Right now I have a server which should only be accessible by clients who have a particular valid certificate installed in their browser. This is called two-way SSL and it's a way to authenticate clients. I was wondering if it is possible to implement this in AWS Certificate Manager?
I'm asking this because when I do this manually, I have to generate client certificates on my machine individually using the CA's certificate and key. But when I use AWS Certificate Manager I don't think the key is accessible for me to generate the client certificates. Is that right? Does that mean that I can not use AWS Certificate Manager if I want to implement two-way SSL?
Currently you cannot use AWS ACM-issued certificates as client certificates, since ACM only allows them to be associated with the following AWS services.
AWS API Gateway
AWS CloudFront
AWS ELB/ALB
I am very new to this and struggling to understand AWS.
I had a single domain foo.mydomain.com. This was registered in Route53. And there was a certificate in AWS Certificate Manager that mapped to it.
Now I have two domains foo.mydomain.com & bar.mydomain.com. I have registered the latter in Route53. And I have requested and received a new certificate from AWS Certificate Manager. This one maps to both domains (via the "additional names" property).
How can I simply disable the old certificate and enable the new certificate?
I want the values for "In use?" above to be swapped.
You need to go to the services where you are utilizing these certificates (Load Balancers, CloudFront distributions or API Gateways) and change the certificate they are using there.
AWS Certificate Manager manages the SSL/TLS certificates. In general, certificates are configured and consumed on services like ALB (Application Load Balancer), API Gateway, Virtual Machine, CloudFront, etc. If you would like to update the certificate, modify the configuration on one of the above services as applicable in your case. While changing the configuration you have to choose the right certificate from ACM. Once the update is successful you will see the status in ACM.
Here is the AWS documentation that explains how to install/update SSL certificates:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-certificates.html
We'd like to use ACM to manage our certificates, allowing us to easily create them on the fly for a third-party (using CNAME validation). This works great, except we can't appear to get the private key we'd need to support the certificate via our frontend server, which is hosted by AWS but otherwise managed independently of any other AWS service. (It's essentially an Express server running on an EC2 instance.)
Is it possible to get the key value(s) out of ACM so that we can bootstrap a Node https server using them? Or does Amazon not support this at all?
The private key for an ACM certificate is maintained entirely within the service. There is no support for exporting the private key.
ACM certificates can only be used on specific AWS services. For more information see ACM FAQ and Supported services.
Every time I searched for Mutual Auth over SSL for AWS API Gateway I could only find MTLS between AWS API Gateway and backend services. But I'm looking to secure my AWS API Gateway endpoints themselves with MTLS (client auth).
For instance, I have a backend service QueryCustomer which I have proxied through AWS API Gateway. Now I can put an SSL cert on API Gateway but it's the usual 1-way SSL. What I want to achieve is MTLS with client auth, where the consumer of APIs from AWS API Gateway first has to exchange their public certificates, which we configure in the AWS truststore, and the AWS public certificates will be stored on the API consumer's end as well.
Now, during the handshake, as with other API gateways and application servers, should there be a property which says something like "this AWS API Gateway endpoint requires client auth", so that the API consumer is authenticated to access the endpoint only if its public cert is in the API Gateway truststore, and otherwise just gets a normal SSL handshake error?
Can someone advise if this is achievable on AWS API Gateway?
This is not currently available from API Gateway, but we have had requests from multiple customers for this feature. Unfortunately, I can't comment on ETA or availability.
23 September 2020
AWS now supports mutual TLS
https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-mutual-tls.html
Also, we can now disable the execute-api endpoint:
aws apigatewayv2 update-api \
--api-id abcdef123 \
--disable-execute-api-endpoint
To use mutual TLS, create a truststore of X.509 certificates that you trust to access your API. The certificates can be from public or private certificate authorities. Certificates can have a maximum chain length of four. You can also provide self-signed certificates. The following are supported:
SHA-256 or stronger
RSA-2048 or stronger
ECDSA-256 or stronger
API Gateway validates a number of certificate properties. You can use Lambda authorizers to perform additional checks when a client invokes an API, including checking if a certificate has been revoked. API Gateway validates the following certificate properties:
X.509 syntax: The certificate must meet X.509 syntax requirements.
Integrity: The certificate's content must not have been altered from that signed by the certificate authority from the truststore.
Validity: The certificate's validity period must be current.
Name chaining / key chaining: The names and subjects of certificates must form an unbroken chain. Certificates can have a maximum chain length of four.
I have deployed a Node.js app to a single-instance EC2 environment through Elastic Beanstalk. After this I deployed my app through Amazon API Gateway. My EC2 instance is public. I want to restrict it in such a way that it only accepts requests from Amazon API Gateway.
To do this I am following this: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
I generated a client-side certificate through API Gateway, but I don't know how to use or install this certificate on the EC2 instance so that the EC2 instance accepts requests only from AWS API Gateway. I am using a Node.js server in my application.
Please help.
The API Gateway client certificate feature does not use ACM certificates.
For client certificates, API Gateway generates its own, self-signed certificates and makes the PEM-encoded public key of the client certificate available to you for configuring your web server. API Gateway keeps the certificate's private key and uses it when making requests to your web server. By design, there is no way to export the private key from API Gateway, so you can be certain that the caller is API Gateway as no one else can get the private key.
To get the PEM-encoded public key of the client certificate, call get-client-certificate as documented here
Note that you must also configure your web server with a server certificate signed by a certificate authority which API Gateway trusts. Don't confuse this with the certificate used for a custom domain name. Those are used for TLS termination of incoming requests to your API. The server certificate I'm talking about for this use case is just used on your backend web server so API Gateway can call it via TLS.
It is recommended that you obtain, deploy, configure, and test with your server certificate before you enable the client certificate in API Gateway. Once you have your server certificate working with API Gateway, then enable the client-side certificate and modify your web server to require it.
This article describes how to configure both server side and client side certificates with Node.js.
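Added example (my own code, not from any of the answers above, and in Go rather than the Node.js server the question describes): the mutual-TLS answer for API Gateway's own endpoints and this answer for a backend sitting behind API Gateway come down to the same server-side setting, demand a client certificate and verify it against a truststore. The program below mints a throwaway private CA, an API Gateway-style self-signed client certificate and a backend certificate, builds the truststore from the CA plus the self-signed certificate (the "no CA involved" case this answer describes), and then runs a real mutual-TLS handshake per client over loopback so the accepted and rejected cases can be observed rather than described. The CA names, the 127.0.0.1 address and the validity periods are assumptions of the example. Go is used because its standard library can mint the certificates offline; the Node.js equivalent of mtlsServerConfig is https.createServer with requestCert: true, rejectUnauthorized: true and ca set to the same truststore PEM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns a fresh P-256 key and a certificate signed by parent, or self-signed when parent
// is nil. These throwaway keys stand in for the CA and client keys a real deployment keeps elsewhere.
func issue(cn string, isCA bool, eku x509.ExtKeyUsage, notAfter time.Time, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // loopback SAN; only the backend cert needs it
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// mtlsServerConfig is the backend-side setting: present the server certificate and finish the
// handshake only for clients whose certificate chains to the truststore. Go's verifier covers the
// X.509 syntax, integrity, validity and chaining checks; revocation belongs in VerifyPeerCertificate.
func mtlsServerConfig(serverCert tls.Certificate, truststore *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    truststore,
	}
}

// handshake runs one TLS handshake over loopback and returns the server's verdict.
func handshake(server, client *tls.Config) error {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		raw := must(ln.Accept())
		defer raw.Close()
		verdict <- tls.Server(raw, server).Handshake()
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), client); err == nil {
		defer conn.Close() // closed after the verdict, so the server's last reads never race it
	}
	return <-verdict
}

// runScenarios mints a throwaway CA, several clients and a backend cert, then reports the backend's verdict per client (nil means accepted).
func runScenarios() map[string]error {
	day, auth := time.Now().Add(24*time.Hour), x509.ExtKeyUsageClientAuth
	ca, rogue := issue("Example Private CA", true, 0, day, nil), issue("Rogue CA", true, 0, day, nil)
	gateway := issue("api-gateway", false, auth, day, nil) // self-signed, like the one API Gateway generates
	truststore := x509.NewCertPool()
	truststore.AddCert(ca.Leaf)
	truststore.AddCert(gateway.Leaf) // trusted as itself: no CA involved, only the gateway holds the key
	srv := issue("backend", false, x509.ExtKeyUsageServerAuth, day, nil)
	pinned := x509.NewCertPool() // clients pin the backend certificate rather than skip verification
	pinned.AddCert(srv.Leaf)
	clients := map[string]*tls.Config{
		"gateway-self-signed": {RootCAs: pinned, Certificates: []tls.Certificate{gateway}},
		"ca-issued":           {RootCAs: pinned, Certificates: []tls.Certificate{issue("consumer", false, auth, day, &ca)}},
		"no-cert":             {RootCAs: pinned},
		"untrusted-ca":        {RootCAs: pinned, Certificates: []tls.Certificate{issue("impostor", false, auth, day, &rogue)}},
		"expired":             {RootCAs: pinned, Certificates: []tls.Certificate{issue("stale", false, auth, time.Now().Add(-time.Minute), &ca)}},
	}
	out := map[string]error{}
	for name, cfg := range clients {
		out[name] = handshake(mtlsServerConfig(srv, truststore), cfg)
	}
	return out
}

func main() {
	fmt.Println(runScenarios()) // only gateway-self-signed and ca-issued map to <nil>
}
```

Run it with go run: only gateway-self-signed and ca-issued come back nil, while no-cert, untrusted-ca and expired fail inside the handshake itself, which is the plain TLS handshake error the earlier question asked for rather than an HTTP-level rejection. The four-certificate chain limit and the revocation check that API Gateway delegates to a Lambda authorizer have no counterpart in the fields of tls.Config; both would go in a VerifyPeerCertificate callback on the server configuration, which Go invokes with the already-verified chains.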
I'm hosting my app via firebase at www.example.com
I have several AWS Lambda functions with AWS API Gateway endpoints. According to the docs, to call my lambda functions via a subdomain on my example.com domain, I need a "PEM-encoded SSL certificate".
I'm assuming I shouldn't/don't have to create a new SSL certificate for this purpose, but I'm unclear how to proceed.
Can I obtain the required fields (certificate body, certificate chain, & private key) for my Firebase hosting SSL cert?
You cannot. Firebase Hosting provisions an SSL certificate on your behalf, but the private key used to generate that certificate belongs solely to Firebase and cannot be shared or downloaded. To get an SSL certificate for other services, you will need to purchase one or generate one through Let's Encrypt.