
Anti-DDoS: Use Anti-DDoS Proxy to deploy mutual authentication

Last Updated: Nov 11, 2025

For high-security scenarios such as financial transactions, healthcare, banking, and online payments, traditional one-way authentication (which verifies only the server's identity) falls short of security requirements. By default, the server trusts all connecting clients, potentially exposing it to risks like man-in-the-middle attacks and unauthorized access. To enhance security, you can use the mutual authentication feature of Anti-DDoS Proxy. This process requires both the client and server to verify each other's identities before establishing a connection. Only after both parties are authenticated can they create a secure communication channel for data transmission. This topic explains how to configure mutual authentication.

Introduction

Why mutual authentication is necessary

Most Internet web applications accept a wide range of clients. For these applications, one-way HTTPS authentication is sufficient: the client validates the server's identity before interacting with the application, which ensures that it connects to a legitimate server.

However, in scenarios that require a higher level of security, the server's identity is not the only one that must be verified: the client must be authenticated as well. Mutual authentication serves this case. It ensures that only authorized clients can access the server, reducing security risks such as man-in-the-middle attacks and unauthorized access.

Comparison between one-way and mutual authentication

Involved certificate files

  • One-way authentication: server certificate (public key certificate and private key).

  • Mutual authentication:

    • Server certificate (public key certificate and private key)

    • Client certificate (public key certificate and private key)

    • Root CA certificate, which the server uses to verify client certificates

Handshaking process (shown as diagrams on the original page)

  • One-way authentication: the server presents its certificate and the client verifies it.

  • Mutual authentication: in addition, the server requests the client certificate and verifies it against the root CA certificate before the connection is established.

Scenarios

For business scenarios with high security requirements, such as financial transactions, healthcare, banking, Internet of Things, and online payments, the server needs to verify the client's identity in addition to the client verifying the server's identity.

If there is no need for client authentication, mutual authentication is not required.

Example

An e-government service platform that uses Anti-DDoS Proxy for DDoS defense must configure mutual authentication to prevent attackers from impersonating the government domain or using phishing websites to mislead users, which could lead to information leakage. Mutual authentication also protects against malicious users who employ automated tools to crawl public interfaces.

  • Server authentication: The client verifies the server certificate configured on Anti-DDoS Proxy to ensure connection to a legitimate server.

  • Client authentication: Configure the certificate authority (CA) certificate on Anti-DDoS Proxy to verify client certificates, allowing only authorized clients to access.


Step 1: Create a CA certificate and generate client certificates

Method 1: Generate client certificates using Alibaba Cloud-issued CA certificates

You can refer to Apply for a private certificate to apply for client certificates.

  1. Purchase and enable a private CA.

    Note

    In a private CA, a private root CA can include one or more private intermediate CAs. Only private intermediate CAs can issue private certificates, including server certificates and client certificates.

  2. Apply for client certificates using a private intermediate CA.

    1. Log on to the Certificate Management Service console, and in the left navigation pane, choose Certificate Management > PCA Certificate Management.

    2. On the Private CAs tab, find the target intermediate CA, and in the Actions column, click Apply for Certificate.


    3. In the Apply for Certificate panel, complete the certificate configuration, and click Confirm.

      In this scenario, select Client Certificate for Certificate Type, and enter a unique identifier for the client user in Personal Name. You can keep the default values for other parameters or modify them based on your needs.

      After you submit a certificate application, the private certificate is immediately issued. Then, you can click Certificates in the Actions column to view the information about the private certificate.

  3. Export the client certificate.

    1. On the Private CAs tab, find the private intermediate CA from which the required private certificate is issued and click Certificates in the Actions column.

    2. On the Certificates page, find the private certificate that you want to download and click Download in the Actions column.

    3. In the Download Certificate dialog box, configure the Certificate Format parameter and click Confirm and Download. If you turn on Include Trust Chain, the certificate that is downloaded includes the complete certificate chain. The following table describes certificate formats.

      In this scenario, select PFX for Certificate Format, which browsers can import.

      The downloaded certificate files (shown in the figure on the original page) include a client certificate file with the .pfx extension and a text file with the .txt extension that contains the password encrypting the client private key.

Method 2: Generate client certificates using non-Alibaba Cloud-issued CA certificates

Self-signed root CA or self-signed intermediate CA certificates are supported for mutual authentication. This topic uses a self-signed root CA certificate as an example.

  1. Use OpenSSL to generate a self-signed root CA certificate.

    1. Use the following command to create a root CA certificate private key:

      openssl genrsa -out root.key 4096

    2. Use the following command to create a file for requesting a root CA certificate:

      openssl req -new -out root.csr -key root.key

      Set the other parameters. Example:

      Note

      Ensure that the common name in the CA certificate is different from those in the client certificate and the server certificate.

      Country Name (2 letter code) [XX]:cn
      State or Province Name (full name) []:bj
      Locality Name (eg, city) [Default City]:bj
      Organization Name (eg, company) [Default Company Ltd]:alibaba
      Organizational Unit Name (eg, section) []:test
      Common Name (eg, your name or your servers hostname) []:root
      Email Address []:a****@example.com
      A challenge password []:
      An optional company name []:

    3. Use the following command to create a root CA certificate:

      openssl x509 -req -in root.csr -out root.crt -signkey root.key -CAcreateserial -days 3650

      (Figure on the original page: output of the root CA certificate creation command.)

    4. Run ls to confirm that the root CA certificate root.crt and its private key root.key were generated.

      Download these root CA certificate files to your local computer so that you can upload them to the Certificate Management Service later.

  2. Use the root CA certificate to generate client certificates.

    1. Use the following command to generate a client certificate key:

      openssl genrsa -out client.key 4096

    2. Use the following command to generate a file for requesting a client certificate:

      openssl req -new -out client.csr -key client.key

      Set the other parameters. Example:

      Note

      Ensure that the common name in the client certificate is different from those in the server certificate, the root certificate, and other client certificates.

      Country Name (2 letter code) [XX]:cn
      State or Province Name (full name) []:bj
      Locality Name (eg, city) [Default City]:bj
      Organization Name (eg, company) [Default Company Ltd]:alibaba
      Organizational Unit Name (eg, section) []:test
      Common Name (eg, your name or your servers hostname) []:client-alb-user
      Email Address []:username@example.com
      A challenge password []:
      An optional company name []:

    3. Use the following command to generate a client certificate:

      openssl x509 -req -in client.csr -out client.crt -CA root.crt -CAkey root.key -CAcreateserial -days 3650

      (Figure on the original page: output of the client certificate creation command.)

    4. Use the following command to convert the generated client certificate client.crt and its private key client.key into a PKCS#12 file that browsers can import. When prompted, set an export password; it encrypts the private key in the file and must be entered when the certificate is installed on the client.

      openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

    5. Run ls to confirm that the client certificate file client.p12 was generated.

      Download the client certificate file to your local computer so that you can send it to the client later.

  3. Upload the self-signed root CA certificate to Alibaba Cloud Certificate Management Service.

    1. Log on to the Certificate Management Service console.

    2. In the navigation pane on the left, choose Certificate And Domain Name Application Service > Certificate Application Repository.

    3. On the Certificate Application Repository page, click Create Repository. In the panel, set Data Source to Upload CA Certificates, and click OK.

      (Figure on the original page: Create Repository panel.)

    4. On the Certificate Application Repository page, click the created certificate repository.

    5. On the Official Certificate page, click Uploaded Certificate. In the CA Information panel, upload the root CA certificate file root.crt, and click Confirm and Enable.
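The Method 2 commands above, run end to end as an added example that is not from the Alibaba Cloud page: it issues the root CA and one client certificate non-interactively, then checks that the client certificate chains to root.crt (the file later uploaded as the CA certificate) and that its common name differs from the CA's, as the notes require. It assumes OpenSSL 1.1 or later is installed; the subject fields and export password are constructed values.

```shell
#!/bin/sh
# Added example, not code from the Alibaba Cloud page: a non-interactive form of
# Method 2, steps 1 and 2. Creates a self-signed root CA and one client certificate
# in a scratch directory, then checks that the client cert chains to root.crt and
# that its CN differs from the CA's CN. Assumes OpenSSL 1.1+; subjects are constructed.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
SUBJ_BASE="/C=CN/ST=bj/L=bj/O=example/OU=test"

# Step 1: root CA private key, CSR and self-signed certificate (10 years).
make_root_ca() {
  openssl genrsa -out "$WORKDIR/root.key" 4096 2>/dev/null
  openssl req -new -key "$WORKDIR/root.key" -out "$WORKDIR/root.csr" \
    -subj "$SUBJ_BASE/CN=root" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/root.csr" -signkey "$WORKDIR/root.key" \
    -out "$WORKDIR/root.crt" -days 3650 2>/dev/null
}

# Step 2: client key, CSR, certificate signed by the root CA, and the PKCS#12
# bundle for the browser. $1 is the client CN, $2 the export password.
make_client_cert() {
  openssl genrsa -out "$WORKDIR/$1.key" 4096 2>/dev/null
  openssl req -new -key "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" \
    -subj "$SUBJ_BASE/CN=$1" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/root.crt" \
    -CAkey "$WORKDIR/root.key" -CAcreateserial -out "$WORKDIR/$1.crt" \
    -days 3650 2>/dev/null
  openssl pkcs12 -export -clcerts -in "$WORKDIR/$1.crt" -inkey "$WORKDIR/$1.key" \
    -out "$WORKDIR/$1.p12" -passout "pass:$2" 2>/dev/null
}

# Succeeds when the client certificate validates against root.crt, i.e. the CA
# certificate uploaded to Anti-DDoS Proxy would accept this client.
verify_client_cert() {
  openssl verify -CAfile "$WORKDIR/root.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# Prints the CN of a certificate's subject.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds when the client CN differs from the CA CN (the page's note).
cn_differs_from_ca() {
  [ "$(cert_cn "$WORKDIR/root.crt")" != "$(cert_cn "$WORKDIR/$1.crt")" ]
}

make_root_ca
make_client_cert client-alb-user constructed-export-password
verify_client_cert client-alb-user && cn_differs_from_ca client-alb-user && echo "verified in $WORKDIR"
```

The resulting root.crt is the file to upload in step 3, and client-alb-user.p12 is the file to hand to the client for Step 4.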

Step 2: Add a domain to Anti-DDoS Proxy and enable mutual authentication

  1. Log on to the Website Config page in the Anti-DDoS Proxy console.

  2. In the top navigation bar, select the region of your instance.

    • Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.

    • Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.

  3. On the Website Config page, click Add Website and follow the instructions to add the domain.

    This topic only describes how to enable mutual authentication. For other configuration items, see Add a website.

    In the HTTPS protocol-related configuration area, select Mutual Authentication, then select the CA certificate according to its source (see Step 1).

  4. After the configuration is complete, copy the CNAME address of Anti-DDoS Proxy.

Step 3: Configure domain name resolution

For production use, we recommend that you use your own domain name and point it to the CNAME address of Anti-DDoS Proxy with a CNAME record.

The following example uses a domain whose DNS is hosted on Alibaba Cloud DNS. If your domain is resolved by another DNS provider, use these steps only as a reference.

  1. Log on to the Alibaba Cloud DNS console.

  2. On the Authoritative DNS Resolution page, find the target domain name, and click DNS Settings in the Actions column.

  3. On the DNS Settings page, find the DNS record you want to modify, and click Edit in the Actions column.

    Note

    If the DNS record you want to operate is not in the record list, you can click Add DNS Record.

    In this scenario, set Record Type to CNAME, and set Record Value to the CNAME address of Anti-DDoS Proxy. You can keep the default values for other parameters or modify them based on your needs.

  4. Click OK and wait for the modified DNS settings to take effect.

Step 4: Test mutual authentication

This topic uses the Chrome browser on a Windows client as an example for testing.

  1. Install the client certificate created in Step 1 on the client.

    Double-click the downloaded client certificate file and follow the system certificate import prompts to complete the client certificate installation.

  2. In the browser, enter https://<your domain name>. When the dialog box appears, select the certificate for client identity verification.

  3. Refresh the browser and verify that the client can access the domain.