If one-way authentication is configured, an HTTPS connection can be established after the server is authenticated. If mutual authentication is configured, an HTTPS connection can be established only after both the client and the server are authenticated. Mutual authentication provides higher security. You can configure mutual authentication to protect your business-critical services. This topic describes how to configure mutual authentication on an HTTPS listener of a CLB instance.
Procedure
In this example, a self-signed certificate authority (CA) certificate is used to sign the client certificate. Perform the following steps to configure mutual authentication on the HTTPS listener.
Prerequisites
OpenSSL 1.1.1 or a later version that you download from the OpenSSL official website is installed.
Two Elastic Compute Service (ECS) instances that host different application services are created. In this example, the ECS instances are named ECS01 and ECS02. For more information, see Create an instance by using the wizard.
Step 1: Purchase a server certificate
You can purchase a server certificate in the Certificate Management Service console or from another service provider. A browser authenticates the identity of a server by checking whether the certificate sent by the server is issued by a trusted CA.
In this example, a server certificate is purchased from the Certificate Management Service console. For more information, see Purchase an SSL certificate.
Make sure that you have a valid domain name to associate with the certificate.
Step 2: Generate a CA certificate by using OpenSSL
Log on to a Linux machine on which OpenSSL is installed. Open the CLI and run the following commands to create a ca folder in the /home directory and four subfolders in the ca folder:
cd /home
sudo mkdir ca
cd ca
sudo mkdir newcerts private conf server
The four subfolders are named newcerts, private, conf, and server.
The newcerts subfolder is used to store the digital certificate signed by the CA certificate.
The private subfolder is used to store the private key of the CA certificate.
The conf subfolder is used to store the openssl.conf configuration file that supplies the parameters for the openssl ca command.
The server subfolder is used to store the server certificate.
Create a file named openssl.conf in the conf directory with the following content. Use sha256 for default_md: MD5 is no longer acceptable for certificate signatures, and modern TLS stacks reject MD5-signed certificates. The policy_any section requires the countryName, stateOrProvinceName, organizationName and organizationalUnitName fields of every CSR to match the CA certificate exactly; openssl ca refuses to sign a request whose fields differ.
[ ca ]
default_ca = foo
[ foo ]
dir = /home/ca
database = /home/ca/index.txt
new_certs_dir = /home/ca/newcerts
certificate = /home/ca/private/ca.crt
serial = /home/ca/serial
private_key = /home/ca/private/ca.key
RANDFILE = /home/ca/private/.rand
default_days = 365
default_crl_days = 30
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
Run the following commands to generate a 2048-bit RSA private key for the CA:
cd /home/ca
sudo openssl genrsa -out private/ca.key 2048
The following figure shows the result.
Run the following command and enter the required information as prompted to generate a csr file:
sudo openssl req -new -key private/ca.key -out private/ca.csr
The following figure shows the result. For Common Name, enter the domain name of your Classic Load Balancer (CLB). The Country, State, Organization and Organizational Unit values that you enter here are compared with the client CSR by the policy_any section of openssl.conf, so note them down and enter the same values in Step 3.
Run the following command to generate a crt file:
sudo openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
Before you use this certificate to sign client certificates, confirm that it is marked as a CA (basicConstraints CA:TRUE). OpenSSL 1.1.1 accepts a certificate that carries no extensions at all as a CA, but newer OpenSSL releases emit v3 certificates by default, and a v3 certificate without CA:TRUE may be rejected as an issuer when the client certificate chain is verified.
Run the following command to set the initial serial number that the CA assigns to the certificates it signs.
The serial number is written as hexadecimal digits and must contain an even number of them. You can replace FACE with a custom value. Note that sudo applies only to echo, not to the output redirection, so write the file with tee:
echo FACE | sudo tee serial
Run the following command to create the empty certificate database (index file) that openssl ca updates with every certificate it signs:
sudo touch index.txt
Step 3: Generate a client certificate
Remotely log on to ECS01. For more information, see Guidelines on ECS instance connection.
Run the following command to create a users folder in the ca folder to store the client key:
sudo mkdir users
Perform the following steps to create a client key:
Run the following command:
sudo openssl genrsa -aes256 -out /home/ca/users/client.key 2048
Enter the passphrase as prompted.
The passphrase encrypts the private key so that a leaked key file cannot be used without it. Enter the same passphrase twice. Use a key of at least 2048 bits; 1024-bit RSA keys are no longer considered secure.
Run the following command to create a csr file for the client key:
sudo openssl req -new -key /home/ca/users/client.key -out /home/ca/users/client.csr
Enter the passphrase from Substep 2 of Step 3 and the other required information as prompted. The Country, State, Organization and Organizational Unit values must be identical to those of the CA certificate, because openssl.conf requires them to match.
Note: In this example, the passphrase for client.key is test. The challenge password, if you are prompted for one, is an optional CSR attribute that openssl ca does not use. The passphrase for the client key can be the same as that of the root certificate or server certificate.
The following figure shows the result.
Run the following command to sign the client CSR with the CA key and certificate generated in Step 2: Generate a CA certificate by using OpenSSL.
sudo openssl ca -in /home/ca/users/client.csr -cert /home/ca/private/ca.crt -keyfile /home/ca/private/ca.key -out /home/ca/users/client.crt -config "/home/ca/conf/openssl.conf"
Enter y at the two prompts: the first signs the certificate, the second commits it to the database in index.txt. If the command reports that a field is different between the CA certificate and the request, the C, ST, O or OU value in the CSR does not match the CA certificate; regenerate the CSR with matching values.
The following figure shows the result.
To bundle the certificate and its private key into a PKCS#12 (.p12) file that browsers and operating systems can import, perform the following steps:
Run the following command:
sudo openssl pkcs12 -export -clcerts -in /home/ca/users/client.crt -inkey /home/ca/users/client.key -out /home/ca/users/client.p12
Enter the passphrase of the client key as prompted and press Enter.
Enter the password that is used to export the client certificate. This password protects the PKCS#12 file and is required when the client certificate is installed. If the file is created with OpenSSL 3.x and an older Windows version refuses to import it, run the command again with the -legacy option, which falls back to the older PKCS#12 encryption algorithms that such systems expect.
The following figure shows the result.
Run the following commands to view the client certificate:
cd users
ls
The following figure shows the result.
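The following script is an added example and not part of the original page: it carries out Steps 2 and 3 end to end under a temporary directory, so it needs no sudo and does not touch /home/ca. It writes openssl.conf with sha256 instead of md5, creates a CA certificate that explicitly carries basicConstraints CA:TRUE, signs a client certificate with openssl ca, exports the PKCS#12 bundle, and then runs the checks worth doing before anything is uploaded to the console. The subject values, file names and passwords (test, exportpw) are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original page: Steps 2 and 3 as one script that runs
# without sudo by building the /home/ca layout under a temp dir. It writes openssl.conf
# with sha256 instead of md5, creates a CA certificate marked CA:TRUE, signs a client
# certificate with `openssl ca`, exports it as PKCS#12 and checks the result.
# Subject values, names and passwords are made up for this example.
set -e

# policy_any says "match" for C, ST, O and OU: the client CSR must carry exactly the
# values of the CA certificate, otherwise `openssl ca` refuses to sign it.
CA_SUBJECT="/C=CN/ST=Zhejiang/L=Hangzhou/O=Example Ltd/OU=Platform/CN=Example Client CA"
CLIENT_SUBJECT="/C=CN/ST=Zhejiang/L=Hangzhou/O=Example Ltd/OU=Platform/CN=client01"

# Step 2: layout, config, CA key, self-signed CA certificate, serial and index.
build_ca() {
  d=$1
  mkdir -p "$d/newcerts" "$d/private" "$d/conf" "$d/server" "$d/users"
  chmod 700 "$d/private" "$d/users"
  cat > "$d/conf/openssl.conf" <<EOF
[ ca ]
default_ca = foo
[ foo ]
dir = $d
database = $d/index.txt
new_certs_dir = $d/newcerts
certificate = $d/private/ca.crt
serial = $d/serial
private_key = $d/private/ca.key
default_days = 365
default_md = sha256
unique_subject = no
policy = policy_any
x509_extensions = client_ext
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$d/private/ca.key" 2048 2>/dev/null
  # req -x509 with an explicit extension section, instead of x509 -req -signkey, so the
  # CA certificate is marked CA:TRUE and every verifier accepts it as an issuer.
  openssl req -new -x509 -sha256 -days 365 -batch -config "$d/conf/openssl.conf" \
    -extensions ca_ext -key "$d/private/ca.key" -subj "$CA_SUBJECT" -out "$d/private/ca.crt"
  printf 'FACE\n' > "$d/serial"   # next serial number: hex, even number of digits
  : > "$d/index.txt"              # empty certificate database
}

# Step 3: passphrase-protected 2048-bit client key, CSR, CA-signed certificate, .p12 bundle.
issue_client_cert() {
  d=$1; name=$2; key_pass=$3; p12_pass=$4
  openssl genrsa -aes256 -passout "pass:$key_pass" -out "$d/users/$name.key" 2048 2>/dev/null
  openssl req -new -batch -config "$d/conf/openssl.conf" -key "$d/users/$name.key" \
    -passin "pass:$key_pass" -subj "$CLIENT_SUBJECT" -out "$d/users/$name.csr"
  # -batch answers the two y prompts; CA cert, key and policy come from the config.
  openssl ca -batch -notext -config "$d/conf/openssl.conf" -in "$d/users/$name.csr" \
    -out "$d/users/$name.crt" 2>/dev/null
  openssl pkcs12 -export -in "$d/users/$name.crt" -inkey "$d/users/$name.key" \
    -passin "pass:$key_pass" -certfile "$d/private/ca.crt" -passout "pass:$p12_pass" \
    -out "$d/users/$name.p12"
}

# Checks worth running before anything is uploaded to the console.
ca_cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
client_cert_verifies() {   # chains to ca.crt and is usable for TLS client authentication
  openssl verify -CAfile "$1/private/ca.crt" -purpose sslclient "$1/users/$2.crt" >/dev/null
}
p12_opens() { openssl pkcs12 -in "$1/users/$2.p12" -passin "pass:$3" -nokeys >/dev/null 2>&1; }

if command -v openssl >/dev/null 2>&1; then
  CA_DIR=$(mktemp -d)/ca
  build_ca "$CA_DIR"
  issue_client_cert "$CA_DIR" client test exportpw
  ca_cert_is_ca "$CA_DIR/private/ca.crt" && echo "ca.crt is marked CA:TRUE"
  client_cert_verifies "$CA_DIR" client && echo "client.crt verifies against ca.crt"
  ls "$CA_DIR/users"
fi
```

The client_ext section limits the issued certificates to TLS client authentication (extendedKeyUsage clientAuth, CA:FALSE), and -notext keeps the PEM output free of the textual dump that openssl ca otherwise prepends, which is what the console expects when the certificate content is pasted.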
Step 4: Install the client certificate
Install the client certificate on the client.
Windows client
Open the CLI and run the following command to copy the client certificate generated in Step 3: Generate a client certificate. Replace IPaddress with the IP address of ECS01, the server on which the client certificate was generated, and home with a user account that can read the file.
scp home@IPaddress:/home/ca/users/client.p12 ./
Import the client certificate to the Internet Explorer browser.
Open the Internet Explorer browser, click Settings, and then click Internet Options.
Click the Content tab, and then click Certificates to import the client certificate. When you import the certificate, enter the export password that you set when you generated the PKCS12 file in Step 3: Generate a client certificate.
Linux client
The client certificate and key generated in Step 3 are already present on ECS01 and can be used there directly. To install them on another Linux client, perform the following steps:
Log on to the Linux client and copy the client certificate, the client key and the CA certificate to a local folder:
Create a folder.
sudo mkdir /home/ca
Modify permissions on the folder.
sudo chmod 700 /home/ca
Run the following commands to copy the certificates and the client key to the folder. Replace IPaddress with the IP address of ECS01, on which the certificates were generated. Copy only the client certificate, the client key and the CA certificate. The CA private key (ca.key) must stay on the CA machine and must never be distributed to clients: anyone who holds it can issue client certificates that the listener accepts.
sudo scp home@IPaddress:/home/ca/users/client.crt /home/ca
sudo scp home@IPaddress:/home/ca/users/client.key /home/ca
sudo scp home@IPaddress:/home/ca/private/ca.crt /home/ca
Step 5: Upload the server certificate and the CA certificate
Log on to the CLB console.
In the left-side navigation pane, open the Certificates page. On the Certificates page, click Create Certificate to upload the server certificate.
In the Create Certificate panel, select Third-party Certificates, set the parameters of the certificate and then click Create.
Parameter
Description
Certificate Name
Enter a name for the certificate.
The name must be 1 to 80 characters in length, and can contain only letters, digits, hyphens (-), forward slashes (/), periods (.), underscores (_), and asterisks (*).
Organization
Select the organization to which the certificate belongs.
Resource Set
Select the resource set to which the certificate belongs.
Certificate Type
In this example, Server Certificate is selected.
Public Key Certificate
The content of the server certificate. Paste the content to the editor.
Click Example to view the valid certificate formats. For more information, see Certificate requirements.
Private Key
The private key of the server certificate. Paste the private key to the editor.
Click Example to view the valid certificate formats. For more information, see Certificate requirements.
Important: A private key is required only when you upload a server certificate.
Region
China (Hangzhou) is selected in this example.
On the Certificates page, click Create Certificate to upload the CA certificate.
In the Create Certificate panel, click Third-party Certificates, set the following parameters, and then click Create.
Parameter
Description
Certificate Name
Enter a name for the certificate.
The name must be 1 to 80 characters in length, and can contain only letters, digits, hyphens (-), forward slashes (/), periods (.), underscores (_), and asterisks (*).
Organization
Select the organization to which the certificate belongs.
Resource Set
Select the resource set to which the certificate belongs.
Certificate Type
In this example, CA Certificate is selected.
Client CA Certificate
Paste the content of the CA certificate (the ca.crt file generated in Step 2) that signed the client certificates. The listener uses it to verify the client certificates presented during the TLS handshake.
Click Example to view the valid certificate formats. For more information, see Certificate requirements.
Region
China (Hangzhou) is selected in this example.
Step 6: Configure mutual authentication on an HTTPS listener
Log on to the CLB console.
On the Instances page, click Create CLB.
Set the parameters of the CLB instance, click Buy Now, and then complete the payment.
Set the instance type to Internet and region to China (Hangzhou). For more information, see Create and manage CLB instances.
Go back to the Instances page and select the China (Hangzhou) region.
Click the ID of the CLB instance that you created, or click Configure Listener in the Actions column.
On the Listener tab, click Add Listener.
On the Protocol and Listener wizard page, set the parameters of the listener and click Next.
Select Listener Protocol: HTTPS
Listening Port: 443
Scheduling Algorithm: Round Robin (RR)
On the SSL Certificates wizard page, select the uploaded server certificate.
Click Modify next to Advanced, enable mutual authentication, select the uploaded CA certificate, and then click Next.
Select Default Server Group and click Add More to add ECS instances. Set the backend port to 443.
Use the default values for other parameters and click Next. On the Confirm wizard page, click Submit.
Step 7: Test the mutual authentication feature
Use one of the following methods to test the mutual authentication feature.
Windows client
On the Instances page, view the health check status.
If Normal is displayed, the backend servers can receive requests from listeners.
Enter the IP address of the CLB instance into the address bar of the browser. When the browser prompts you to select a client certificate, select the certificate that you imported and confirm.
Refresh the web page. You can find that the requests are evenly distributed to the backend servers.
Linux client
Log on to the Linux client on which the client certificate and key are installed, and run the following command to verify the mutual authentication feature. The --pass option supplies the passphrase of client.key (test in this example). Do not pass ca.crt with --cacert: it is the CA for the client certificates only, and --cacert would replace the system trust store that curl needs to verify the purchased server certificate, so curl would reject the server.
curl --cert /home/ca/client.crt --key /home/ca/client.key --pass test https://<Domain name associated with the server certificate>
If the response of the backend server is returned, the client and the server have completed mutual authentication and requests are distributed to the ECS instances. Run the same command again without the --cert, --key and --pass options: the TLS handshake must fail, which confirms that the listener rejects clients that do not present a certificate signed by the uploaded CA.
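The following script is an added example, not part of the original page, and it does not talk to a CLB instance at all: openssl s_server stands in for the HTTPS listener with mutual authentication enabled and openssl s_client stands in for the client, so the accept/reject behaviour that Step 7 checks against the real listener can be reproduced on any machine with OpenSSL. It builds a throwaway CA, server certificate and client certificate in a temporary directory (all subject names, the port and the file names are made up for this example) and then shows that the listener rejects a client that presents no certificate and accepts one whose certificate is signed by the trusted CA.

```shell
#!/bin/sh
# Added example, not from the original page: a local stand-in for the Step 7 test.
# openssl s_server plays the HTTPS listener with mutual authentication, openssl
# s_client plays the client. A throwaway CA, server cert and client cert are made
# in a temp dir; all names are invented for this example.
set -e

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
write_demo_conf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# CA, server and client certificates under $1. Keys are left unencrypted (-nodes)
# because this PKI is discarded after the test.
make_demo_pki() {
  d=$1; cnf=$d/demo.cnf
  mkdir -p "$d" && write_demo_conf "$cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 -batch -config "$cnf" \
    -extensions v3_ca -subj "/CN=demo mTLS CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  for role in server client; do
    openssl req -new -newkey rsa:2048 -nodes -batch -config "$cnf" -subj "/CN=demo-$role" \
      -keyout "$d/$role.key" -out "$d/$role.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$d/$role.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -extfile "$cnf" -extensions "v3_$role" -out "$d/$role.crt" 2>/dev/null
  done
}

# Start the stand-in listener on 127.0.0.1:$2. -Verify 1 requests a client certificate
# and fails the handshake if none is presented; -CAfile is the trusted client CA.
start_server() {
  openssl s_server -accept "$2" -www -cert "$1/server.crt" -key "$1/server.key" \
    -CAfile "$1/ca.crt" -Verify 1 </dev/null >/dev/null 2>&1 &
  SERVER_PID=$!
  i=0   # wait until the port accepts TCP connections
  until openssl s_client -connect "127.0.0.1:$2" </dev/null 2>&1 | grep -q CONNECTED; do
    i=$((i + 1)); [ "$i" -lt 15 ] || return 1; sleep 1
  done
}

# 0 if the handshake completes and the connection is closed cleanly, non-zero otherwise.
# stdin is held open for 2 s so s_client is still reading when the server's alert
# arrives: with TLS 1.3 the "certificate required" alert is sent only after the
# client's Finished message, i.e. after s_client already reports the handshake as done.
try_connect() {
  d=$1; port=$2; shift 2
  sleep 2 | openssl s_client -connect "127.0.0.1:$port" -CAfile "$d/ca.crt" \
    -verify_return_error "$@" >/dev/null 2>&1
}

# Returns 0 only if the listener accepts the certificate holder and rejects everyone else.
mtls_check() {
  d=$1; port=$2
  make_demo_pki "$d"
  start_server "$d" "$port" || { kill "$SERVER_PID" 2>/dev/null || true; return 1; }
  if try_connect "$d" "$port" -cert "$d/client.crt" -key "$d/client.key"; then with_cert=accepted; else with_cert=rejected; fi
  if try_connect "$d" "$port"; then no_cert=accepted; else no_cert=rejected; fi
  kill "$SERVER_PID" 2>/dev/null || true
  echo "with client certificate: $with_cert; without: $no_cert"
  [ "$with_cert" = accepted ] && [ "$no_cert" = rejected ]
}

if command -v openssl >/dev/null 2>&1; then
  mtls_check "$(mktemp -d)" $((20000 + $$ % 20000))
fi
```

The TLS 1.3 detail in try_connect matters for the curl test as well: against a TLS 1.3 listener a client without a certificate sees the handshake succeed and the connection then fail with an alert, so an error raised after the connection is established, not a refused handshake, is the expected sign that the listener enforces client authentication.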