Mutual TLS with Commercial Client Certificates


I have set up and configured an API Gateway for using mutual TLS using the AWS documentation and it is working fine. I am trying to understand if it is possible/practical to use commercial/public CAs for generating the client certificates that are used in this context. While I understand that it would be technically possible, given that only the CA certificate goes into the truststore that is used to determine which client certificates are considered valid, it would seem that ANY client certificate issued by that commercial/public CA would pass that check ... hence, does that mean that in practice only self-signed client certificates should be used with this solution, or is there a 'secure' way for client certs from commercial/public CAs to work as well?

2 Answers

It is recommended to use a Private Certificate Authority that you have control over. This ensures that only clients that you have issued certificates to can connect to your service. Using a third-party Public CA means that ANY client that has a certificate issued by this CA will be able to connect to your service. Assuming the whole point of mTLS is that you can trust the client, and know them, then it must be a private CA that issued the cert.

answered 5 months ago

If I'm reading this correctly, you're asking if the client certificate can be generated by a CA, not by AWS?

From the documentation: "You can use API Gateway to generate an SSL certificate and then use its public key in the backend to verify that HTTP requests to your backend system are from API Gateway."

So Client Cert is downloaded to your system, to authenticate a request from AWS API Gateway... can you dig into why you'd want a separate trusted authority?

If you're asking about a non-AWS cert, you can upload that into AWS Certificate Manager.

answered 2 years ago
  • If I understand the documentation link that you provided, this is for having the API Gateway itself provide a client certificate to some backend service through HTTP (presumably using mTLS) ... what I am asking about is when external systems are talking to the API Gateway through mutual TLS. In this situation, it is these external systems that need to provide a client certificate to the API Gateway as documented here: As per this link, validation of the incoming client certs is via a truststore containing the appropriate CA(s), and it is these client certs that I am asking about here.

  • I think I'm with you now - thanks. If you want to restrict the custom API gateway domain to only your resources, make it a very tiny truststore (i.e. just your certs). If you want to let anyone ping your API gateway (think of some kind of a service provider), then you can open the truststore to any CA that you'd like. You'll want to evaluate your business case for API gateway (and all resources) through the lens of least privilege.

  • Can you clarify what exactly you mean by "make it a very tiny truststore (i.e. just your certs)"? As per the documentation I referenced above for setting up mTLS, you just put the relevant CA certs in the truststore ... so I can have a very 'tiny' truststore that only contains the single CA cert for some commercial CA; however, now any incoming request containing a client cert signed by that commercial CA would be allowed to pass through to my service? Can I somehow restrict it to only client certs that I have handed out from this commercial CA ... OR, as I state in my original question, is the only way to do that by using self-signed client certs?
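One way to get the restriction this thread is asking about (accept only the certificates you actually handed out through a public CA, not every certificate that CA has ever signed) is a Lambda authorizer that checks the already chain-validated client certificate against an allowlist of issuer and serial number. This is an added example, not code from the original post or from AWS; it assumes the REST API authorizer event carries the certificate fields at requestContext.identity.clientCert, and the CA names and serial numbers are constructed placeholders.

```python
"""Lambda authorizer that pins mTLS client certificates to an allowlist."""

# Constructed allowlist of the certificates you actually issued via the commercial
# CA, keyed by (issuer DN, serial number). All values here are placeholders.
ALLOWED_CLIENT_CERTS = {
    ("CN=Example Commercial CA,O=Example Inc,C=US", "0A1B2C3D4E5F"): "partner-a",
    ("CN=Example Commercial CA,O=Example Inc,C=US", "F0E1D2C3B4A5"): "partner-b",
}


def normalize_serial(serial):
    """Serials appear as hex, sometimes colon-separated and in mixed case."""
    return serial.replace(":", "").upper()


def lookup_client(client_cert):
    """Map a presented certificate to an allowlisted client name, or None.

    The chain check against the truststore has already passed; this is the
    step that separates your certificates from every other one the CA issued.
    """
    if not client_cert:
        return None
    issuer = ",".join(p.strip() for p in client_cert.get("issuerDN", "").split(","))
    serial = normalize_serial(client_cert.get("serialNumber", ""))
    return ALLOWED_CLIENT_CERTS.get((issuer, serial))


def build_policy(principal_id, effect, method_arn):
    """IAM policy document in the shape API Gateway expects from an authorizer."""
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}


def lambda_handler(event, context=None):
    """Assumed REST API event layout: requestContext.identity.clientCert."""
    cert = event.get("requestContext", {}).get("identity", {}).get("clientCert")
    method_arn = event.get("methodArn", "*")
    client = lookup_client(cert)
    if client is None:
        return build_policy("anonymous", "Deny", method_arn)
    return build_policy(client, "Allow", method_arn)
```

The truststore still does the cryptographic work; the authorizer only turns "issued by a CA I trust" into "issued to a client I know", which is the gap the private-CA answer above closes by construction.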
