Server Load Balancer:Configure mutual authentication on an HTTPS listener

Last Updated:Jan 17, 2024

You can configure mutual authentication to ensure higher security for your business-critical services. This topic describes how to configure mutual authentication on an HTTPS listener of an Application Load Balancer (ALB) instance.

Background information

  • One-way authentication: Only the client verifies the identity of the server; the server does not verify the identity of the client. The client receives the public key certificate from the server and validates it. A connection can be established after the identity of the server is verified.

  • Mutual authentication: The client receives the server certificate (public key certificate) from the server and presents its own client certificate (public key certificate) to the server for authentication. A connection can be established only after both the client and the server are verified. Mutual authentication provides higher security.

ALB quotas

Only standard and WAF-enabled ALB instances support mutual authentication. Basic ALB instances do not support mutual authentication.

Prerequisites

Procedure

Configuration steps

Note

On the server side, a server certificate must be purchased. On the client or user side, a client certificate must be obtained, exported, and installed.

Step 1: Prepare a server certificate

You can purchase a server certificate in the Certificate Management Service console or upload a third-party server certificate. A browser authenticates the identity of a server by checking whether the certificate sent by the server is issued by a trusted CA.

In this example, a server certificate is purchased from the Certificate Management Service console. For more information about how to purchase a server certificate, see Purchase an SSL certificate and Upload an SSL certificate.

Note

Make sure that you have a valid domain name to associate with the certificate.

Step 2: Prepare a client certificate

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, click Private Certificates.

  3. On the Private Certificates page, click the Private CAs tab and find the root CA certificate.

  4. Click the icon next to the root CA certificate and click Apply for Certificate in the Actions column.

  5. In the Apply for Certificate panel, set the following parameters and click Confirm.

    The following section describes the parameters that are relevant to this topic. For more information, see Manage private certificates.

    • Certificate Type: Select the type of private certificate that you want to obtain. In this example, Client Certificate is selected.

    • Common Name: Specify the common name. You can specify an email address or a URL for a client certificate. In this example, the domain name of the ALB instance is specified.

    • Validity Period: Specify a validity period for the private certificate. The validity period of the private certificate cannot exceed the subscription duration of the Private Certificate Authority (PCA) service that you purchase. In this example, the default validity period is used, which is 30 days.

    The private certificate is issued immediately after the request is submitted. To view the details of the issued private certificate, find the private certificate and click Certificates in the Actions column. You can view the information about the certificate on the Certificates page.

Step 3: Export the client certificate

If you have purchased a client certificate in the console and want to use the client certificate for mutual authentication, perform the following operations to export the client certificate:

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, click Private Certificates.

  3. On the Private Certificates page, click the Private CAs tab and find the root CA certificate.

  4. Find the root CA certificate and click the icon next to it. Then, find the subordinate CA certificate and click Certificates in the Actions column.

  5. On the Certificates page, find the client certificate that you want to manage and click Details in the Actions column. In the Certificate Details panel, select View Private Key Content.

  6. In the Password field, specify a password to encrypt the private key and click Export.

    After the private certificate is exported, the following information appears in the lower part of the Certificate Details panel: Certificate Information, Complete Certificate Chain Content, and Private Key Content.

    Note

    The specified password is used to encrypt the private key when the certificate is exported. When you install the certificate, you must use the password to decrypt the private key.

  7. Create two text files and paste the certificate content and the private key content into them separately. Save the file that contains the certificate with the .crt extension as client.crt, and save the file that contains the private key with the .key extension as client.key.

  8. Convert the client certificate to a PKCS12 file, which most browsers can import.

    1. Remotely log on to ECS01. For more information, see Connection method overview.

    2. Run the following command to create a folder to store the client certificate:

      mkdir -p /root/ca/users

    3. Upload the client certificate client.crt and the private key client.key generated in Step 7 to the users folder.

    4. Run the following command to convert the client certificate to a PKCS12 file:

      openssl pkcs12 -export -clcerts -in /root/ca/users/client.crt -inkey /root/ca/users/client.key -out /root/ca/users/client.p12

    5. Enter the password of the private key specified in Step 6 as prompted.

    6. Enter the password that is used to export the client certificate. This password protects the client certificate and is required when the client certificate is installed.

      The following figure shows the result.

  9. Run the following commands to view the client certificate:

    cd /root/ca/users
    ls

    The following figure shows the result.

  10. Open the CLI on the on-premises machine and run the following command to download the client certificate generated in Step 3:

    scp root@IPaddress:/root/ca/users/client.p12 ./

    IPaddress indicates the IP address of the server that generated the client certificate. Enter the logon password of this server as prompted.
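The conversion in substep 8 and the check behind mutual authentication, as an added shell example that is not part of this topic: a throwaway CA and client certificate stand in for the Alibaba Cloud private CA (all names, paths and the password are constructed), the certificate and key are bundled into a PKCS12 file with openssl, and a certificate issued by any other CA fails verification, which is why a listener with mutual authentication enabled accepts only certificates that chain to the CA it is configured to trust.

```shell
#!/bin/sh
# Added example, not from the original topic: a throwaway private CA and client
# certificate stand in for the Alibaba Cloud private CA. All names, paths and
# the password below are constructed for this demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
EXPORT_PASSWORD="demo-export-password"   # stands in for the Step 6 password

# Create a self-signed demo root CA: $1 = CA name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1 demo root" >/dev/null 2>&1
}

# Issue a client certificate signed by a CA: $1 = CA name, $2 = client name.
make_client_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Step 3, substep 8: bundle certificate and key into a PKCS#12 file.
# -passout supplies the export password instead of the interactive prompt.
make_p12() {
  openssl pkcs12 -export -clcerts -in "$WORK/$1.crt" -inkey "$WORK/$1.key" \
    -out "$WORK/$1.p12" -passout "pass:$EXPORT_PASSWORD"
}

# Succeeds only if the PKCS#12 file opens with the export password.
p12_opens() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$EXPORT_PASSWORD" \
    -noout -info >/dev/null 2>&1
}

# Prints "accept" if the client certificate chains to the CA, else "reject":
# the decision a listener makes against its configured CA certificate.
client_decision() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
  then echo accept; else echo reject; fi
}

make_ca trusted-ca                    # the CA the listener is configured with
make_ca other-ca                      # a CA the listener knows nothing about
make_client_cert trusted-ca client    # issued like the Step 2 certificate
make_client_cert other-ca stranger    # a certificate the listener must refuse
make_p12 client
```

Run it with OpenSSL installed; `client_decision trusted-ca client` prints accept, while `client_decision trusted-ca stranger` prints reject.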

Step 4: Install the client certificate

Install the client certificate on the client. In this example, the Microsoft Edge browser is used.

Import the client certificate to Microsoft Edge.

  1. Open Microsoft Edge and choose ... > Settings.

  2. In the left-side navigation pane, click the Privacy, search, and services tab. Then, click Manage certificates in the Security section and import the client certificate. You must enter the password specified in Step 8.

Step 5: Configure mutual authentication on an HTTPS listener

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region where the ALB instance resides. In this example, China (Hangzhou) is selected.

  3. On the Instances page, click the ID of the ALB instance that you want to manage.

  4. On the Listener tab, click Create Listener, set the following parameters and click Next.

    The following table describes some of the parameters. Use the default values for other parameters. For more information, see Add an HTTPS listener to a CLB instance.

    • Select Listener Protocol: Select a listener protocol. In this example, HTTPS is selected.

    • Listener Port: Enter the port on which the ALB instance listens. The ALB instance listens on the port and forwards requests to backend servers. In this example, port 443 is used. In most cases, port 80 is used for HTTP and port 443 is used for HTTPS.

    • Listener Name: Enter a name for the listener.

    • Advanced Settings: You can click Modify to configure advanced settings.

      Note

      In this example, the default setting is used.

      • Enable HTTP/2: Specify whether to enable HTTP/2 for the listener. The default value is used in this example, which means that HTTP/2 is enabled.

  5. On the SSL Certificate wizard page, select the server certificate purchased in Step 1.

  6. Click Modify to show the advanced settings and turn on Enable Mutual Authentication in the Advanced Settings section. Select Alibaba Cloud as the source of the CA certificate. From the Default CA Certificate drop-down list, select the CA certificate that you used in Step 2: Prepare a client certificate.

    If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.

  7. Select a TLS security policy and click Next.

  8. On the Server Group wizard page, set the Server Type parameter and select a server group based on the Server Type parameter. Confirm the ECS instances (ECS01 and ECS02) and click Next.

  9. In the Confirm step, confirm the configurations and click Submit.

Step 6: Configure domain name resolution

Create a CNAME record to map the domain name of the server certificate in Step 1 to the publicly accessible domain name of the ALB instance.

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region where the ALB instance resides. In this example, China (Hangzhou) is selected.

  3. Copy the domain name of your ALB instance. In this example, the domain name of the standard ALB instance is used.

  4. To create a CNAME record, perform the following steps:

    1. Log on to the Alibaba Cloud DNS console.

    2. On the Manage DNS page, click Add Domain Name.

    3. In the Add Domain Name dialog box, enter your domain name and click OK.

      Important

      • Enter the domain name that is associated with the server certificate.

      • Before you create the CNAME record, you must use a TXT record to verify the ownership of the domain name.

    4. Find the domain name that you want to manage and click DNS Settings in the Actions column.

    5. On the DNS Settings page, click Add Record.

    6. In the Add DNS Record panel, configure the following parameters and click OK.

      • Record Type: Select CNAME from the drop-down list.

      • Hostname: Enter the prefix of your domain name.

      • DNS Request Source: Select Default.

      • Record Value: Enter the CNAME, which is the domain name of the ALB instance.

      • TTL: Select a time-to-live (TTL) value for the CNAME record to be cached on the DNS server. The default value is used in this example.

      Note

      • After you create a CNAME record, it immediately takes effect. After you modify a record, the record takes effect based on the TTL of the record. By default, the TTL is 10 minutes.

      • If the CNAME record that you want to create conflicts with an existing record, we recommend that you specify another domain name. For more information, see Rules for conflicting DNS records.

Step 7: Test the mutual authentication feature

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region where the ALB instance resides. In this example, China (Hangzhou) is selected.

  3. On the Instances page, click the ID of the ALB instance. Then, click the Listener tab to view the health check status of the HTTPS listener.

    If Healthy is displayed in the Health Check Status column, the backend servers can process requests forwarded by the ALB instance.

  4. Enter the domain name of the server certificate into your browser. In the dialog box that appears, select the client certificate and click OK.

  5. If you refresh the page, requests are alternately forwarded between ECS01 and ECS02, as shown in the following figures.
