In financial transactions, healthcare, banking, Internet of Things (IoT), and online payment scenarios, standard one-way HTTPS authentication leaves the server exposed to man-in-the-middle attacks and unauthorized access, because the server trusts all connecting clients by default. Mutual authentication closes this gap by requiring both parties to verify each other before a connection is established. This topic explains how to configure mutual authentication on Anti-DDoS Proxy.
How it works
With one-way authentication, the client verifies the server certificate, but the server trusts all connecting clients. With mutual authentication, the server also verifies the client certificate. Only clients presenting a valid certificate issued by a trusted CA can establish a connection.
One-way vs. mutual authentication
| Comparison item | One-way authentication | Mutual authentication |
|---|---|---|
| Certificate files involved | Server certificate: public key certificate + private key | Server certificate: public key certificate + private key; Client certificate: public key certificate + private key; Root CA certificate |
| Handshaking process |
Use case
An e-government service platform running behind Anti-DDoS Proxy needs to prevent attackers from impersonating the government domain, setting up phishing sites, or using automated tools to scrape public interfaces. Mutual authentication addresses all three threats:
Server authentication: Clients verify the server certificate on Anti-DDoS Proxy, confirming they are connected to a legitimate server.
Client authentication: Anti-DDoS Proxy verifies client certificates against the uploaded CA certificate, allowing only authorized clients to connect.
Prerequisites
Before you begin, make sure you have:
An Anti-DDoS Proxy instance with HTTPS forwarding configured
A domain name pointing to the Anti-DDoS Proxy instance (or DNS access to configure CNAME records)
Access to the Certificate Management Service console
Step 1: Create a CA certificate and generate client certificates
Choose a CA source based on your situation:
| Option | When to use |
|---|---|
| Method 1: Alibaba Cloud-issued CA certificates | Use this if you want Alibaba Cloud to manage your private CA infrastructure. Simpler to set up and integrates directly with Certificate Management Service. |
| Method 2: Self-signed CA certificates (OpenSSL) | Use this if you already have an existing PKI or need to use your own CA. |
Method 2: Generate client certificates using self-signed CA certificates
Both self-signed root CA and self-signed intermediate CA certificates are supported. This example uses a self-signed root CA certificate.
The common name (CN) in the CA certificate must be different from those in the client certificate and the server certificate. Additionally, each client certificate must have a CN that is unique — different from the server certificate, the root CA certificate, and all other client certificates. Duplicate CNs cause certificate validation failures.
Step 1a: Generate a self-signed root CA certificate
Generate a root CA private key:

```bash
openssl genrsa -out root.key 4096
```

Create a certificate signing request (CSR) for the root CA:

```bash
openssl req -new -out root.csr -key root.key
```

When prompted, enter the certificate fields. Example:

```
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:alibaba
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your servers hostname) []:root
Email Address []:a****@example.com
A challenge password []:
An optional company name []:
```

Generate the root CA certificate:

```bash
openssl x509 -req -in root.csr -out root.crt -signkey root.key -CAcreateserial -days 3650
```
Verify the generated files:

```bash
ls
```

Confirm that root.crt (root CA certificate) and root.key (root CA private key) are present. Download these files to your local computer; you will upload them to Certificate Management Service in a later step.
Step 1b: Generate client certificates from the root CA
Generate a client private key:

```bash
openssl genrsa -out client.key 4096
```

Create a CSR for the client certificate:

```bash
openssl req -new -out client.csr -key client.key
```

When prompted, enter the certificate fields. The CN must be unique: different from the root CA, the server certificate, and any other client certificates.

```
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:alibaba
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your servers hostname) []:client-alb-user
Email Address []:username@example.com
A challenge password []:
An optional company name []:
```

Sign the client certificate using the root CA:

```bash
openssl x509 -req -in client.csr -out client.crt -CA root.crt -CAkey root.key -CAcreateserial -days 3650
```

Convert the client certificate to PKCS12 format (.p12) so browsers can import it. When prompted, enter a password that protects the client private key inside the .p12 file:

```bash
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
```

Verify the output:

```bash
ls
```

Confirm that client.p12 is present. Download the file to your local computer to distribute to clients later.
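As an added example that is not part of the original page, the following script runs the root CA and client certificate steps above non-interactively (`-subj` replaces the prompts, and the root CA is created directly with `openssl req -x509`, which marks it as a CA) and then checks the two conditions the page requires for validation to succeed: the client certificate must chain to root.crt, and its CN must differ from the CA's. A certificate signed by an unrelated CA is included to show the rejection path; the CNs, the temporary working directory and the PKCS#12 export password are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page: the root CA and client certificate
# steps above run non-interactively (-subj replaces the prompts), followed by the
# two conditions the page requires for validation to succeed. Every CN, the
# temporary directory and the PKCS#12 export password are constructed here.
set -eu
WORK=$(mktemp -d)
cd "$WORK"
SUBJ_BASE="/C=cn/ST=bj/L=bj/O=alibaba/OU=test"

# Self-signed root CA. 'req -x509' marks it as a CA; its CN must differ from every client CN.
gen_root_ca() {
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -new -x509 -key root.key -out root.crt -days 3650 \
    -subj "$SUBJ_BASE/CN=root" 2>/dev/null
}

# Client key, CSR, root-signed certificate and .p12 bundle; $1 is the unique CN.
gen_client_cert() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -out "$1.csr" -subj "$SUBJ_BASE/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA root.crt -CAkey root.key -CAcreateserial \
    -out "$1.crt" -days 3650 2>/dev/null
  openssl pkcs12 -export -clcerts -in "$1.crt" -inkey "$1.key" -out "$1.p12" \
    -passout pass:constructed-example-password 2>/dev/null
}

# A client certificate that was NOT issued by root.crt (self-signed by the client).
gen_untrusted_cert() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$1.key" -out "$1.crt" -days 3650 \
    -subj "$SUBJ_BASE/CN=$1" 2>/dev/null
}

# Condition 1: certificate $1 chains to the uploaded root CA (exit 0 = accepted).
chains_to_root() {
  openssl verify -CAfile root.crt "$1" >/dev/null 2>&1
}

# Condition 2 helper: print the CN of certificate $1 (old and new subject formats).
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *\([^,/]*\).*/\1/'
}

gen_root_ca
gen_client_cert client-alb-user
gen_untrusted_cert stranger
chains_to_root client-alb-user.crt && echo "client-alb-user.crt: accepted"
chains_to_root stranger.crt || echo "stranger.crt: rejected, not issued by root.crt"
[ "$(cert_cn root.crt)" != "$(cert_cn client-alb-user.crt)" ] && echo "CNs are distinct"
```

Against a live endpoint, curl built with OpenSSL presents the same bundle the browser uses in Step 4: `curl --cert client-alb-user.p12:<password> --cert-type P12 https://<your domain name>`.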
Step 1c: Upload the self-signed root CA certificate to Certificate Management Service
1. Log on to the Certificate Management Service console.
2. In the left navigation pane, choose Certificate And Domain Name Application Service > Certificate Application Repository.
3. On the Certificate Application Repository page, click Create Repository. In the panel, set Data Source to Upload CA Certificates and click OK.
4. Click the newly created certificate repository.
5. On the Official Certificate page, click Uploaded Certificate. In the CA Information panel, upload root.crt and click Confirm and Enable.
Step 2: Add a domain to Anti-DDoS Proxy and enable mutual authentication
1. Log on to the Website Config page in the Anti-DDoS Proxy console.
2. In the top navigation bar, select the region of your instance:
   - Anti-DDoS Proxy (Chinese Mainland): Select Chinese Mainland.
   - Anti-DDoS Proxy (Outside Chinese Mainland): Select Outside Chinese Mainland.
3. Click Add Website and follow the instructions to add the domain. In the HTTPS protocol-related configuration area, select Mutual Authentication and choose the CA certificate based on your certificate source.
   This topic covers only the mutual authentication configuration. For all other settings, see Add a website.
4. After configuration is complete, copy the CNAME address of Anti-DDoS Proxy.
Step 3: Configure domain name resolution
Point your domain to Anti-DDoS Proxy by creating a CNAME record. The following example uses Alibaba Cloud DNS. The steps are similar for other DNS providers.
1. Log on to the Alibaba Cloud DNS console.
2. On the Authoritative DNS Resolution page, find your domain and click DNS Settings in the Actions column.
3. On the DNS Settings page, find the DNS record to modify and click Edit in the Actions column. Set Record Type to CNAME and Record Value to the CNAME address of Anti-DDoS Proxy. Keep the default values for other parameters or adjust them as needed.
   If the record is not listed, click Add DNS Record to create one.
4. Click OK and wait for the DNS change to propagate.
Step 4: Test mutual authentication
This example uses Chrome on a Windows client.
1. Install the client certificate on the client device. Double-click the downloaded client certificate file (.pfx or .p12) and follow the system certificate import prompts to complete the installation.
2. In Chrome, navigate to https://<your domain name>. When the certificate selection dialog appears, select the client certificate.
3. Refresh the browser and verify that the client can access the domain.
The certificate is issued immediately after submission. Click Certificates in the Actions column to view the certificate details.
The downloaded package contains a 