Updated on 2022-01-25 GMT+08:00

Mutual Authentication

Scenarios

In common HTTPS scenarios only the server presents a certificate, so only the server is authenticated. For some mission-critical services, such as bank payment, the identities of both communication parties need to be verified. Mutual authentication provides this: the client also presents a certificate, and the load balancer accepts the TLS connection only if that certificate was issued by a CA certificate configured on the listener.

In this case, you need to deploy the server certificate and the CA certificate on the load balancer, and a client certificate on each client.

Self-signed certificates are used here to describe how to configure mutual authentication. Self-signed certificates do not provide all of the security properties that certificates signed by a trusted CA aim to provide: clients must explicitly trust the private CA created below. For the server certificate in production, obtain a certificate from a trusted CA. A private CA is the normal choice for issuing client certificates, but its private key must then be protected, because anyone holding it can issue client certificates that the listener will accept.

Create a CA Certificate Using OpenSSL

  1. Log in to a Linux server with OpenSSL installed.
  2. Create the ca directory and enter the directory:

    mkdir ca

    cd ca

  3. Create the certificate configuration file ca_cert.conf. The file content is as follows (prompt = no means the subject fields are read from this file instead of being asked interactively):

    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no

    [ req_distinguished_name ]
    O                      = ELB
  4. Create the CA certificate private key ca.key.

    openssl genrsa -out ca.key 2048

    Figure 1 Private key of the CA certificate
  5. Create the certificate signing request (CSR) file ca.csr for the CA certificate.

    openssl req -out ca.csr -key ca.key -new -config ./ca_cert.conf

  6. Create the self-signed CA certificate ca.crt.

    openssl x509 -req -in ca.csr -out ca.crt -sha256 -days 5000 -signkey ca.key

    Sign with -sha256. SHA-1 certificate signatures are rejected by current browsers and by OpenSSL 3 at its default security level, so a CA created with -sha1 would not be usable. Keep ca.key offline or strictly access-controlled: it is the key that decides which clients the load balancer trusts.

    Figure 2 Creating a self-signed CA certificate

Issue a Server Certificate Using the CA Certificate

The server certificate can be issued by a public CA or by the private CA created above. The following steps use the private CA created in Create a CA Certificate Using OpenSSL to issue the server certificate.

  1. Log in to the server where the CA certificate is generated.
  2. Create a directory at the same level as the directory of the CA certificate and enter the directory.

    mkdir server

    cd server

  3. Create the certificate configuration file server_cert.conf. The file content is as follows:
    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no
     
    [ req_distinguished_name ]
     O                      = ELB
    CN                     = www.test.com

    Set the CN field to the domain name (or IP address) that clients use to reach the load balancer. Note that current browsers ignore CN and match the name against the subjectAltName extension; if browsers must accept the server certificate, also add a subjectAltName entry for the same name when the certificate is issued.

  4. Create the server certificate private key server.key.

    openssl genrsa -out server.key 2048

  5. Create the CSR file server.csr for the server certificate.

    openssl req -out server.csr -key server.key -new -config ./server_cert.conf

  6. Use the CA certificate to issue the server certificate server.crt.

    openssl x509 -req -in server.csr -out server.crt -sha256 -CAcreateserial -days 5000 -CA ../ca/ca.crt -CAkey ../ca/ca.key

    -CAcreateserial creates the serial number file ca.srl next to ca.crt on first use and reuses it afterwards, so every certificate issued by this CA gets a distinct serial number.

    Figure 3 Issuing a server certificate

Issue a Client Certificate Using the CA Certificate

  1. Log in to the server where the CA certificate is generated.
  2. Create a directory at the same level as the directory of the CA certificate and enter the directory.

    mkdir client

    cd client

  3. Create the certificate configuration file client_cert.conf. The file content is as follows:
    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no
     
    [ req_distinguished_name ]
     O                      = ELB
    CN                     = www.test.com

    Set the CN field to a name that identifies the client (for example a user, device or service name). It does not need to match the server's domain name: what the listener checks is that the client certificate chains to the configured CA certificate.

  4. Create the client certificate private key client.key.

    openssl genrsa -out client.key 2048

    Figure 4 Creating a client certificate private key
  5. Create the CSR file client.csr for the client certificate.

    openssl req -out client.csr -key client.key -new -config ./client_cert.conf

    Figure 5 Creating a client certificate CSR file
  6. Use the CA certificate to issue the client certificate client.crt.

    openssl x509 -req -in client.csr -out client.crt -sha256 -CAcreateserial -days 5000 -CA ../ca/ca.crt -CAkey ../ca/ca.key

    Figure 6 Issuing a client certificate
  7. Convert the client certificate to a .p12 file that can be identified by the browser.

    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

    A password is required during command execution. Save this password, which is required when the certificate is imported to the browser. The .p12 file contains the client private key, so transfer it over a protected channel and delete copies once it has been imported.

Configure the Server Certificate and Private Key

  1. Log in to the management console.
  2. In the navigation pane on the left, choose Certificates.
  3. On the displayed page, click Create Certificate. In the Create Certificate dialog box, select Server certificate, copy the content of server certificate server.crt to the Certificate Content area and the content of private key file server.key to the Private Key area, and click OK.

    Delete the last newline character to avoid an error when you copy the content.

    The content of the certificate and private key must be PEM-encoded (the text form beginning with -----BEGIN CERTIFICATE----- and -----BEGIN RSA PRIVATE KEY-----, as produced by the commands above).

Configure the CA Certificate

  1. Log in to the management console.
  2. In the navigation pane on the left, choose Certificates.
  3. Click Create Certificate. In the Create Certificate dialog box, select CA certificate, copy the content of CA certificate ca.crt created in Create a CA Certificate Using OpenSSL to the Certificate Content area, and click OK.

    Delete the last newline character to avoid an error when you copy the content.

    The certificate content must be PEM-encoded.

Configure Mutual Authentication

  1. Log in to the management console.
  2. Locate the target load balancer and click its name. Under Listeners, click Add Listener. Select HTTPS for Frontend Protocol, enable Mutual Authentication, and select the server certificate and CA certificate. Once mutual authentication is enabled, the listener completes the TLS handshake only with clients that present a certificate issued by that CA certificate.

Add Backend Servers

For detailed operations, see Add Backend Servers.

Import and Test the Client Certificate

Method 1: Using a Browser

  1. Import the client certificate using a browser (Internet Explorer 11 is used as an example).
    1. Copy client.p12 from the Linux server to the client computer.
    2. Open the browser, choose Settings > Internet Options and click Content.
    3. Click Certificates and then Import to import the client.p12 certificate.
      Figure 7 Importing the client.p12 certificate
  2. Verify the import.
    Enter the access address in the browser address box. A window is displayed asking you to select the certificate. Select the client certificate and click OK. If the website can be accessed, the certificate is successfully imported.
    Figure 8 Accessing the website

Method 2: Using cURL

  1. Import the client certificate.

    Copy client certificate client.crt and private key client.key to a new directory, for example, /home/client_cert.

  2. Verify the import.
    On the Shell screen, run the following command:
    curl -k --cert /home/client_cert/client.crt --key /home/client_cert/client.key https://XXX.XXX.XXX.XXX:XXX/ -I

    Ensure that the certificate path, private key path, IP address and listening port of the load balancer are correct. Replace https://XXX.XXX.XXX.XXX:XXX with the actual IP address and port number. If the expected response code is returned, the certificate is successfully imported.

    -k (--insecure) disables verification of the server certificate; this test tolerates it only because the listener is addressed by IP address rather than by the name in the server certificate. Once the listener is reachable under that name, drop -k and pass --cacert with the ca.crt file instead, so that both directions of the connection are verified. To confirm that mutual authentication is actually enforced, repeat the request without --cert and --key: it should fail with a TLS handshake error rather than return a response code.

    Figure 9 Example of a correct response code
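The certificate-issuing sections above and this test are illustrated by one added example; it is not code from the original page or from the load balancer service. It rebuilds the page's PKI with the openssl command line (SHA-256 signatures, an explicit CA:TRUE basic constraint on the CA, a subjectAltName on the server certificate and serverAuth/clientAuth extended key usages, which go beyond the page's minimal configuration files), then stands in for the listener with a loopback TLS server from Python's standard ssl module configured the way the listener is (server certificate, CA certificate, client certificate required). It produces the three outcomes a curl test can have: a client with a certificate from the CA is accepted, a client with no certificate is refused, and a client whose certificate was issued by a different CA is refused. The CA common name "ELB test CA", the client name client-1, the second "Rogue CA", the temporary directories and the validity periods are assumptions of this example.

```python
"""Added example (not from the page or the load balancer's own code): build the page's
PKI with the openssl CLI, then run the check the listener performs under "Mutual
Authentication", using Python's standard ssl module as a stand-in for the listener.
Assumed: CA common name "ELB test CA", client "client-1", a second "Rogue CA",
temporary directories and the validity periods."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

def sh(*args):
    """Run one openssl command; raise if it fails."""
    subprocess.run(args, check=True, capture_output=True)

def make_ca(d, cn):
    """Steps 4-6 of 'Create a CA Certificate', with -sha256 and an explicit CA:TRUE constraint."""
    os.makedirs(d, exist_ok=True)
    key, csr, crt, ext = (os.path.join(d, "ca." + e) for e in ("key", "csr", "crt", "ext"))
    sh("openssl", "genrsa", "-out", key, "2048")
    sh("openssl", "req", "-new", "-key", key, "-out", csr, "-subj", f"/O=ELB/CN={cn}")
    with open(ext, "w") as f:
        f.write("basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n")
    sh("openssl", "x509", "-req", "-in", csr, "-signkey", key, "-sha256",
       "-days", "3650", "-extfile", ext, "-out", crt)
    return key, crt

def issue(d, name, ca_key, ca_crt, eku, san=None):
    """Steps 4-6 of the server/client sections: a leaf certificate signed by the CA (eku is serverAuth or clientAuth)."""
    os.makedirs(d, exist_ok=True)
    key, csr, crt, ext = (os.path.join(d, f"{name}.{e}") for e in ("key", "csr", "crt", "ext"))
    sh("openssl", "genrsa", "-out", key, "2048")
    sh("openssl", "req", "-new", "-key", key, "-out", csr, "-subj", f"/O=ELB/CN={name}")
    with open(ext, "w") as f:
        f.write(f"basicConstraints=CA:FALSE\nextendedKeyUsage={eku}\n")
        if san:                      # browsers match the host name against SAN, not CN
            f.write(f"subjectAltName=DNS:{san}\n")
    sh("openssl", "x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
       "-CAcreateserial", "-sha256", "-days", "825", "-extfile", ext, "-out", crt)
    return key, crt

def try_connect(ca_crt, srv_key, srv_crt, cli_key=None, cli_crt=None):
    """One TLS exchange over loopback; returns the server's verdict: 'accepted <client CN>' or 'rejected: <reason>'."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.verify_mode = ssl.CERT_REQUIRED          # this is "Mutual Authentication" enabled
    srv.load_verify_locations(cafile=ca_crt)     # the listener's CA certificate
    srv.load_cert_chain(srv_crt, srv_key)        # the listener's server certificate
    cli = ssl.create_default_context(cafile=ca_crt)  # client trusts the private CA (curl --cacert)
    if cli_crt:
        cli.load_cert_chain(cli_crt, cli_key)    # what curl --cert/--key supply
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))                 # ephemeral port
    lsock.listen(1)
    lsock.settimeout(10)
    verdict = {}

    def serve():
        try:
            conn, _ = lsock.accept()
            conn.settimeout(10)
            with srv.wrap_socket(conn, server_side=True) as tls:   # handshake verifies the client cert
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                tls.sendall(b"HTTP/1.1 200 OK\r\n\r\n")
                verdict["r"] = f"accepted {subject['commonName']}"
        except OSError as e:                     # ssl.SSLError is an OSError; reason e.g. CERTIFICATE_VERIFY_FAILED
            verdict["r"] = f"rejected: {getattr(e, 'reason', None) or e}"

    t = threading.Thread(target=serve)
    t.start()
    try:
        with socket.create_connection(("127.0.0.1", lsock.getsockname()[1]), timeout=10) as raw, \
                cli.wrap_socket(raw, server_hostname="www.test.com") as tls:
            tls.sendall(b"HEAD / HTTP/1.1\r\nHost: www.test.com\r\n\r\n")   # like curl -I
            tls.recv(64)
    except OSError:
        pass                                     # the server side records why it refused us
    t.join()
    lsock.close()
    return verdict["r"]

def run_demo():
    """Build the PKI and try the three client situations a curl test can produce."""
    d = tempfile.mkdtemp(prefix="elb-mtls-")
    ca_key, ca_crt = make_ca(os.path.join(d, "ca"), "ELB test CA")
    srv_key, srv_crt = issue(os.path.join(d, "server"), "www.test.com", ca_key, ca_crt, "serverAuth", san="www.test.com")
    cli_key, cli_crt = issue(os.path.join(d, "client"), "client-1", ca_key, ca_crt, "clientAuth")
    rogue_key, rogue_crt = make_ca(os.path.join(d, "rogue"), "Rogue CA")   # assumed CA the listener does not trust
    bad_key, bad_crt = issue(os.path.join(d, "rogue"), "client-1", rogue_key, rogue_crt, "clientAuth")
    return {
        "client cert from the CA": try_connect(ca_crt, srv_key, srv_crt, cli_key, cli_crt),
        "no client cert": try_connect(ca_crt, srv_key, srv_crt),
        "client cert from another CA": try_connect(ca_crt, srv_key, srv_crt, bad_key, bad_crt),
    }

if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:30} -> {result}")
```

Run it with `python3 mtls_demo.py`. The verdict comes from the server side on purpose: with TLS 1.3 the client's own handshake call can return before the server has finished checking the client certificate, so a client-side "connected" is not proof that the certificate was accepted; the response (or the alert) that follows is. That is also why the curl test above checks for a response code rather than merely for a connection.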