- Newest
- Most votes
- Most comments
You must include the complete chain of trust, starting from the issuing CA certificate, up to the root CA certificate, in your truststore.
What you are seeing is normal behaviour
API Gateway accepts client certificates issued by any CA present in the chain of trust.
What you require is a way to revoke the client certs:
Adding a certificate revocation list
AWS Certificate Manager Private Certificate Authority (ACM Private CA) can be natively configured with an optional certificate revocation list (CRL).
CRL is a way for certificate authority (CA) to make it known that one or more of their digital certificates is no longer trustworthy. When they revoke a certificate, they invalidate the certificate ahead of its expiration date. The certificate authority can revoke an issued certificate for several reasons, the most common one being that the certificate’s private key are compromised.
API Gateway HTTP APIs mTLS setup can be used along with all existing API Gateway authorizer options. You can further extend validation to AWS Lambda authorizers, which can be configured to validate the client certificates against this certificate revocation list (CRL).
Some info here https://aws.amazon.com/blogs/compute/automating-mutual-tls-setup-for-amazon-api-gateway/ https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html#rest-api-mutual-tls-prerequisites
Relevant content
- asked 2 years ago
- asked 3 months ago
AWS OFFICIALUpdated 6 months ago- AWS OFFICIALUpdated a year ago
Thank you for your answer! Is there any method to accept just a specific client certificate?
I dont believe so.. I have just updated the answer, You would have to maint a CRL to block certificates you no longer wish to allow access.
Some info here https://aws.amazon.com/blogs/compute/automating-mutual-tls-setup-for-amazon-api-gateway/ https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html#rest-api-mutual-tls-prerequisites