Use a non AWS issued certificate for API Gateway with mTLS

0

Hello

I want to use an imported certificate for TLS for my custom domain in API Gateway, and enable mTLS. The environment is all configured with Terraform. I've imported the certificate into ACM (publicly trusted cert), but I can't enable mTLS without using an OwnershipVerificationCertificate, which it seems can only be issued by AWS.

Why is this needed only when mTLS is selected? It doesn't seem to have any bearing on domain ownership whether we use mTLS or not. Can you not use the publicly trusted certificate imported into ACM, as that is already proof that we control the domain?

The issue for us is that this will then put a manual step in to renew this OwnershipVerificationCertificate, which of course will need to be monitored for expiry (the imported certs use ACME to renew, so that can be automated).

Hopefully I'm not understanding this fully, else it seems unnecessarily complex.

6 Answers
0

Thank you for the link, but I'm afraid that doesn't answer my question.

Can we answer why this is needed? And whether we are able to use our imported public certificate as the OwnershipVerificationCertificate?

answered 2 months ago
0

Hello,

API Gateway mandates the provision of an "ownership verification certificate" alongside the server certificate. This certificate is exclusively utilized to confirm domain ownership and isn't involved in the TLS handshake process. This certificate must be issued by an AWS-trusted certificate authority such as ACM. Even if a publicly-trusted certificate is employed for the server, API Gateway requires the ownership certificate to validate domain control. It's important to note that the ownership certificate is distinct from the server/client certificates utilized in the TLS handshake and is solely utilized to demonstrate domain ownership to API Gateway.

I hope this one provides more clarity to you.

Thanks

answered 2 months ago
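An added example, not from the question or any of the answers, showing how the pieces described in the answer above fit together in Terraform: the imported certificate serves TLS, a separate ACM-issued, DNS-validated certificate for the same domain satisfies the ownership verification requirement, and mTLS points at an S3 truststore. The domain api.example.com, the variables and the truststore path are assumptions.

```hcl
# Added example, not from the question or answers. Assumed names: api.example.com, var.hosted_zone_id, var.truststore_bucket, var.truststore_object_version.

# Server certificate: the imported, publicly trusted cert that ACME renews (re-import into the same ACM ARN keeps this stable).
data "aws_acm_certificate" "imported" {
  domain      = "api.example.com"
  types       = ["IMPORTED"]
  most_recent = true
}

# Ownership verification certificate: an ACM-issued public cert for the same domain; DNS validation lets ACM renew it while the CNAME stays in place.
resource "aws_acm_certificate" "ownership" {
  domain_name       = "api.example.com"
  validation_method = "DNS"
}

resource "aws_route53_record" "ownership_validation" {
  for_each = {
    for dvo in aws_acm_certificate.ownership.domain_validation_options :
    dvo.domain_name => dvo
  }
  zone_id         = var.hosted_zone_id
  name            = each.value.resource_record_name
  type            = each.value.resource_record_type
  ttl             = 60
  records         = [each.value.resource_record_value]
  allow_overwrite = true
}

resource "aws_acm_certificate_validation" "ownership" {
  certificate_arn         = aws_acm_certificate.ownership.arn
  validation_record_fqdns = [for r in aws_route53_record.ownership_validation : r.fqdn]
}

# Regional custom domain (mTLS is only supported on regional endpoints).
resource "aws_api_gateway_domain_name" "api" {
  domain_name              = "api.example.com"
  regional_certificate_arn = data.aws_acm_certificate.imported.arn # presented in the TLS handshake
  security_policy          = "TLS_1_2"
  endpoint_configuration {
    types = ["REGIONAL"]
  }

  # Client certificates are verified against the CA bundle in this S3 truststore; pin the object version.
  mutual_tls_authentication {
    truststore_uri     = "s3://${var.truststore_bucket}/truststore.pem"
    truststore_version = var.truststore_object_version
  }

  # Required only once mutual_tls_authentication is set; must be a public ACM certificate, not the imported one.
  ownership_verification_certificate_arn = aws_acm_certificate_validation.ownership.certificate_arn
}
```

Note that mTLS is enforced only on the custom domain; the API's default execute-api endpoint still accepts connections without a client certificate unless it is disabled (disable_execute_api_endpoint on the REST API resource).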
0

Thanks for responding.

Just to confirm, when you say "This certificate must be issued by an AWS-trusted certificate authority such as ACM", that I'm able to use a publicly trusted certificate imported into ACM (i.e. not issued by ACM) for the "ownership verification certificate"? But it can't be the same cert as the one used for TLS?

I've tried doing this, but am still getting the following error: "BadRequestException: Invalid ownershipVerificationCertificate. OwnershipVerificationCertificate should be a public ACM certificate."

Is this a problem with the cert I'm trying to import?

Thanks

answered 2 months ago
0

I'd also be interested to know why the "ownership verification certificate" is only required when mTLS is enabled; I don't understand why mTLS would require the domain to be validated.

answered 2 months ago
0

Would anyone be able to help with this?

Thanks, David

answered 2 months ago
