Configure HTTPS mutual authentication for ALB Ingresses to enhance service security - Container Service for Kubernetes

The HTTPS mutual authentication mechanism ensures that the server and client can verify the identity of each other. You can use HTTPS mutual authentication to guarantee service security in the finance, IoT, enterprise internal service, or public service sectors that involve privacy protection or in scenarios where services are exposed only to specific clients.

Comparison between HTTPS one-way authentication and HTTPS mutual authentication

HTTPS one-way authentication: The client downloads the SSL or TLS certificate from the server to verify the identity of the server and establishes a secure channel. The server cannot verify the identity of the client.
HTTPS mutual authentication: The client downloads the SSL or TLS certificate from the server to verify the identity of the server. Meanwhile, the client sends its SSL or TLS certificate to the server as a proof of its identity. A secure channel is established only after the client and server verify the identity of each other. In most cases, the server holds the root CA certificate and the client holds the SSL or TLS certificate signed and issued based on the root CA certificate. Therefore, the server can verify the identity of the client. Using HTTPS mutual authentication allows you to expose services only to trusted clients, which can prevent man-in-the-middle attacks and enhance service security.

Prerequisites

An SSL or TLS certificate is configured by following the steps in Configure HTTPS certificates for encrypted communication.
A root CA certificate is obtained. You can obtain a root CA certificate in one of the following ways:
- Purchase a certificate in the Certificate Management Service console. For more information, see Purchase and enable a private CA.
- (Optional) Follow the steps in (Optional) Step 1: Generate a self-signed CA certificate to generate a self-signed certificate.

(Optional) Step 1: Generate a self-signed CA certificate

You can perform the following steps to generate a root CA certificate.

Run the following command to create a private key:
```
openssl genrsa -out ca.key 4096
```

Run the following command to create a certificate signing request (CSR):

openssl req -new -out ca.csr -key ca.key

Specify the certificate information after you run the preceding commands. The following sample code block shows the parameters and sample values:

Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:alibaba
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your servers hostname) []:root
Email Address []:a.alibaba.com
A challenge password []:

The following table describes the parameters.

Parameter	Required	Description
Country Name	Yes	The country code, which usually consists of two letters, such as cn (China).
State or Province Name	Yes	The name of the province or autonomous region.
Locality Name	Yes	The name of the city.
Organization Name	Yes	The name of the organization, such as the company name.
Organizational Unit Name	Yes	The name of the department.
Common Name	No	A commonly used name.
Email Address	No	The email address used to contact the certificate administrator.
A challenge password	No	The password used to enhance the security of the CSR. In this example, no password is set.

Run the following command to create a root CA certificate:
```
openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key -CAcreateserial -days 3650
```
After the preceding operations are performed, run the ls command to view the private key file and certificate file of the root certificate in the current directory.
```
ca.crt ca.csr ca.key
```
ca.crt is the root CA certificate file, ca.csr is the CSR file, and ca.key is the private key file.

Step 2: Upload the certificate

Log on to the Certificate Management Service console. In the left-side navigation pane, click Certificate Application Repository.

On the Certificate Application Repository page, click Create Repository. In the Create Repository panel, set the following parameters and click OK.

Parameter	Description
Repository Name	The name of the repository. You can specify a custom name.
Data Source	Select Upload CA Certificates to upload private certificates signed and issued by third-party certificate authorities.

On the Certificate Application Repository page, click the repository that you created. On the Manage Certificates page, click Uploaded Certificates.

In the CA Information panel, set the parameters based on the following table to upload the CA certificate that you created in Step 3 and click Confirm and Enable.

Parameter	Description
Package Name	Enter a custom name for the certificate that you want to upload.
CA Certificates	Enter the content of the private certificate file or select Upload to upload a certificate file.

Click Details on the right side of the certificate and record the certificate identifier.

Step 3: Use the root CA certificate to generate a client certificate

Run the following command to generate a private key for the client certificate:
```
openssl genrsa -out client.key 4096
```

Run the following command to generate a CSR for creating a client certificate:

openssl req -new -out client.csr -key client.key

Specify the certificate information after you run the preceding commands. The following sample code block shows the parameters and sample values:

Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:alibaba
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your servers hostname) []:root
Email Address []:a.alibaba.com
A challenge password []:

The following table describes the parameters.

Parameter	Required	Description
Country Name	Yes	The country code, which usually consists of two letters, such as cn (China).
State or Province Name	Yes	The name of the province or autonomous region.
Locality Name	Yes	The name of the city.
Organization Name	Yes	The name of the organization, such as the company name.
Organizational Unit Name	Yes	The name of the department.
Common Name	No	A commonly used name.
Email Address	No	The email address used to contact the certificate administrator.
A challenge password	No	The password used to enhance the security of the CSR. In this example, no password is set.

Run the following commands to generate a client certificate:
```
openssl x509 -req -in client.csr -out client.crt -signkey client.key -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650
```
ca.crt and ca.key are the root CA certificate file and private key file.
After the preceding operations are performed, run the ls command to view the generated client certificate in the current directory.
```
client.crt client.csr client.key
```
client.crt is the client certificate file signed based on the root CA certificate, client.csr is the CSR file, and client.key is the client private key file.

Step 4: Enable and test mutual authentication

Enable mutual authentication for HTTPS listeners.

Run the following command to modify the AlbConfig:

kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

Add the caEnabled field to the HTTPS listener and set it to true, and add the caCertifates.CertificateId field to the listener and set it to the identifier of the root CA certificate obtained in Step 2.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: #...
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: HTTPS
    caEnabled: true # Add the caEnabled field and set the value to true.
    caCertificates:
    - CertificateId: 0e40dda998174723af39d37fcaf***** # Specify the identifier of the root CA certificate obtained in Step 2.
    certificates:
      #...

Test mutual authentication.
1. Run the following command to view Ingress information.
```
kubectl get ingress
```
  Expected output:
```
NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m
```
  Copy the values under HOSTS and ADDRESS for later use.
2. Run the following command to access the service with the client certificate and private key in this topic. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the preceding step.
```
curl -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com --cert client.crt --key client.key
```
  If the following output is returned, mutual authentication is configured:
```
old
```

(Optional) Step 5: Disable mutual authentication

Run the following command to modify the AlbConfig:

kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.

Set the caEnabled field to false to disable mutual authentication.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: #...
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: HTTPS
    caEnabled: false # Set the value to false.
    caCertificates:
    - CertificateId: 0e40dda998174723af39d37fcaf*****
    certificates:
      #...

References

To enable HTTP/3 for listeners, see Use a QUIC listener to support HTTP/3.
If your web service is vulnerable to intrusions or requires higher security, you can use WAF-enabled Application Load Balancer (ALB) instances. For more information, see Use WAF-enabled ALB instances to protect applications.