Standard HTTPS only verifies the server — any client can connect. Mutual TLS (mTLS) requires both the server and the client to present valid certificates, so only clients with a certificate signed by your trusted CA can establish a connection. By enforcing mTLS at the Application Load Balancer (ALB) listener, unauthorized connections are rejected before they reach your backend.
This setup is suited for finance, IoT, enterprise internal services, and public-sector applications that handle private data.
How it works
| Authentication type | Server verified by client | Client verified by server |
|---|---|---|
| One-way (standard HTTPS) | Yes | No |
| Mutual (mTLS) | Yes | Yes |
In mutual authentication, the server holds a CA certificate and the client holds an SSL or TLS certificate signed by that CA. ALB validates the client certificate against the CA certificate on every connection. A secure channel is established only after both sides verify each other's identity.
Prerequisites
Before you begin, ensure that you have:
-
An SSL or TLS certificate configured on your ALB listener. For details, see Configure HTTPS certificates for encrypted communication
-
A root CA certificate, obtained by either:
-
Purchasing a private CA from the Certificate Management Service console — see Purchase and enable a private CA
-
Generating a self-signed root CA certificate by following Step 1 in this topic
-
(Optional) Step 1: Generate a self-signed root CA certificate
Generate a root CA certificate locally and upload it to the Certificate Management Service console.
Generate the certificate
-
Create a private key:
openssl genrsa -out ca.key 4096 -
Create a certificate signing request (CSR):
Field Description Required Country Name Two-letter country code, e.g., cnfor ChinaYes State or Province Name Full state or province name Yes Locality Name City name Yes Organization Name Company or organization name Yes Organizational Unit Name Department or unit name Yes Common Name Domain name for the certificate No Email Address Contact email for the certificate administrator No A challenge password Password to authenticate CSR access. Leave blank if not needed No An optional company name Leave blank if not needed No openssl req -new -out ca.csr -key ca.keyWhen prompted, enter values for the following fields:
Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:bj Locality Name (eg, city) [Default City]:bj Organization Name (eg, company) [Default Company Ltd]:alibaba Organizational Unit Name (eg, section) []:test Common Name (eg, your name or your servers hostname) []:root Email Address []:a.alibaba.com A challenge password []: An optional company name []: -
Create the root CA certificate:
-
ca.crt— root CA certificate (used in Step 3 to configure the AlbConfig) -
ca.csr— CSR sent to the CA -
ca.key— private key (used in Step 2 to sign the client certificate)
ImportantKeep
ca.keyconfidential. Anyone with access to the private key can issue trusted client certificates.openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key -CAcreateserial -days 3650Run
lsto confirm the following files are present:ca.crt ca.csr ca.key -
Upload the CA certificate
-
Log on to the Certificate Management Service console. In the left-side navigation pane, click Certificate Application Repository.
-
Click Create Repository. In the panel that appears, set the following parameters and click OK:
Parameter Description Repository Name Enter a custom name Data Source Click Uploaded Certificates and then select a private certificate purchased and issued from a third-party certificate service provider -
Click the repository you created. On the Manage Certificates page, click Uploaded Certificates.
-
In the CA Information panel, set the following parameters and click Confirm and Enable:
Parameter Description Package Name Enter a custom name for the certificate CA Certificates Paste the PEM-encoded content of ca.crt, or click Upload to select the fileCertificate Key Paste the PEM-encoded content of ca.key
Step 2: Generate a client certificate
Use the self-signed CA certificate from Step 1 to issue a client certificate. This certificate is presented by clients to authenticate with the ALB listener.
-
Generate a private key for the client certificate:
openssl genrsa -out client.key 4096 -
Generate a CSR for the client certificate:
openssl req -new -out client.csr -key client.key -
Sign the client certificate with the root CA from Step 1:
openssl x509 -req -in client.csr -out client.crt -signkey client.key -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650Run
lsto confirm the following files are present:client.crt client.csr client.key
Step 3: Configure an AlbConfig to enable mutual authentication
The AlbConfig resource defines the ALB instance and its listeners. Setting caEnabled: true on a listener enables mTLS — ALB requires and verifies a client certificate on every HTTPS connection to that listener.
You need two certificate IDs from the Certificate Management Service console:
-
Server certificate ID — navigate to SSL Certificates > Actions icon > Details > Certificate Details panel
-
Root CA certificate ID — navigate to Certificate Application Repository > your repository > Manage Certificates > Details > Certificate Details panel
Apply an AlbConfig with the following structure:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb-demo
spec:
config:
name: alb-test
addressType: Intranet
# Specify at least two vSwitches in different zones.
# The zones must be supported by ALB and belong to the same virtual private cloud (VPC) as the cluster.
zoneMappings:
- vSwitchId: vsw-2zednnurkug2xl4******
- vSwitchId: vsw-2zeusdspvojoumx******
listeners:
- port: 443
protocol: HTTPS
caEnabled: true # Enables mutual authentication
caCertificates:
- CertificateId: 0e40dda998174723af39d37fcaf***** # Root CA certificate ID
certificates:
- CertificateId: 108*****-cn-hangzhou # Server certificate ID
IsDefault: trueStep 4: Test mutual authentication
Deploy a test service and verify that ALB enforces client certificate validation.
-
Create a file named
coffee.yamlwith the following content:apiVersion: apps/v1 kind: Deployment metadata: name: coffee spec: replicas: 2 selector: matchLabels: app: coffee template: metadata: labels: app: coffee spec: containers: - name: coffee image: registry.cn-hangzhou.aliyuncs.com/acs-sample/nginxdemos:latest ports: - containerPort: 80 --- apiVersion: v1 kind: Service metadata: name: coffee-svc spec: ports: - port: 80 targetPort: 80 protocol: TCP selector: app: coffee type: NodePort --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: alb.ingress.kubernetes.io/listen-ports: | [{"HTTPS": 443}] name: alb-ingress spec: ingressClassName: alb rules: - host: alb.ingress.alibaba.com # Replace with your actual domain name. http: paths: - path: / pathType: Prefix backend: service: name: coffee-svc port: number: 80 -
Deploy the test service:
kubectl apply -f coffee.yamlExpected output:
deployment.apps/coffee created service/coffee-svc created ingress.networking.k8s.io/alb-ingress created -
Get the elastic IP address (EIP) of the ALB instance:
-
Log on to the ALB console and select the region where the ALB instance is deployed.
-
On the Instances page, click the ALB instance.
-
In the Zone section of the instance details page, find the EIP associated with the vSwitch.
-
-
Add a DNS record to your local
hostsfile to map the domain name to the EIP:123.XX.XX.XX alb.ingress.alibaba.com -
Test access with the client certificate:
curl https://alb.ingress.alibaba.com/ --cert client.crt --key client.keyThe server returns a response and redirects to an HTML page. This confirms that ALB accepted the client certificate.
What's next
-
If errors occur when you use ALB, refer to the ALB documentation first. For more information, see ALB Ingress controller troubleshooting and FAQ about ALB Ingresses.