You can configure mutual authentication to ensure higher security for your business-critical services. This topic describes how to configure mutual authentication on an HTTPS listener of an Application Load Balancer (ALB) instance.

Background information

  • One-way authentication: The client must verify the identity of the server. The server does not need to verify the identity of the client. The client downloads the public key certificate from the server for authentication. A connection can be established after the identity of the server is verified.
  • Mutual authentication: The client downloads the server certificate (public key certificate) from the server and uploads the client certificate (public key certificate) to the server for authentication. A connection can be established only after both the client and the server are verified. Mutual authentication provides higher security.

ALB quotas

Only standard and WAF-enabled ALB instances support mutual authentication. Basic ALB instances do not support mutual authentication.

Prerequisites

Procedure

Note On the server side, a server certificate must be purchased. On the client or user side, a client certificate must be obtained, exported, and installed.

Step 1: Purchase a server certificate

You can purchase or upload a server certificate in the Certificate Management Service console or purchase a server certificate from another service provider. A browser verifies the identity of a server by checking whether the certificate sent by the server is issued by a trusted CA.

In this example, the server certificate is purchased from Alibaba Cloud Certificate Management Service console. For more information about how to purchase a server certificate, see Purchase an SSL certificate and Upload an SSL certificate.
Note Make sure that you have a valid domain name to associate with the certificate.

Step 2: Obtain a client certificate

  1. Log on to the Certificate Management Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, click the Private CAs tab and find the root CA certificate.
  4. Click the expand icon next to the root CA certificate, and then click Apply for Certificate in the Actions column.
  5. In the Apply for Certificate panel, set the following parameters and click Confirm.
    The following section describes the parameters that are relevant to this topic. For more information about how to apply for a certificate, see Manage private certificates.
    Certificate Type: Select the type of private certificate that you want to obtain. In this example, Client Certificate is selected.
    Common Name: Specify the common name. You can specify an email address or a URL for a client certificate. In this example, the domain name of the ALB instance is specified.
    Validity Period: Specify a validity period for the private certificate. The validity period of the private certificate cannot exceed the subscription duration of the Private Certificate Authority (PCA) service that you purchase. In this example, the default validity period of 30 days is used.

    The private certificate is issued immediately after the request is submitted. To view the details of the issued private certificate, find the private certificate and click Certificates in the Actions column. You can view the information about the certificate on the Certificates page.

Step 3: Export the client certificate

If you have purchased a client certificate in the console and want to use the client certificate for mutual authentication, perform the following operations to export the client certificate:

  1. Log on to the Certificate Management Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. On the Private Certificates page, click the Private CAs tab and find the root CA certificate.
  4. Click the expand icon next to the root CA certificate. Then, find the subordinate CA certificate and click Certificates in the Actions column.
  5. On the Certificates page, find the client certificate that you want to manage and click Details in the Actions column. Select View Private Key Content in the Details panel.
  6. In the Password field, specify a password for the private key and click Export.
    After the certificate is exported, the content of the certificate, certificate chain, and private key is displayed in the lower part of the Details panel.
    Note The specified password is used to encrypt the private key when the certificate is exported. When you install the certificate, you must use the password to decrypt the private key.
  7. Create two text files and paste the content of the certificate and the private key into them separately. Save the file that contains the certificate as client.crt and the file that contains the private key as client.key.
  8. Convert the client certificate to a PKCS12 file that can be verified by most browsers:
    1. Log on to ECS01. For more information, see Log on to an ECS instance.
    2. Run the following command to create a folder to store the client certificate:
      mkdir -p /root/ca/users
    3. Upload the client certificate client.crt and the private key client.key created in Step 7 to the /root/ca/users folder.
    4. Run the following command to convert the client certificate to a PKCS12 file:
      openssl pkcs12 -export -clcerts -in /root/ca/users/client.crt -inkey /root/ca/users/client.key -out /root/ca/users/client.p12
    5. Enter the password of the private key specified in Step 6 as prompted.
    6. Enter an export password for the PKCS12 file. This password encrypts the client certificate and private key in the file and is required when you install the client certificate.
      The command writes the PKCS12 file to /root/ca/users/client.p12.
  9. Run the following commands to view the generated client certificate:
    cd /root/ca/users
    ls
    The output lists client.p12 alongside client.crt and client.key.
  10. Open the CLI on the on-premises machine and run the following command to download the client certificate generated in Step 8. Replace IPaddress with the IP address of ECS01.
    scp root@IPaddress:/root/ca/users/client.p12 ./
    Enter the logon password of ECS01 as prompted.

Step 4: Install the client certificate

Install the client certificate on the client. In this example, the Microsoft Edge browser is used.

Import the client certificate to the Microsoft Edge browser.
  1. Open the Microsoft Edge browser and choose ... > Settings.
  2. In the left-side navigation pane, click the Privacy, search, and services tab. Then, click Manage certificates in the Security section and import the client certificate. You must enter the password specified in Step 8.

Step 5: Configure mutual authentication on an HTTPS listener

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed. In this example, China (Hangzhou) is selected.
  3. On the Instances page, find the ALB instance that you want to manage and click its ID.
  4. On the Listener tab, click Create Listener, set the following parameters and click Next.
    The following table describes some of the parameters. Use the default values for other parameters. For more information, see Add an HTTPS listener.
    Select Listener Protocol: Select the protocol of the listener. HTTPS is selected in this example.
    Listener Port: Enter the port on which the ALB instance listens. The ALB instance listens on the port and forwards requests to backend servers. In most cases, port 80 is used for HTTP and port 443 is used for HTTPS. In this example, port 443 is used.
    Listener Name: Enter a name for the listener.
    Advanced Settings: Click Modify to configure advanced settings. In this example, the default advanced settings are used.
    Enable HTTP/2: Specify whether to enable HTTP/2. The default value is used in this example, which means that HTTP/2 is enabled.
  5. On the Configure SSL Certificates wizard page, select the server certificate purchased in Step 1.
  6. Click Modify to show the advanced settings, turn on Enable Mutual Authentication in the Advanced Settings section, and select a certificate source as needed. In this example, Alibaba Cloud is selected. Then, select the CA certificate that you used in Step 2: Obtain a client certificate from the Default CA Certificate drop-down list.

    If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.

  7. Select a TLS security policy and click Next.
  8. On the Server Group wizard page, set the Server Type parameter and select a server group based on the Server Type parameter. Confirm the ECS instances (ECS01 and ECS02) and click Next.
  9. On the Confirm page, confirm the configurations and click Submit.

Step 6: Configure domain name resolution

Create a CNAME record to map the domain name of the server certificate in Step 1 to the publicly accessible domain name of the ALB instance.
  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed. In this example, China (Hangzhou) is selected.
  3. Obtain the domain name of the ALB instance. In this example, the domain name of the standard ALB instance is used.
  4. To create a CNAME record, perform the following operations:
    1. Log on to the Alibaba Cloud DNS console.
    2. On the Manage DNS page, click Add Domain Name.
    3. In the Add Domain Name dialog box, enter a domain name and click OK.
      Important
      • Enter the domain name that is associated with the server certificate.
      • Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.
    4. In the Actions column of the domain name that you want to manage, click Configure.
    5. On the DNS Settings page, click Add Record.
    6. In the Add Record panel, set the following parameters and click Confirm.
      Type: Select CNAME from the drop-down list.
      Host: Enter the prefix of the domain name of your host.
      ISP Line: Select Default.
      Value: Enter the CNAME. The CNAME is the domain name of the ALB instance.
      TTL: Select the time-to-live (TTL) value of the record on the DNS server. In this example, the default value is used.
      Note
      • Newly created CNAME records immediately take effect. The time that is required for a modified CNAME record to take effect is determined by the TTL value. The default TTL value is 10 minutes.
      • If the CNAME record that you want to create conflicts with an existing record, we recommend that you specify another domain name.

Step 7: Test the mutual authentication feature

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed. In this example, China (Hangzhou) is selected.
  3. On the Instances page, click the ID of the ALB instance. Then, click the Listener tab to view the health check status of the HTTPS listener.
    If the Health Check Status column displays Healthy, the backend servers can process requests forwarded by the ALB listener.
  4. Enter the domain name of the server certificate into your browser. In the dialog box that appears, select the client certificate and click OK.
  5. If you refresh the page, requests are forwarded alternately to ECS01 and ECS02. The ECS instances return the following messages:
    ecs01
    ecs02
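The same check as in Step 7, run from a terminal instead of a browser. This is an added example and not part of the Alibaba Cloud documentation; it uses only the Python standard library, assumes the client.crt and client.key files exported in Step 3 together with their export password, and uses EXAMPLE_DOMAIN as a placeholder for the domain name of the server certificate.

```python
"""Check an ALB HTTPS listener with mutual authentication enabled (added example)."""
import socket
import ssl

CLIENT_CERT = "client.crt"   # exported in Step 3 (assumed path)
CLIENT_KEY = "client.key"    # exported in Step 3; encrypted with the export password
KEY_PASSWORD = "changeme"    # constructed placeholder for the Step 3 password


def make_client_context(cert=None, key=None, password=None):
    """Build a client context that verifies the server like a browser does and,
    when cert/key are given, presents the client certificate for mutual auth."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert:
        # The exported private key is encrypted, so the password is required.
        ctx.load_cert_chain(cert, keyfile=key, password=password)
    return ctx


def diagnose(error_text):
    """Translate an SSL error message into what it means for the listener setup."""
    msg = error_text.lower()
    if "certificate required" in msg or "handshake failure" in msg:
        return "server demanded a client certificate: mutual authentication is on"
    if "unknown ca" in msg or "certificate unknown" in msg:
        return "client certificate not issued by the CA selected on the listener"
    if "certificate verify failed" in msg:
        return "server certificate is not trusted by this client"
    return "other TLS failure"


def check_mtls(host, port, ctx):
    """Return (ok, detail). ok is True only when the TLS session is usable."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                # With TLS 1.3 the 'certificate required' alert arrives after the
                # handshake, on the first read, so the request is sent inside the try.
                tls.sendall(request.encode())
                status = tls.recv(64).split(b"\r\n", 1)[0].decode(errors="replace")
                return True, f"{tls.version()} ok, server replied: {status}"
    except ssl.SSLError as exc:
        return False, diagnose(str(exc))


if __name__ == "__main__":
    host = "EXAMPLE_DOMAIN"  # placeholder: domain name of the server certificate
    print("no client cert:  ", check_mtls(host, 443, make_client_context()))
    print("with client cert:", check_mtls(host, 443, make_client_context(CLIENT_CERT, CLIENT_KEY, KEY_PASSWORD)))
```

The first call must fail with the mutual-authentication diagnosis and the second must return True; if the second also fails with "not issued by the CA", the CA selected on the listener does not match the one that issued the client certificate.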