Server Load Balancer:Configure mutual authentication on an HTTPS listener

Last Updated:Jun 09, 2023

If one-way authentication is configured, an HTTPS connection can be established after the server is authenticated. If mutual authentication is configured, an HTTPS connection can be established only after both the client and the server are authenticated. Mutual authentication provides higher security. You can configure mutual authentication to protect your business-critical services. This topic describes how to configure mutual authentication on an HTTPS listener of a CLB instance.

Procedure

In this example, a self-signed certificate authority (CA) certificate is used to sign the client certificate. Perform the following steps to configure mutual authentication on the HTTPS listener.

Configure mutual authentication on an HTTPS listener of a CLB instance

Prerequisites

  • OpenSSL 1.1.1 or later, downloaded from the OpenSSL official website, is installed.

  • Two Elastic Compute Service (ECS) instances that host different application services are created. In this example, the ECS instances are named ECS01 and ECS02. For more information, see Create an instance by using the wizard.

Step 1: Purchase a server certificate

You can purchase a server certificate in the Certificate Management Service console or from another service provider. A browser authenticates the identity of a server by checking whether the certificate sent by the server is issued by a trusted CA.

In this example, a server certificate is purchased from the Certificate Management Service console. For more information, see Purchase an SSL certificate.

Important

Make sure that you have a valid domain name to associate with the certificate.

Step 2: Generate a CA certificate by using OpenSSL

  1. Log on to a Linux machine on which OpenSSL is installed. Open the CLI and run the following commands to create a ca folder in the /home directory and create four subfolders in the ca folder. The later steps and the openssl.conf file assume the /home/ca path:

    cd /home
    sudo mkdir ca
    cd ca
    sudo mkdir newcerts private conf server

    The four subfolders are named newcerts, private, conf, and server.

    • The newcerts subfolder is used to store the digital certificate signed by the CA certificate.

    • The private subfolder is used to store the private key of the CA certificate.

    • The conf subfolder is used to store the OpenSSL configuration file that supplies the parameters for the openssl ca command, so that they do not have to be passed on the command line.

    • The server subfolder is used to store the server certificate.

  2. In the conf directory, create an openssl.conf file that contains the following content:

    [ ca ]
    default_ca = foo
    [ foo ]
    dir = /home/ca
    database = /home/ca/index.txt
    new_certs_dir = /home/ca/newcerts
    certificate = /home/ca/private/ca.crt
    serial = /home/ca/serial
    private_key = /home/ca/private/ca.key
    RANDFILE = /home/ca/private/.rand
    default_days = 365
    default_crl_days= 30
    # sha256 instead of md5: MD5-signed certificates are rejected by modern TLS clients
    default_md = sha256
    unique_subject = no
    policy = policy_any
    [ policy_any ]
    countryName = match
    stateOrProvinceName = match
    organizationName = match
    organizationalUnitName = match
    localityName = optional
    commonName = supplied
    emailAddress = optional
  3. Run the following commands to generate a private key:

    cd /home/ca
    sudo openssl genrsa -out private/ca.key

    The following figure shows the result.

  4. Run the following command and enter the required information as prompted to generate a csr file:

      sudo openssl req -new -key private/ca.key -out private/ca.csr

    The following figure shows the result. Common Name: You must enter the domain name of your Classic Load Balancer (CLB).
  5. Run the following command to generate a crt file.

      sudo openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
  6. Run the following command to set the initial serial number that the CA assigns to the certificates it issues.

    The serial number is a hexadecimal value; in this example it is four characters long. You can replace FACE with a custom value. Because the shell, not sudo, performs the redirection, tee is used so that the file is written with root privileges in the root-owned ca folder.

      echo FACE | sudo tee serial
  7. Run the following command to create the CA certificate database, the index.txt file in which openssl ca records the certificates it issues:

      sudo touch index.txt

Step 3: Generate a client certificate

  1. Remotely log on to ECS01. For more information, see Guidelines on ECS instance connection.

  2. Run the following command to create a users folder in the ca folder to store the client key:

      sudo mkdir users
  3. Perform the following steps to create a client key:

    1. Run the following command:

        # 2048-bit key; 1024-bit RSA is deprecated and not accepted by many TLS stacks
        sudo openssl genrsa -des3 -out /home/ca/users/client.key 2048
    2. Enter the passphrase as prompted.

      The passphrase is used to prevent unauthorized access in case of key leaks. Enter the same passphrase twice.

  4. Run the following command to create a csr file for the client key:

    sudo openssl req -new -key /home/ca/users/client.key -out /home/ca/users/client.csr

    Enter the passphrase that you set in Substep 2 of Step 3, and then enter the other required information as prompted. Because the policy_any section of openssl.conf sets countryName, stateOrProvinceName, organizationName, and organizationalUnitName to match, these four fields must be identical to those of the CA certificate; otherwise, the signing command in the next step rejects the request.

    Note

    In this example, the passphrase for the client certificate is the value that you enter at the A challenge password prompt, and the passphrase for client.key is test. The password for the client certificate can be the same as that of the root certificate or server certificate.

    The following figure shows the result.

  5. Run the following command to sign the client CSR with the CA key that you generated in Step 2: Generate a CA certificate by using OpenSSL.

    sudo openssl ca -in /home/ca/users/client.csr -cert /home/ca/private/ca.crt -keyfile /home/ca/private/ca.key -out /home/ca/users/client.crt -config "/home/ca/conf/openssl.conf"

    Enter y when you are prompted to sign the certificate, and y again when you are prompted to commit the new entry to the CA database.

    The following figure shows the result.

  6. To convert the certificate into a PKCS12 file that can be imported into most browsers, perform the following steps:

    1. Run the following command:

      sudo openssl pkcs12 -export -clcerts -in /home/ca/users/client.crt -inkey /home/ca/users/client.key -out /home/ca/users/client.p12
    2. Enter the passphrase of the client key as prompted and press Enter.

    3. Enter the password that is used to export the client certificate. This password is used to protect the client certificate and is required when the client certificate is installed.

      The following figure shows the result.

  7. Run the following commands to view the client certificate:

    cd users
     ls

    The following figure shows the result.
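Steps 2 and 3 carried out non-interactively, as an added example that is not part of the original page: the script recreates the CA layout and openssl.conf from Step 2 in a scratch directory instead of /home/ca, issues a client certificate as in Step 3, and then checks the certificate the way the listener will, by verifying that it chains to ca.crt (and that it is not MD5-signed). The subject values, the scratch directory, and the function names are assumptions; OpenSSL 1.1.1 or later is assumed to be on the PATH.

```shell
# Added example, not from the original page: Step 2 and Step 3 without prompts, in a scratch
# directory instead of /home/ca, followed by the chain check the CLB listener performs.
CA_DIR="${CA_DIR:-$(mktemp -d)}"
# Fields that policy_any marks "match" must be identical on the CA and on every client (assumed values).
CA_DN="/C=CN/ST=Zhejiang/O=Example Ltd/OU=IT"

make_ca() {
  mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private" "$CA_DIR/conf" "$CA_DIR/users"
  chmod 700 "$CA_DIR/private"
  # Same layout as the page's openssl.conf, with sha256 instead of md5 (MD5 signatures are rejected by modern clients).
  cat > "$CA_DIR/conf/openssl.conf" <<EOF
[ ca ]
default_ca = foo
[ foo ]
dir = $CA_DIR
database = $CA_DIR/index.txt
new_certs_dir = $CA_DIR/newcerts
certificate = $CA_DIR/private/ca.crt
serial = $CA_DIR/serial
private_key = $CA_DIR/private/ca.key
default_days = 365
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
EOF
  echo FACE > "$CA_DIR/serial"; : > "$CA_DIR/index.txt"   # first serial and empty database, as in Step 2
  openssl genrsa -out "$CA_DIR/private/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key "$CA_DIR/private/ca.key" \
    -subj "$CA_DN/CN=Example Client CA" -out "$CA_DIR/private/ca.crt"
}

issue_client_cert() {
  openssl genrsa -out "$CA_DIR/users/client.key" 2048 2>/dev/null
  openssl req -new -key "$CA_DIR/users/client.key" \
    -subj "$CA_DN/CN=client01" -out "$CA_DIR/users/client.csr"
  openssl ca -batch -notext -config "$CA_DIR/conf/openssl.conf" \
    -in "$CA_DIR/users/client.csr" -out "$CA_DIR/users/client.crt" 2>/dev/null
}

# Returns 0 only if client.crt chains to ca.crt and carries a SHA-256 signature.
verify_client_cert() {
  openssl verify -CAfile "$CA_DIR/private/ca.crt" "$CA_DIR/users/client.crt" >/dev/null &&
    openssl x509 -in "$CA_DIR/users/client.crt" -noout -text | grep -q sha256WithRSAEncryption
}
```

A client CSR whose C, ST, O, or OU differ from CA_DN makes openssl ca fail, which is the policy "match" behaviour described in Step 3.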

Step 4: Install the client certificate

Install the client certificate on the client.

Windows client

  1. Open the CLI and run the following command to copy the client certificate generated in Step 3: Generate a client certificate. Replace IPaddress with the IP address of the server on which the client certificate is generated.

    scp home@IPaddress:/home/ca/users/client.p12 ./
  2. Import the client certificate to the Internet Explorer browser.

    1. Open the Internet Explorer browser and choose Settings > Internet Options.

    2. Click the Content tab, and then click Certificates to import the client certificate. When you import the certificate, you must enter the password that is used to generate the PKCS12 file in Step 3: Generate a client certificate.

Linux client

After you use ECS01 to generate a client certificate, the client certificate is automatically installed on ECS01. To install the client certificate for other Linux clients, perform the following steps:

  1. Log on to a Linux client. Perform the following steps to copy the client certificate, the client key, and the root certificate to a folder:

    1. Create a folder.

      sudo mkdir /home/ca
    2. Modify permissions on the folder.

      sudo chmod 700 /home/ca
    3. Run the following commands to copy the certificates and the client key to the folder. In the first two commands, replace IPaddress with the IP address of the server on which the client certificate is generated; in the third command, replace it with the IP address of the server on which the root certificate is generated. The files are read from the paths in which Step 2 and Step 3 created them. The client key is needed by the curl test in Step 7; the CA private key (ca.key) is not needed on a client and should stay on the CA machine.

      sudo scp home@IPaddress:/home/ca/users/client.crt /home/ca
      sudo scp home@IPaddress:/home/ca/users/client.key /home/ca
      sudo scp home@IPaddress:/home/ca/private/ca.crt /home/ca

Step 5: Upload the server certificate and the CA certificate

  1. Log on to the CLB console.

  2. In the left-side navigation pane, choose CLB (FKA SLB) > Certificates. On the Certificates page, click Create Certificate to upload the server certificate.

  3. In the Create Certificate panel, select Third-party Certificates, set the parameters of the certificate and then click Create.

    • Certificate Name: Enter a name for the certificate. The name must be 1 to 80 characters in length, and can contain only letters, digits, hyphens (-), forward slashes (/), periods (.), underscores (_), and asterisks (*).

    • Organization: Select the organization to which the certificate belongs.

    • Resource Set: Select the resource set to which the certificate belongs.

    • Certificate Type: In this example, Server Certificate is selected.

    • Public Key Certificate: The content of the server certificate. Paste the content to the editor. Click Example to view the valid certificate formats. For more information, see Certificate requirements.

    • Private Key: The private key of the server certificate. Paste the private key to the editor. Click Example to view the valid certificate formats. For more information, see Certificate requirements.

      Important

      A private key is required only when you upload a server certificate.

    • Region: China (Hangzhou) is selected in this example.

  4. On the Certificates page, click Create Certificate to upload the CA certificate.

  5. In the Create Certificate panel, click Third-party Certificates, set the following parameters, and then click Create.

    • Certificate Name: Enter a name for the certificate. The name must be 1 to 80 characters in length, and can contain only letters, digits, hyphens (-), forward slashes (/), periods (.), underscores (_), and asterisks (*).

    • Organization: Select the organization to which the certificate belongs.

    • Resource Set: Select the resource set to which the certificate belongs.

    • Certificate Type: In this example, CA Certificate is selected.

    • Client CA Certificate: Paste the content of the CA certificate (ca.crt generated in Step 2) that signed the client certificate. The listener uses this certificate to verify the certificates that clients present. Click Example to view the valid certificate formats. For more information, see Certificate requirements.

    • Region: China (Hangzhou) is selected in this example.

Step 6: Configure mutual authentication on an HTTPS listener

  1. Log on to the CLB console.

  2. On the Instances page, click Create CLB.

  3. Set the parameters of the CLB instance, click Buy Now, and then complete the payment.

    Set the instance type to Internet and region to China (Hangzhou). For more information, see Create and manage CLB instances.

  4. Go back to the Instances page and select the China (Hangzhou) region.

  5. Click the ID of the CLB instance that you created, or click Configure Listener in the Actions column.

  6. On the Listener tab, click Add Listener.

  7. On the Protocol and Listener wizard page, set the parameters of the listener and click Next.

    • Select Listener Protocol: HTTPS

    • Listening Port: 443

    • Scheduling Algorithm: Round Robin (RR)

  8. On the SSL Certificates wizard page, select the uploaded server certificate.

  9. Click Modify next to Advanced, enable mutual authentication, select the uploaded CA certificate, and then click Next.

  10. Select Default Server Group and click Add More to add ECS instances. Set the backend port to 443.

  11. Use the default values for other parameters and click Next. On the Confirm wizard page, click Submit.

Step 7: Test the mutual authentication feature

Use one of the following methods to test the mutual authentication feature.

Windows client

  1. On the Instances page, view the health check status.

    If Normal is displayed, the backend servers can receive requests from listeners.

  2. Enter the IP address of the CLB instance into the address bar of the browser and verify the certificate in the message that appears.

  3. Refresh the web page. You can find that the requests are evenly distributed to the backend servers.


Linux client

Log on to the Linux client on which the root certificate and the client certificate are installed, and run the following command to verify the mutual authentication feature:

sudo curl --cert /home/ca/client.crt --key /home/ca/client.key --cacert /home/ca/ca.crt https://<Domain name associated with the server certificate>

The https:// scheme is required; without it, curl sends a plain HTTP request and no certificate is exchanged. curl prompts you for the passphrase of client.key.

If the backend server returns a response, the client and the server have completed mutual authentication and requests are distributed to the ECS instances.