
Configuring HTTPS Mutual Authentication to Improve Service Security

Updated on 2024-07-11 GMT+08:00

Scenarios

In common HTTPS service scenarios, only the server certificate is required for authentication. For some mission-critical services, you need to deploy both the server certificate and the client certificate for mutual authentication.

Self-signed certificates are used as an example to describe how to configure mutual authentication. Self-signed certificates do not provide all the security properties provided by certificates signed by a CA. It is recommended that you purchase certificates from SSL Certificate Manager (SCM) or CAs.

Procedure

Figure 1 Procedure for configuring mutual authentication

Step 1: Add a CA Certificate Using OpenSSL

  1. Log in to a Linux server with OpenSSL installed.
  2. Create the ca directory and switch to it:

    mkdir ca

    cd ca

  3. Create the certificate configuration file ca_cert.conf. The file content is as follows:

    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no

    [ req_distinguished_name ]
    O                      = ELB

  4. Create the CA certificate private key ca.key.

    openssl genrsa -out ca.key 2048

    Figure 2 Private key of the CA certificate
  5. Create the certificate signing request (CSR) file ca.csr for the CA certificate.

    openssl req -out ca.csr -key ca.key -new -config ./ca_cert.conf

  6. Create the self-signed CA certificate ca.crt.

    openssl x509 -req -in ca.csr -out ca.crt -sha256 -days 5000 -signkey ca.key

    Figure 3 Creating a self-signed CA certificate

Step 2: Issue a Server Certificate Using the CA Certificate

The server certificate can be a CA signed certificate or a self-signed one. In the following steps, a self-signed certificate is used as an example to describe how to create a server certificate.

  1. Log in to the server where the CA certificate is generated.
  2. Create the server directory at the same level as the ca directory and switch to it:

    mkdir server

    cd server


  3. Create the certificate configuration file server_cert.conf. The file content is as follows:

    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no

    [ req_distinguished_name ]
    O                      = ELB
    CN                     = www.test.com

    NOTE:

    Set the CN field to the domain name or IP address of the Linux server.

  4. Create the server certificate private key server.key.

    openssl genrsa -out server.key 2048

  5. Create the CSR file server.csr for the server certificate.

    openssl req -out server.csr -key server.key -new -config ./server_cert.conf

  6. Use the CA certificate to issue the server certificate server.crt.

    openssl x509 -req -in server.csr -out server.crt -sha256 -CAcreateserial -days 5000 -CA ../ca/ca.crt -CAkey ../ca/ca.key

    Figure 4 Issuing a server certificate

Step 3: Issue a Client Certificate Using the CA Certificate

  1. Log in to the server where the CA certificate is generated.
  2. Create the client directory at the same level as the ca directory and switch to it:

    mkdir client

    cd client


  3. Create the certificate configuration file client_cert.conf. The file content is as follows:

    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no

    [ req_distinguished_name ]
    O                      = ELB
    CN                     = www.test.com

    NOTE:

    Set the CN field to the domain name or IP address of the Linux server.

  4. Create the client certificate private key client.key.

    openssl genrsa -out client.key 2048

    Figure 5 Creating a client certificate private key
  5. Create the CSR file client.csr for the client certificate.

    openssl req -out client.csr -key client.key -new -config ./client_cert.conf

    Figure 6 Creating a client certificate CSR file
  6. Use the CA certificate to issue the client certificate client.crt.

    openssl x509 -req -in client.csr -out client.crt -sha256 -CAcreateserial -days 5000 -CA ../ca/ca.crt -CAkey ../ca/ca.key

    Figure 7 Issuing a client certificate
  7. Convert the client certificate to a .p12 file that the browser can import.

    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

    NOTE:

    A password is required during command execution. Save this password, which will be required when you import the certificate using the browser.
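Steps 1 to 3 collected into one script, as an added example that is not Huawei Cloud tooling or text from this page. It assumes OpenSSL 1.1.1 or later on the PATH; the names "ELB Test CA", www.test.com and elb-demo-client, the hypothetical P12_PASSWORD environment variable and the directory layout are constructed. It goes beyond the steps above in two ways: every signature uses SHA-256 instead of SHA-1, and each certificate carries basicConstraints, keyUsage and extendedKeyUsage (plus a subjectAltName on the server certificate), which is what current browsers and OpenSSL 3 require before they accept a chain.

```shell
#!/bin/sh
# Added example, not Huawei Cloud tooling: Steps 1-3 as one script, followed by
# the checks ELB will effectively perform. Assumes OpenSSL 1.1.1+ on the PATH.
# "ELB Test CA", www.test.com, elb-demo-client and P12_PASSWORD are constructed.
set -eu

# Non-interactive req config in the same shape as the page's *_cert.conf files.
write_req_conf() {                         # $1 = output path, $2 = CN
    {
        echo "[ req ]"
        echo "distinguished_name = dn"
        echo "prompt = no"
        echo "[ dn ]"
        echo "O = ELB"
        echo "CN = $2"
    } > "$1"
}

# Key plus CSR in directory $1 with base name $2 and subject CN $3.
make_key_and_csr() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    write_req_conf "$1/$2_cert.conf" "$3"
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -config "$1/$2_cert.conf"
}

# Build CA, server and client certificates under $1. All signatures use
# SHA-256: browsers and OpenSSL 3 reject SHA-1 signed certificates, so the
# Step 7 handshake would fail before any client certificate is requested.
build_pki() {
    root="$1"
    mkdir -p "$root/ca" "$root/server" "$root/client"

    # Self-signed CA, explicitly marked as a CA so OpenSSL 3 accepts it as an issuer.
    make_key_and_csr "$root/ca" ca "ELB Test CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$root/ca/ca_ext.conf"
    openssl x509 -req -in "$root/ca/ca.csr" -signkey "$root/ca/ca.key" -sha256 -days 3650 \
        -extfile "$root/ca/ca_ext.conf" -out "$root/ca/ca.crt" 2>/dev/null

    # Server certificate: browsers match the host name against subjectAltName,
    # not CN, and extendedKeyUsage pins the certificate to the server role.
    make_key_and_csr "$root/server" server "www.test.com"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
        > "$root/server/server_ext.conf"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.test.com\n' \
        >> "$root/server/server_ext.conf"
    openssl x509 -req -in "$root/server/server.csr" -CA "$root/ca/ca.crt" -CAkey "$root/ca/ca.key" \
        -CAcreateserial -sha256 -days 3650 -extfile "$root/server/server_ext.conf" \
        -out "$root/server/server.crt" 2>/dev/null

    # Client certificate: the CN names the client, and clientAuth means a leaked
    # client certificate cannot be reused to impersonate the server.
    make_key_and_csr "$root/client" client "elb-demo-client"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
        > "$root/client/client_ext.conf"
    openssl x509 -req -in "$root/client/client.csr" -CA "$root/ca/ca.crt" -CAkey "$root/ca/ca.key" \
        -CAcreateserial -sha256 -days 3650 -extfile "$root/client/client_ext.conf" \
        -out "$root/client/client.crt" 2>/dev/null

    # PKCS#12 bundle for the browser import in Step 7; the password comes from
    # the environment so the run is reproducible (with OpenSSL 3, very old
    # browsers may need the bundle exported with -legacy).
    openssl pkcs12 -export -in "$root/client/client.crt" -inkey "$root/client/client.key" \
        -out "$root/client/client.p12" -passout "pass:${P12_PASSWORD:-changeit}"
}

# Exit 0 if certificate $1 chains to CA $2 and is valid for purpose $3
# (sslserver or sslclient), the same decision ELB makes during the handshake.
cert_ok_for() {
    openssl verify -CAfile "$2" -purpose "$3" "$1" >/dev/null 2>&1
}

# Exit 0 if the PKCS#12 file $1 opens with P12_PASSWORD and contains a certificate.
p12_readable() {
    openssl pkcs12 -in "$1" -passin "pass:${P12_PASSWORD:-changeit}" -nokeys 2>/dev/null |
        openssl x509 -noout -subject >/dev/null 2>&1
}

# Demonstration in a scratch directory; prints the directory so the files can be inspected.
demo() {
    d=$(mktemp -d)
    build_pki "$d"
    cert_ok_for "$d/server/server.crt" "$d/ca/ca.crt" sslserver && echo "server.crt: OK as server"
    cert_ok_for "$d/client/client.crt" "$d/ca/ca.crt" sslclient && echo "client.crt: OK as client"
    cert_ok_for "$d/server/server.crt" "$d/ca/ca.crt" sslclient || echo "server.crt: rejected as client"
    p12_readable "$d/client/client.p12" && echo "client.p12: opens with P12_PASSWORD"
    echo "$d"
}
demo
```

The checks at the end use openssl verify with -purpose, which mirrors what the load balancer does when a client presents its certificate: the chain must end at the uploaded ca.crt, and a certificate issued for one role is not accepted for the other. The same ca.crt can also replace -k in the Step 7 curl test (--cacert ca/ca.crt together with --resolve www.test.com:PORT:IP so the name in the certificate matches the address), so that the server is verified as well as the client.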

Step 4: Upload the Server Certificate to ELB

  1. Log in to the load balancer management console.
  2. In the navigation pane on the left, choose Certificates.
  3. Click Add Certificate. In the Add Certificate dialog box, select Server certificate, copy the content of the server certificate server.crt to the Certificate Content area and the content of the private key file server.key to the Private Key area, and click OK.
    NOTE:

    Delete the last newline character before you copy the content.

    NOTE:

    The certificate and private key must be PEM-encoded.

Step 5: Upload the CA Certificate to ELB

  1. Log in to the load balancer management console.
  2. In the navigation pane on the left, choose Certificates.
  3. Click Add Certificate. In the Add Certificate dialog box, select CA certificate, copy the content of CA certificate ca.crt created in Step 1: Add a CA Certificate Using OpenSSL to the Certificate Content area, and click OK.

    NOTE:

    Delete the last newline character before you copy the content.

    Figure 8 Adding a CA certificate
    NOTE:

    The certificate must be PEM-encoded.
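Three checks worth running before pasting material into the console in Steps 4 and 5, as an added example that is not Huawei Cloud tooling: is the file PEM (not DER or PKCS#12), does the private key actually belong to the certificate, and has the trailing newline been dropped as the notes above ask. A throwaway self-signed certificate and an unrelated key are generated so the script runs on its own; www.test.com is a constructed name and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not Huawei Cloud tooling: pre-upload checks for the files
# pasted into the ELB console. Generates its own throwaway certificate and
# keys; www.test.com and the file names are constructed.
set -eu

# Print the PEM block type from the first line ("CERTIFICATE", "PRIVATE KEY",
# "RSA PRIVATE KEY"); prints nothing for DER or PKCS#12 input, which the
# console does not accept.
pem_kind() {
    sed -n '1s/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Exit 0 if private key $2 belongs to certificate $1. Comparing the encoded
# public keys works for RSA and EC keys alike (-modulus is RSA-only).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Emit $1 exactly as it should be pasted: command substitution strips the
# trailing newline the page asks you to delete before copying.
pem_for_upload() {
    printf '%s' "$(cat "$1")"
}

# Scratch material in $1: a self-signed certificate with its key, plus an
# unrelated key that must be rejected.
make_fixture() {
    mkdir -p "$1"
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nO = ELB\nCN = www.test.com\n' \
        > "$1/cert.conf"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/server.key" -config "$1/cert.conf" -sha256 -days 30 \
        -out "$1/server.crt"
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

d=$(mktemp -d)
make_fixture "$d"
echo "server.crt is a PEM $(pem_kind "$d/server.crt"); server.key is a PEM $(pem_kind "$d/server.key")"
key_matches_cert "$d/server.crt" "$d/server.key" && echo "server.key matches server.crt"
key_matches_cert "$d/server.crt" "$d/other.key" || echo "other.key does not match server.crt (upload would fail)"
pem_for_upload "$d/server.crt" > "$d/paste.txt"
echo "paste.txt holds server.crt without its trailing newline"
```

The key/certificate comparison is the check that saves the most time: the console accepts the two text areas independently, so a mismatched pair is only discovered when the listener fails to serve the certificate.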

Step 6: Configure HTTPS Mutual Authentication

  1. Log in to the load balancer management console.
  2. Locate the target load balancer and click its name. Under Listeners, click Add Listener. Select HTTPS for Frontend Protocol and Mutual authentication for SSL Authentication, and select the CA certificate and server certificate you have added.
    Figure 9 Configuring mutual authentication

Step 7: Import the Client Certificate and Verify Mutual Authentication

Method 1: Using a browser

  1. Import the client certificate using a browser (Internet Explorer 11 is used as an example).
    1. Export client.p12 from the Linux server.
    2. Open the browser, choose Settings > Internet Options and click Content.
    3. Click Certificates and then Import to import the client.p12 certificate.
      Figure 10 Importing the client.p12 certificate
  2. Verify the import.
    Enter the access address in the address box of your browser. A window is displayed asking you to select the certificate. Select the client certificate and click OK. If the website can be accessed, the certificate is successfully imported.
    Figure 11 Accessing the website

Method 2: Using cURL

  1. Import the client certificate.

    Copy client certificate client.crt and private key client.key to a new directory, for example, /home/client_cert.

  2. Verify the import.
    In a shell, run the following command:
    curl -k --cert /home/client_cert/client.crt --key /home/client_cert/client.key https://XXX.XXX.XXX.XXX:XXX/ -I

    Ensure that the certificate path, private key path, IP address and listening port of the load balancer are correct. Replace https://XXX.XXX.XXX.XXX:XXX with the actual IP address and port number. If the expected response code is returned, the certificate is successfully imported.

    Figure 12 Example of a correct response code
