
Container Service for Kubernetes: Improve service security with HTTPS mutual authentication

Last Updated: Mar 26, 2026

HTTPS mutual authentication (mutual TLS, or mTLS) requires both the server and the client to verify each other's identity before establishing a secure channel. Unlike one-way HTTPS, where only the client verifies the server, mTLS also requires the client to present a valid SSL or TLS certificate signed by a trusted certificate authority (CA). This makes mTLS suitable for finance, IoT, enterprise internal services, and public services — scenarios where you need to restrict access to known, trusted clients and prevent man-in-the-middle attacks.

How it works

                       | HTTPS one-way authentication | HTTPS mutual authentication
Client verifies server | Yes                          | Yes
Server verifies client | No                           | Yes
Client holds           | None                         | SSL or TLS certificate signed by root CA
Server holds           | Server certificate           | Root CA certificate

In mutual authentication, the server holds a root CA certificate. The client holds an SSL or TLS certificate signed by that root CA. Both sides verify each other before the connection is established.

Prerequisites

Before you begin, ensure that you have:

(Optional) Step 1: Generate a self-signed CA certificate

Skip this step if you already have a root CA certificate.

  1. Generate a private key:

    openssl genrsa -out ca.key 4096
  2. Create a certificate signing request (CSR):

    openssl req -new -out ca.csr -key ca.key

    OpenSSL prompts you to fill in the following fields:

    Field                    | Required | Description
    Country Name             | Yes      | Two-letter country code, for example, cn
    State or Province Name   | Yes      | Province or autonomous region name
    Locality Name            | Yes      | City name
    Organization Name        | Yes      | Company or organization name
    Organizational Unit Name | Yes      | Department name
    Common Name              | No       | A commonly used name
    Email Address            | No       | Email address of the certificate administrator
    A challenge password     | No       | Optional CSR security password. Leave blank if not needed

    For example:

    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:bj
    Locality Name (eg, city) [Default City]:bj
    Organization Name (eg, company) [Default Company Ltd]:alibaba
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, your name or your servers hostname) []:root
    Email Address []:example@ali
    A challenge password []:
  3. Create the root CA certificate with a validity of 3,650 days:

    openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key -CAcreateserial -days 3650

    This produces the following files:

    File   | Description
    ca.crt | Root CA certificate
    ca.csr | CSR file
    ca.key | Private key

    Run ls to confirm the output files:

    ca.crt  ca.csr  ca.key

Step 2: Upload the CA certificate

Upload the root CA certificate to Certificate Management Service to get a certificate identifier for use in the AlbConfig.

  1. Log on to the Certificate Management Service console. In the top navigation bar, select Outside Chinese Mainland from the region drop-down list. In the left navigation pane, click Certificate Application Repository.

  2. On the Certificate Application Repository page, click Create Repository. In the Create Repository panel, set the following parameters and click OK.

    Parameter       | Description
    Repository Name | A custom name for the repository
    Data Source     | Select Upload CA Certificates to upload certificates signed by third-party CAs
  3. Click the repository you created. On the repository page, click Uploaded Certificates.

  4. In the CA Information panel, fill in the following fields and click Confirm and Enable.

    Parameter       | Description
    Package Name    | A custom name for the certificate
    CA Certificates | Paste the certificate content, or click Upload and Parse File to upload a certificate file
  5. Click Details on the right side of the uploaded certificate row and record the certificate identifier. You will need it in Step 4.

Step 3: Generate a client certificate

Use the root CA certificate to sign a client certificate.

  1. Generate a private key for the client:

    openssl genrsa -out client.key 4096
  2. Create a CSR for the client certificate:

    openssl req -new -out client.csr -key client.key

    Fill in the same fields as in Step 1. The values can differ from those in the CA certificate.

  3. Sign the client certificate using the root CA:

    openssl x509 -req -in client.csr -out client.crt -signkey client.key -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650

    ca.crt and ca.key are the root CA certificate and private key generated in Step 1. This produces the following files:

    File       | Description
    client.crt | Client certificate signed by the root CA
    client.csr | CSR file
    client.key | Client private key

    Run ls to confirm the output files:

    client.crt  client.csr  client.key

Step 4: Enable and test mutual authentication

Enable mutual authentication

  1. Open the AlbConfig for editing:

    kubectl edit albconfig <ALBCONFIG_NAME>

    Replace <ALBCONFIG_NAME> with the name of your AlbConfig.

  2. In the HTTPS listener configuration (port 443), add caEnabled: true and set caCertificates.CertificateId to the certificate identifier recorded in Step 2:

    apiVersion: alibabacloud.com/v1
    kind: AlbConfig
    metadata:
      name: #...
    spec:
      config:
        #...
      listeners:
      - port: 443
        protocol: HTTPS
        caEnabled: true                                        # Enable mutual authentication
        caCertificates:
        - CertificateId: 0e40dda998174723af39d37fcaf*****     # Certificate identifier from Step 2
        certificates:
          #...

Test mutual authentication

  1. Get the Ingress hostname and address:

    kubectl get ingress

    Expected output:

    NAME            CLASS                HOSTS                  ADDRESS                         PORTS     AGE
    https-ingress   https-ingressclass   demo.alb.ingress.top   alb-********.alb.aliyuncs.com   80, 443   83m

    Record the values in the HOSTS and ADDRESS columns.

  2. Test that a request with a valid client certificate succeeds. Replace demo.alb.ingress.top and alb-********.alb.aliyuncs.com with the values from the previous step:

    curl -H HOST:demo.alb.ingress.top -k https://alb-********.alb.aliyuncs.com --cert client.crt --key client.key

    Expected output:

    old
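The test above exercises only the positive case. As an added example that is not part of the original page or of the ALB Ingress project, the following Go program reproduces the decision described under "How it works" and enforced by the listener with caEnabled: true, using nothing but the standard library: it constructs a throwaway PKI (a root CA, a server certificate, a client certificate signed by that root, and a second client certificate issued by an unrelated CA), starts a TLS server on the loopback interface that requires client certificates chaining to the root CA, and records the server's verdict for three clients. The scenario names, the common names, the localhost server name and the decision to pin the client's own server verification to the same root CA (a real ALB listener uses its separate server certificate) are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // only reachable if the system RNG, certificate encoding or loopback networking fails
	}
}

// newCert issues a P-256 certificate with its key: a self-signed root CA when parent is empty (ca.crt, Step 1),
// otherwise a leaf signed by the parent's key (client.crt, Step 3). All names here are constructed for the example.
func newCert(cn string, isCA bool, parent tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a throwaway PKI
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{"localhost"}
	}
	signerCert, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent.Leaf != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake dials a loopback TLS server and returns the server's verdict: the server is the side that checks the client.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			err = tls.Server(conn, serverCfg).Handshake()
		}
		verdict <- err
	}()
	conn, dialErr := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if conn != nil {
		defer conn.Close() // runs after the verdict is in, so the server is not cut off mid-handshake
	}
	if err := <-verdict; err != nil {
		return err
	}
	return dialErr
}

// RunScenarios sends three clients to a server that, like the ALB listener with caEnabled: true, only admits
// client certificates signed by the trusted root CA. It maps each scenario to the server's error (nil = accepted).
func RunScenarios() map[string]error {
	root := newCert("root", true, tls.Certificate{})
	server := newCert("localhost", false, root)
	client := newCert("trusted-client", false, root)
	rogue := newCert("untrusted-client", false, newCert("unrelated-root", true, tls.Certificate{}))
	trusted := x509.NewCertPool()
	trusted.AddCert(root.Leaf)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // caEnabled: true
		ClientCAs:    trusted,                         // the CA certificate uploaded in Step 2
	}
	results := map[string]error{}
	for name, certs := range map[string][]tls.Certificate{"trusted": {client}, "none": nil, "untrusted-ca": {rogue}} {
		results[name] = handshake(serverCfg, &tls.Config{RootCAs: trusted, ServerName: "localhost", Certificates: certs})
	}
	return results
}

func main() { fmt.Println(RunScenarios()) }
```

Run it with go run: the "trusted" client is accepted, while "none" and "untrusted-ca" are rejected. In the third case Go's client already sees from the server's advertised CA list that its certificate was not issued by the trusted root and sends none, so the server rejects it for lacking a certificate; a client that sent the certificate anyway would fail the server's chain verification instead. The equivalent negative check against the real listener is the curl command from step 2 without --cert and --key, which should be refused once caEnabled is true. Note that -k in that command only switches off verification of the ALB's server certificate on the client side (the request goes to the ALB address rather than the Ingress host); it has no effect on the client-certificate check the listener performs.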

(Optional) Step 5: Disable mutual authentication

  1. Open the AlbConfig for editing:

    kubectl edit albconfig <ALBCONFIG_NAME>
  2. Set caEnabled to false:

    apiVersion: alibabacloud.com/v1
    kind: AlbConfig
    metadata:
      name: #...
    spec:
      config:
        #...
      listeners:
      - port: 443
        protocol: HTTPS
        caEnabled: false                                       # Disable mutual authentication
        caCertificates:
        - CertificateId: 0e40dda998174723af39d37fcaf*****
        certificates:
          #...

What's next