wrong here?

answered 2 years ago
