The HTTPS mutual authentication mechanism ensures that the server and client can verify the identity of each other. You can use HTTPS mutual authentication to guarantee service security in the finance, IoT, enterprise internal service, or public service sectors that involve privacy protection or in scenarios where services are exposed only to specific clients.
Comparison between HTTPS one-way authentication and HTTPS mutual authentication
HTTPS one-way authentication: The client downloads the SSL or TLS certificate from the server to verify the identity of the server and establishes a secure channel. The server cannot verify the identity of the client.
HTTPS mutual authentication: The client downloads the SSL or TLS certificate from the server to verify the identity of the server. Meanwhile, the client sends its own SSL or TLS certificate to the server as proof of its identity. A secure channel is established only after the client and server have verified the identity of each other. In most cases, the server holds the root CA certificate and the client holds an SSL or TLS certificate that was signed and issued by that root CA. Therefore, the server can verify the identity of the client. Using HTTPS mutual authentication allows you to expose services only to trusted clients, which can prevent man-in-the-middle attacks and enhance service security.
Prerequisites
An SSL or TLS certificate is configured by following the steps in Configure HTTPS certificates for encrypted communication.
A root CA certificate is obtained. You can obtain a root CA certificate in one of the following ways:
Purchase a certificate in the Certificate Management Service console. For more information, see Purchase and enable a private CA.
(Optional) Follow the steps in (Optional) Step 1: Generate a self-signed CA certificate to generate a self-signed certificate.
(Optional) Step 1: Generate a self-signed CA certificate
You can perform the following steps to generate a root CA certificate.
Run the following command to create a private key:
openssl genrsa -out ca.key 4096
Run the following command to create a certificate signing request (CSR):
openssl req -new -out ca.csr -key ca.key
Specify the certificate information at the prompts that appear after you run the preceding command. The following sample shows the prompts and sample values:
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:alibaba
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your servers hostname) []:root
Email Address []:a.alibaba.com
A challenge password []:
The following table describes the parameters.
Parameter | Required | Description
Country Name | Yes | The country code, which usually consists of two letters, such as cn (China).
State or Province Name | Yes | The name of the province or autonomous region.
Locality Name | Yes | The name of the city.
Organization Name | Yes | The name of the organization, such as the company name.
Organizational Unit Name | Yes | The name of the department.
Common Name | No | A commonly used name.
Email Address | No | The email address used to contact the certificate administrator.
A challenge password | No | The password used to enhance the security of the CSR. In this example, no password is set.
Run the following command to create a root CA certificate:
openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key -CAcreateserial -days 3650
After the preceding operations are performed, run the ls command to view the private key file and certificate file of the root certificate in the current directory.
ca.crt ca.csr ca.key
ca.crt is the root CA certificate file, ca.csr is the CSR file, and ca.key is the private key file.
Step 2: Upload the certificate
Log on to the Certificate Management Service console. In the left-side navigation pane, click Certificate Application Repository.
On the Certificate Application Repository page, click Create Repository. In the Create Repository panel, set the following parameters and click OK.
Parameter | Description
Repository Name | The name of the repository. You can specify a custom name.
Data Source | Select Upload CA Certificates to upload private certificates signed and issued by third-party certificate authorities.
On the Certificate Application Repository page, click the repository that you created. On the Manage Certificates page, click Uploaded Certificates.
In the CA Information panel, set the parameters based on the following table to upload the root CA certificate that you created in Step 1 (or purchased, see Prerequisites) and click Confirm and Enable.
Parameter | Description
Package Name | Enter a custom name for the certificate that you want to upload.
CA Certificates | Enter the content of the private certificate file or select Upload to upload a certificate file.
Click Details on the right side of the certificate and record the certificate identifier.
Step 3: Use the root CA certificate to generate a client certificate
Run the following command to generate a private key for the client certificate:
openssl genrsa -out client.key 4096
Run the following command to generate a CSR for creating a client certificate:
openssl req -new -out client.csr -key client.key
Specify the certificate information at the prompts that appear after you run the preceding command. The following sample shows the prompts and sample values:
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:alibaba
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your servers hostname) []:root
Email Address []:a.alibaba.com
A challenge password []:
The following table describes the parameters.
Parameter | Required | Description
Country Name | Yes | The country code, which usually consists of two letters, such as cn (China).
State or Province Name | Yes | The name of the province or autonomous region.
Locality Name | Yes | The name of the city.
Organization Name | Yes | The name of the organization, such as the company name.
Organizational Unit Name | Yes | The name of the department.
Common Name | No | A commonly used name.
Email Address | No | The email address used to contact the certificate administrator.
A challenge password | No | The password used to enhance the security of the CSR. In this example, no password is set.
Run the following command to generate a client certificate:
openssl x509 -req -in client.csr -out client.crt -signkey client.key -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650
ca.crt and ca.key are the root CA certificate file and its private key file.
After the preceding operations are performed, run the ls command to view the generated client certificate in the current directory.
client.crt client.csr client.key
client.crt is the client certificate file signed by the root CA certificate, client.csr is the CSR file, and client.key is the client private key file.
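As an added example (not part of the original page or of the ALB product), the script below runs Steps 1 and 3 non-interactively and then performs the two checks the HTTPS listener will later depend on: that client.crt chains to the CA certificate you upload in Step 2, and that it is not merely self-signed. It assumes only the openssl CLI with its default openssl.cnf; every file name, the 2048-bit key size and the second, unrelated CA are constructed here for the demonstration.

```shell
#!/bin/sh
# Non-interactive version of Steps 1 and 3, plus the checks to run before
# uploading ca.crt (Step 2) and handing client.crt to a client. Added example,
# not from the original page; assumes only that the openssl CLI is on PATH.
set -eu

SUBJ="/C=cn/ST=bj/L=bj/O=alibaba/OU=test"   # the page's sample prompt values
WORK="${WORK:-$(mktemp -d)}"                 # all files are constructed here

# Step 1: root CA. `req -x509` self-signs in one go; the default openssl.cnf
# applies its v3_ca extensions (basicConstraints CA:TRUE) to the result.
make_ca() {   # $1 = file prefix (2048-bit keys only to keep the demo fast)
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/$1.key" -out "$WORK/$1.crt" -days 3650 \
    -subj "$SUBJ/CN=$1" 2>/dev/null
}

# Step 3: client certificate signed by the CA. -CA/-CAkey is what chains it to
# the root; -signkey (which self-signs) is deliberately not used here.
make_client() {   # $1 = client prefix, $2 = CA prefix
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$SUBJ/CN=$1" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -out "$WORK/$1.crt" -days 3650 2>/dev/null
}

# Check 1: does the client certificate chain to the CA that Step 2 uploads?
# This is the same trust decision the listener makes when caEnabled is true.
chains_to() {   # $1 = client prefix, $2 = CA prefix; prints ok or fail
  if openssl verify -no-CApath -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

# Check 2: a client certificate whose issuer equals its subject was never signed
# by the CA (the -signkey-only path) and would be rejected by the listener.
is_self_signed() {   # $1 = prefix; prints yes or no
  s=$(openssl x509 -in "$WORK/$1.crt" -noout -subject | sed 's/^subject=//')
  i=$(openssl x509 -in "$WORK/$1.crt" -noout -issuer  | sed 's/^issuer=//')
  if [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

make_ca root
make_ca other-root       # unrelated CA, constructed only for the negative check
make_client client root
echo "client chains to root:       $(chains_to client root)"        # ok
echo "client chains to other-root: $(chains_to client other-root)"  # fail
echo "client self-signed:          $(is_self_signed client)"        # no
echo "root self-signed:            $(is_self_signed root)"          # yes
```

A client certificate that fails the first check, or answers yes to the second, will be rejected by the listener no matter what the curl test in Step 4 is run with.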
Step 4: Enable and test mutual authentication
Enable mutual authentication for HTTPS listeners.
Run the following command to modify the AlbConfig:
kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.
Add the caEnabled field to the HTTPS listener and set it to true, and add the caCertificates.CertificateId field to the listener and set it to the identifier of the root CA certificate obtained in Step 2.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: #...
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: HTTPS
    caEnabled: true # Add the caEnabled field and set the value to true.
    caCertificates:
    - CertificateId: 0e40dda998174723af39d37fcaf***** # Specify the identifier of the root CA certificate obtained in Step 2.
    certificates:
    #...
Test mutual authentication.
Run the following command to view Ingress information:
kubectl get ingress
Expected output:
NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m
Copy the values under HOSTS and ADDRESS for later use.
Run the following command to access the service with the client certificate and private key generated in this topic. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values obtained in the preceding step.
curl -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com --cert client.crt --key client.key
If the following output is returned, mutual authentication is configured:
old
(Optional) Step 5: Disable mutual authentication
Run the following command to modify the AlbConfig:
kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.
Set the caEnabled field to false to disable mutual authentication.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: #...
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: HTTPS
    caEnabled: false # Set the value to false.
    caCertificates:
    - CertificateId: 0e40dda998174723af39d37fcaf*****
    certificates:
    #...
References
To enable HTTP/3 for listeners, see Use a QUIC listener to support HTTP/3.
If your web service is vulnerable to intrusions or requires higher security, you can use WAF-enabled Application Load Balancer (ALB) instances. For more information, see Use WAF-enabled ALB instances to protect applications.