By using AWS re:Post, you agree to the Terms of Use

Which AWS architecture solution is used to validate the client's certificate ?

0

For example, we are using Route 53 + ACM + ALB + ECS.

With this set of services, could you explain how to enable client's certificate validation ?

More precisely :

The goal is to establish a mutual authentication between the application and the clients : the application entry point is the Application Load Balancer, the clients come from the Internet.

The application needs to guarantee the client identity from their certificate.

We know that we can create an HTTPS listener for the Application Load Balancer (ALB).

Now, how to go further and establish mutual authentication, i.e. to require and to validate client certificates ?

Thank you for your expertise.

2 Answers
1
Accepted Answer

AFAIK mTLS is not supported on ALB since it always terminates the TLS connection. You can use a NLB instead to redirect the L4 traffic to a server which can deal with mTLS such as NGINX.

Hope it helps.

profile picture
answered 2 months ago
  • It technically solves the problem, but it leaves the responsibility to the application to manage the certificates itself and it remains moderately acceptable from a "security in depth" point of view. Thanks to the author of the answer.

0

Not sure if I understand your question correctly but You can use API gateway to configure client-side SSL authentication for sending requests to the integration endpoint (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-clientcertificate.html ) . For your own public domain You can configure certificate validation by DNS or Email validation. Validation is done by the server the same way the client validates the server's certificate through a signed certificate .Certificates managed in ACM use RSA keys with a 2048-bit modulus and SHA-256.

answered 2 months ago
  • Thank you for your answer. We have added clarifications to the question because we do not think you are answering the question.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions