APIGateway with mTLS accepts different client certificates issued by the same CA


I'm trying to set up an API in APIGateway with mTLS. I built the truststore file composing the RootCA - IntermediateCA - ClientCertificate. The client can make calls to the API, but it seems that the API accepts multiple certificates signed by the same CA. I don't understand:

  • what should I put in the truststore?
  • at step 6 in this guide it says:

Upload the RootCA.pem to the Amazon S3 bucket truststore. I don't understand why I should do that.

Thank you

1 Answer
Accepted Answer

You must include the complete chain of trust, starting from the issuing CA certificate, up to the root CA certificate, in your truststore.

What you are seeing is normal behaviour

API Gateway accepts client certificates issued by any CA present in the chain of trust.

What you require is a way to revoke the client certs:

Adding a certificate revocation list

AWS Certificate Manager Private Certificate Authority (ACM Private CA) can be natively configured with an optional certificate revocation list (CRL).

A CRL is a way for a certificate authority (CA) to make it known that one or more of its digital certificates are no longer trustworthy. When it revokes a certificate, it invalidates the certificate ahead of its expiration date. The certificate authority can revoke an issued certificate for several reasons, the most common one being that the certificate's private key is compromised.

API Gateway HTTP APIs mTLS setup can be used along with all existing API Gateway authorizer options. You can further extend validation to AWS Lambda authorizers, which can be configured to validate the client certificates against this certificate revocation list (CRL).

Some info here https://aws.amazon.com/blogs/compute/automating-mutual-tls-setup-for-amazon-api-gateway/ https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html#rest-api-mutual-tls-prerequisites

answered 8 months ago
reviewed 8 months ago
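The answer's point is that the truststore only establishes *which CAs* may vouch for a client; it says nothing about *which individual client certificates* are still acceptable. The Lambda authorizer it mentions is where that second check lives. The following is an added example (not code from the question, the answer, or AWS) of an HTTP API Lambda authorizer that reads the client certificate details API Gateway places in `requestContext.authentication.clientCert`, pins the expected issuer DN, checks the validity window, and rejects any serial number found on the CA's revocation list. The revoked serials and the issuer DN are constructed sample values; in a real deployment the serials would be loaded from the CRL that ACM Private CA publishes (for example fetched from S3 and parsed with the `cryptography` package's `x509.load_der_x509_crl`), which is left out here so the example runs offline with the standard library only. The timestamp format assumed for `validity.notBefore` / `notAfter` is the OpenSSL-style `"May 28 12:30:02 2019 GMT"` that API Gateway uses in its documented event samples.

```python
"""Lambda authorizer: accept only non-revoked client certs from the expected CA.

Added example for the re:Post thread above; not AWS or the poster's own code.
"""
import datetime

# Constructed sample of serial numbers the private CA has revoked.
# In production, populate this from the CA's CRL instead of hard-coding it.
REVOKED_SERIALS = {"0a:1b:2c:3d", "ff:00:11:22"}

# Assumed issuer DN of the intermediate CA that signs legitimate client certs.
# Pinning it means a cert from another CA in the truststore chain is rejected
# here even though API Gateway itself would have accepted its TLS handshake.
TRUSTED_ISSUER_DN = "CN=ExampleIntermediateCA,O=Example Corp"


def normalize_serial(serial):
    """Compare serials as integers so '0A:1B' and 'a1b' match the CRL entry."""
    hexdigits = serial.replace(":", "").strip().lower()
    if hexdigits.startswith("0x"):
        hexdigits = hexdigits[2:]
    return int(hexdigits, 16)


def parse_validity_time(text):
    """Parse 'May 28 12:30:02 2019 GMT' into an aware UTC datetime."""
    parts = text.split()                      # collapses the double space before single-digit days
    if parts and parts[-1].upper() in ("GMT", "UTC"):
        parts = parts[:-1]
    naive = datetime.datetime.strptime(" ".join(parts), "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=datetime.timezone.utc)


def check_client_cert(client_cert, revoked_serials, trusted_issuer_dn, now):
    """Return (allowed, reason) for the clientCert object API Gateway provides."""
    issuer = client_cert.get("issuerDN", "")
    if issuer != trusted_issuer_dn:
        return False, "issuer not allowed: %s" % issuer

    validity = client_cert.get("validity", {})
    not_before = parse_validity_time(validity.get("notBefore", ""))
    not_after = parse_validity_time(validity.get("notAfter", ""))
    if not (not_before <= now <= not_after):
        return False, "certificate outside its validity period"

    revoked = {normalize_serial(s) for s in revoked_serials}
    if normalize_serial(client_cert.get("serialNumber", "0")) in revoked:
        return False, "certificate revoked"

    return True, "ok"


def handler(event, context=None):
    """HTTP API (payload v2.0) simple-response authorizer entry point."""
    cert = (event.get("requestContext", {})
                 .get("authentication", {})
                 .get("clientCert"))
    if not cert:
        # mTLS was not negotiated for this request; deny rather than fall through.
        return {"isAuthorized": False, "context": {"reason": "no client certificate"}}

    now = datetime.datetime.now(datetime.timezone.utc)
    allowed, reason = check_client_cert(cert, REVOKED_SERIALS, TRUSTED_ISSUER_DN, now)
    # The context is passed to the integration so the backend can log who called.
    return {"isAuthorized": allowed,
            "context": {"subject": cert.get("subjectDN", ""), "reason": reason}}


def sample_event(serial_number, issuer_dn=TRUSTED_ISSUER_DN):
    """Constructed event in the shape API Gateway sends for an mTLS request."""
    return {"requestContext": {"authentication": {"clientCert": {
        "clientCertPem": "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----",
        "subjectDN": "CN=client-1,O=Example Corp",
        "issuerDN": issuer_dn,
        "serialNumber": serial_number,
        "validity": {"notBefore": "May 28 12:30:02 2019 GMT",
                     "notAfter": "Aug  5 09:36:04 2099 GMT"},
    }}}}


if __name__ == "__main__":
    print(handler(sample_event("1a2b3c")))           # allowed
    print(handler(sample_event("0A1B2C3D")))         # revoked serial
    print(handler(sample_event("1a2b3c", "CN=OtherCA")))  # wrong issuer
```

Because the gateway has already verified the TLS signature chain, the authorizer does not need to re-validate the PEM; it only decides whether this particular certificate is still trusted. Deploy it with a short cache TTL (or none) so a newly revoked certificate is refused promptly.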
