All Products
Search
Document Center

Container Service for Kubernetes:Use HTTPS mutual authentication to enhance service security

Last Updated:Aug 22, 2024

The HTTPS mutual authentication mechanism ensures that the server and client can verify the identity of each other. You can use HTTPS mutual authentication to guarantee service security in the finance, IoT, enterprise internal service, or public service sectors that involve privacy protection or in scenarios where services are exposed only to specific clients.

Comparison between HTTPS one-way authentication and HTTPS mutual authentication

  • HTTPS one-way authentication: The client downloads the SSL or TLS certificate from the server to verify the identity of the server and establishes a secure channel. The server cannot verify the identity of the client.

  • HTTPS mutual authentication: The client downloads the SSL or TLS certificate from the server to verify the identity of the server. Meanwhile, the client sends its SSL or TLS certificate to the server as a proof of its identity. A secure channel is established only after the client and server verify the identity of each other. In most cases, the server holds the root CA certificate and the client holds the SSL or TLS certificate signed and issued based on the root CA certificate. Therefore, the server can verify the identity of the client. Using HTTPS mutual authentication allows you to expose services only to trusted clients, which can prevent man-in-the-middle attacks and enhance service security.

Prerequisites

(Optional) Step 1: Generate a self-signed CA certificate

You can perform the following steps to generate a root CA certificate.

  1. Run the following command to create a private key:

    openssl genrsa -out ca.key 4096
  2. Run the following command to create a certificate signing request (CSR):

    openssl req -new -out ca.csr -key ca.key

    Specify the certificate information after you run the preceding commands. The following sample code block shows the parameters and sample values:

    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:bj
    Locality Name (eg, city) [Default City]:bj
    Organization Name (eg, company) [Default Company Ltd]:alibaba
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, your name or your servers hostname) []:root
    Email Address []:a.alibaba.com
    A challenge password []:

    The following table describes the parameters.

    Parameter

    Required

    Description

    Country Name

    Yes

    The country code, which usually consists of two letters, such as cn (China).

    State or Province Name

    Yes

    The name of the province or autonomous region.

    Locality Name

    Yes

    The name of the city.

    Organization Name

    Yes

    The name of the organization, such as the company name.

    Organizational Unit Name

    Yes

    The name of the department.

    Common Name

    No

    A commonly used name.

    Email Address

    No

    The email address used to contact the certificate administrator.

    A challenge password

    No

    The password used to enhance the security of the CSR. In this example, no password is set.

  3. Run the following command to create a root CA certificate:

    openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key -CAcreateserial -days 3650

    After the preceding operations are performed, run the ls command to view the private key file and certificate file of the root certificate in the current directory.

    ca.crt ca.csr ca.key

    ca.crt is the root CA certificate file, ca.csr is the CSR file, and ca.key is the private key file.

Step 2: Upload the certificate

  1. Log on to the Certificate Management Service console. In the left-side navigation pane, click Certificate Application Repository.

  2. On the Certificate Application Repository page, click Create Repository. In the Create Repository panel, set the following parameters and click OK.

    Parameter

    Description

    Repository Name

    The name of the repository. You can specify a custom name.

    Data Source

    Select Upload CA Certificates to upload private certificates signed and issued by third-party certificate authorities.

  3. On the Certificate Application Repository page, click the repository that you created. On the Manage Certificates page, click Uploaded Certificates.

  4. In the CA Information panel, set the parameters based on the following table to upload the CA certificate that you created in Step 3 and click Confirm and Enable.

    Parameter

    Description

    Package Name

    Enter a custom name for the certificate that you want to upload.

    CA Certificates

    Enter the content of the private certificate file or select Upload to upload a certificate file.

  5. Click Details on the right side of the certificate and record the certificate identifier.

Step 3: Use the root CA certificate to generate a client certificate

  1. Run the following command to generate a private key for the client certificate:

    openssl genrsa -out client.key 4096
  2. Run the following command to generate a CSR for creating a client certificate:

    openssl req -new -out client.csr -key client.key

    Specify the certificate information after you run the preceding commands. The following sample code block shows the parameters and sample values:

    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:bj
    Locality Name (eg, city) [Default City]:bj
    Organization Name (eg, company) [Default Company Ltd]:alibaba
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, your name or your servers hostname) []:root
    Email Address []:a.alibaba.com
    A challenge password []:

    The following table describes the parameters.

    Parameter

    Required

    Description

    Country Name

    Yes

    The country code, which usually consists of two letters, such as cn (China).

    State or Province Name

    Yes

    The name of the province or autonomous region.

    Locality Name

    Yes

    The name of the city.

    Organization Name

    Yes

    The name of the organization, such as the company name.

    Organizational Unit Name

    Yes

    The name of the department.

    Common Name

    No

    A commonly used name.

    Email Address

    No

    The email address used to contact the certificate administrator.

    A challenge password

    No

    The password used to enhance the security of the CSR. In this example, no password is set.

  3. Run the following commands to generate a client certificate:

    openssl x509 -req -in client.csr -out client.crt -signkey client.key -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650

    ca.crt and ca.key are the root CA certificate file and private key file.

  4. After the preceding operations are performed, run the ls command to view the generated client certificate in the current directory.

    client.crt client.csr client.key

    client.crt is the client certificate file signed based on the root CA certificate, client.csr is the CSR file, and client.key is the client private key file.

Step 4: Enable and test mutual authentication

  1. Enable mutual authentication for HTTPS listeners.

    1. Run the following command to modify the AlbConfig:

      kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.
    2. Add the caEnabled field to the HTTPS listener and set it to true, and add the caCertifates.CertificateId field to the listener and set it to the identifier of the root CA certificate obtained in Step 2.

      apiVersion: alibabacloud.com/v1
      kind: AlbConfig
      metadata:
        name: #...
      spec:
        config:
          #...
        listeners:
        - port: 443
          protocol: HTTPS
          caEnabled: true # Add the caEnabled field and set the value to true.
          caCertificates:
          - CertificateId: 0e40dda998174723af39d37fcaf***** # Specify the identifier of the root CA certificate obtained in Step 2.
          certificates:
            #...
  2. Test mutual authentication.

    1. Run the following command to view Ingress information.

      kubectl get ingress

      Expected output:

      NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
      https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m

      Copy the values under HOSTS and ADDRESS for later use.

    2. Run the following command to access the service with the client certificate and private key in this topic. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the preceding step.

      curl -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com --cert client.crt --key client.key

      If the following output is returned, mutual authentication is configured:

      old

(Optional) Step 5: Disable mutual authentication

  1. Run the following command to modify the AlbConfig:

    kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.
  2. Set the caEnabled field to false to disable mutual authentication.

    apiVersion: alibabacloud.com/v1
    kind: AlbConfig
    metadata:
      name: #...
    spec:
      config:
        #...
      listeners:
      - port: 443
        protocol: HTTPS
        caEnabled: false # Set the value to false.
        caCertificates:
        - CertificateId: 0e40dda998174723af39d37fcaf*****
        certificates:
          #...

References