Server Load Balancer:Configure mutual authentication on an HTTPS listener

Last Updated: Apr 15, 2024

Mutual authentication improves the security of business-critical services. This topic describes how to configure mutual authentication on an HTTPS listener of an Application Load Balancer (ALB) instance.

Background information

  • One-way authentication: The client verifies the identity of the server, but the server does not verify the identity of the client. During the TLS handshake the server sends its public key certificate to the client, which checks that the certificate is valid and was issued by a CA that the client trusts. A connection is established once the server has been authenticated.

  • Mutual authentication: In addition to receiving and verifying the server certificate, the client presents its own public key certificate to the server, which checks that the certificate was issued by the CA configured on the listener. A connection is established only after both the client and the server have been authenticated. Mutual authentication therefore also protects the service from clients that do not hold a certificate issued by that CA.

Limits

Only standard and WAF-enabled ALB instances support mutual authentication. Basic ALB instances do not support mutual authentication.

Prerequisites

Procedure

Configuration steps

Note

On the server side, a server certificate must be purchased or uploaded. On the client side, a client certificate must be obtained, exported, and installed.

Step 1: Prepare a server certificate

You can purchase a server certificate in the Certificate Management Service console, or upload a third-party server certificate there. A browser verifies the identity of a server by checking that the certificate sent by the server is issued by a trusted certificate authority (CA), is within its validity period, and matches the domain name that is being accessed.

In this example, a server certificate is purchased from the Certificate Management Service console. For more information about how to purchase a server certificate, see Purchase an SSL certificate and Upload an SSL certificate.

Note

Make sure that you have a valid domain name to associate with the certificate.

Step 2: Prepare a client certificate

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, click Private Certificates.

  3. On the Private Certificates page, click the Private CAs tab and find the root CA certificate.

  4. Click the icon next to the root CA certificate to expand it, and then click Apply for Certificate in the Actions column.

  5. In the Apply for Certificate panel, configure the parameters and click Confirm.

    The following table describes only the parameters that are relevant to this topic. For more information, see Manage private certificates.

    Certificate Type: Select the type of private certificate that you want to obtain. In this example, Client Certificate is selected.

    Common Name: Specify the common name on the private certificate. In this example, the domain name of the ALB instance is specified. The common name of a client certificate identifies the client that presents it, so in production use a value that identifies the client or user.

    Validity Period: Specify a validity period for the private certificate. The validity period cannot exceed the subscription duration of the Private Certificate Authority (PCA) service that you purchase. In this example, the default validity period is used, which is 30 days.

    The private certificate is issued immediately after the request is submitted. To view the details of the issued private certificate, find the private certificate and click Certificates in the Actions column. You can view the information about the certificate on the Certificates page.

Step 3: Export the client certificate

If you obtained a client certificate from the console in Step 2 and want to use it for mutual authentication, export it as follows:

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, click Private Certificates.

  3. On the Private Certificates page, click the Private CAs tab and find the root CA certificate.

  4. Find the root CA certificate and click the icon next to it to expand it. Then, find the intermediate CA certificate and click Certificates in the Actions column.

  5. On the Certificates page, find the client certificate that you want to manage and click Download in the Actions column. Select the PFX format, which browsers can import, as the certificate format. The download contains a .pfx file that holds the client certificate together with its private key, and a .txt file with the password that protects the .pfx file. Keep both files confidential: anyone who holds them can authenticate to the listener as this client.

Step 4: Install the client certificate

Install the client certificate on the client by following the installation guide.

In this example, the Windows operating system is used: double-click the .pfx file to start the Certificate Import Wizard and enter the password from the .txt file when prompted.

Step 5: Configure mutual authentication on an HTTPS listener

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region in which the ALB instance is deployed.

  3. On the Instances page, click the ID of the ALB instance that you want to manage.

  4. On the Listener tab, click Create Listener, configure the parameters, and then click Next.

    The following table describes some of the parameters. Use the default values for other parameters.

    Select Listener Protocol: Select a listener protocol. In this example, HTTPS is selected.

    Listener Port: Enter the port on which the ALB instance listens. The ALB instance listens on this port and forwards requests to backend servers. In this example, port 443 is used.

  5. In the SSL Certificate step, select the server certificate purchased in Step 1.

  6. Click Modify to show the advanced settings and turn on Enable Mutual Authentication in the Advanced Settings section. Select Alibaba Cloud as the source of the CA certificate. From the Default CA Certificate drop-down list, select the root CA certificate under which you applied for the client certificate in Step 2: Prepare a client certificate. The listener accepts only client certificates that chain to the CA selected here; a client certificate issued by any other CA is rejected during the TLS handshake.

  7. Select a TLS security policy and click Next. Prefer a policy that allows only TLS 1.2 and later unless you must support legacy clients.

  8. In the Server Group step, set the Server Type parameter and select a server group of that type. Confirm the backend ECS instances (ECS01 and ECS02 in this example) and click Next.

  9. In the Confirm step, confirm the configurations and click Submit.

Step 6: Configure domain name resolution

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region in which the ALB instance is deployed.

  3. Copy the domain name of your ALB instance.

  4. To create a CNAME record, perform the following steps:

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Manage DNS page, click Add Domain Name.

    3. In the Add Domain Name dialog box, enter the domain name and click OK.

      Important
      • Enter the domain name that is associated with the server certificate.

      • Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.

    4. Find the domain name that you want to manage and click DNS Settings in the Actions column.

    5. On the DNS Settings page, click Add Record.

    6. In the Add DNS Record panel, configure the following parameters and click OK.

      Record Type: Select CNAME from the drop-down list.

      Hostname: Enter the prefix of your domain name.

      DNS Request Source: Select Default.

      Record Value: Enter the CNAME, which is the domain name of the ALB instance.

      TTL: Select a time-to-live (TTL) value for the CNAME record to be cached on the DNS server. The default value is used in this example.

      Note
      • After you create a CNAME record, it immediately takes effect. After you modify a record, the record takes effect based on the TTL of the record. By default, the TTL is 10 minutes.

      • If the CNAME record that you want to create conflicts with an existing record, we recommend that you specify another domain name. For more information, see Rules for conflicting DNS records.

Step 7: Test whether mutual authentication works as expected

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region in which the ALB instance is deployed.

  3. On the Instances page, click the ID of the ALB instance. Then, click the Listener tab to view the health check status of the HTTPS listener.

    If Healthy is displayed in the Health Check Status column, it indicates that the backend servers can process requests forwarded by the ALB instance.

  4. Visit https://<domain>:<port> from your browser, where <domain> is the domain name associated with the server certificate and <port> is the listener port (443 in this example). The browser prompts you to choose a client certificate; select the certificate that you installed in Step 4 and click OK. A browser on which the client certificate is not installed cannot complete the TLS handshake and shows a certificate error instead of the page.

  5. If you refresh the page, successive requests are distributed between ECS01 and ECS02.

    [Figures: responses returned by ECS01 and ECS02]
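The whole procedure, from the private CA of Step 2 to the test of Step 7, comes down to one TLS configuration on the listener: present a server certificate, and require a client certificate that chains to the selected CA. The following Go program is an added example and is not part of this page or of Alibaba Cloud's code. It stands in a locally generated private CA for the console's Private CA, a loopback HTTPS server for the ALB listener, and a Go HTTP client for the browser; every name in it (demo-root-ca, alb.example.com, alice, unrelated-ca, mallory) is constructed for the demonstration, and the 30-day validity mirrors the console default from Step 2. It checks the three outcomes a practitioner should verify in Step 7: a client holding a certificate from the configured CA is admitted and its identity reaches the backend, a client without a certificate is refused, and a client with a perfectly valid certificate from a different CA is refused as well.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// must aborts the demonstration on PKI or socket setup errors, which have no useful recovery here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert creates a P-256 key and a certificate for cn with the console-default 30-day validity:
// a self-signed root CA when parent is nil, otherwise a leaf signed by parent.
func issueCert(cn string, eku x509.ExtKeyUsage, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // the server certificate must match the name the client verifies
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	signerCert, signerKey := tmpl, any(key) // self-signed
	if parent != nil {
		signerCert, signerKey = parent.Leaf, parent.PrivateKey
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// pool builds a trust store that contains only ca.
func pool(ca *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(ca)
	return p
}

// startListener serves HTTPS on loopback with mutual authentication enabled: it presents server and
// completes the handshake only for clients whose certificate chains to clientCA.
func startListener(server tls.Certificate, clientCA *x509.Certificate) (url string, stop func()) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "Enable Mutual Authentication" switch
		ClientCAs:    pool(clientCA),                  // the "Default CA Certificate" chosen in Step 5
		MinVersion:   tls.VersionTLS12,
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", cfg))
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only clients that passed verification reach the handler, so the peer identity can be trusted.
		w.Header().Set("X-Client-CN", r.TLS.PeerCertificates[0].Subject.CommonName)
	})}
	go srv.Serve(ln)
	return "https://" + ln.Addr().String(), func() { srv.Close() }
}

// get issues one request as a client that trusts serverCA for the identity serverName and, when
// client is non-nil, presents that certificate. It returns the client CN echoed by the listener.
func get(url, serverName string, serverCA *x509.Certificate, client *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: pool(serverCA), ServerName: serverName}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	hc := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := hc.Get(url)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return resp.Header.Get("X-Client-CN"), nil
}

// RunScenario builds a private CA, issues server and client certificates from it, starts the listener
// and exercises it with three clients: one from the trusted CA, one with no certificate, one from an
// unrelated CA. It returns the CN echoed to the trusted client plus the error each client observed.
func RunScenario() (trusted string, trustedErr, noCertErr, wrongCAErr error) {
	ca := issueCert("demo-root-ca", x509.ExtKeyUsageAny, nil) // EKU "any" lets one CA sign server and client leaves
	server := issueCert("alb.example.com", x509.ExtKeyUsageServerAuth, &ca)
	alice := issueCert("alice", x509.ExtKeyUsageClientAuth, &ca)
	otherCA := issueCert("unrelated-ca", x509.ExtKeyUsageAny, nil)
	mallory := issueCert("mallory", x509.ExtKeyUsageClientAuth, &otherCA)
	url, stop := startListener(server, ca.Leaf)
	defer stop()
	trusted, trustedErr = get(url, "alb.example.com", ca.Leaf, &alice)
	_, noCertErr = get(url, "alb.example.com", ca.Leaf, nil)
	_, wrongCAErr = get(url, "alb.example.com", ca.Leaf, &mallory)
	return
}

func main() { fmt.Println(RunScenario()) }
```

Run it with `go run` (Go 1.18 or later, for generics). The trusted client's request succeeds and the listener echoes the client CN back in a response header; the other two clients fail. Under TLS 1.3 the server's rejection may arrive as an alert on the first read rather than during the handshake itself, which is why the example checks the outcome of the whole request rather than the handshake alone. The same three checks carry over to Step 7: confirm not only that a browser with the installed certificate gets through, but also that a browser without it, or with a certificate from another CA, is refused.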