mTLS Demo Site

This ALB demo contain ALB which has 4 Listeners and Lambda as Targets. All port 80 traffic get redirected to port 443 by ALB. Lambda Functions served as Front end for our applications running on port 443. We have also configured ALB to perform the mTLS authentication on port 8443 in verify mode and port 8444 in passthrough mode.Following is the ALB set up we are using for this demo.

mTLS in Verify Mode

Step1: Lets first send a request to ALB on port 8443 without any client certficate and we will notice mTLS is failed to establish.

Step2:Now Lets create Certficate Signing Request(CSR) which we can then pass to Certificate authority to request a certficate. You can use the following command to generate CSR.

openssl req -out client-csr.csr -new -newkey rsa:2048 -nodes -keyout client-key.pem

You should have 2 files now: client.csr and client-key.pem. In the next step you have an option upload client.csr file. Keep the client-key.pem secure and do not share with anyone.

Windows users who do not have OpenSSL installed may follow the steps mentioned here to generate CSR.

Step 3: Click on Request Certficate which should return presigned URL for you to securely upload the CSR file to the S3 bucket. Browse the client.csr and click upload. if the Upload successful you should get a message saying CSR file uploaded succesfully.

Step 4: Generate Certficate using AWS Private Certficate Authority . Please Click the Generate Certificate Button Below which will pass the CSR file you have uploaded and Issue and sign the Certficate.

Genrating Certificate , This may take a while. Please Wait...

Step 5: Test the mTLS using cURL by including the Issued Certificate .

curl -v https://mtls.navaztheking.com:8443 --key client-key.pem --cert yourdownloaded.cert

ALB send Client Certficate information to the Target using following HTTP headers as you can see from above output.

Header	Description
X-Amzn-Mtls-Clientcert-Serial-Number	This header contains a hexadecimal representation of the leaf certificate serial number.
X-Amzn-Mtls-Clientcert-Issuer	This header contains an RFC2253 string representation of the issuer's distinguished name (DN).
X-Amzn-Mtls-Clientcert-Subject	This header contains an RFC2253 string representation of the subject's distinguished name (DN).
X-Amzn-Mtls-Clientcert-Validity	This header contains an ISO8601 format of the notBefore and notAfter date.
X-Amzn-Mtls-Clientcert-Leaf	This header contains a URL-encoded PEM format of the leaf certificate, with +=/ as safe characters.

mTLS in Passthrough Mode

When you use mutual TLS passthrough mode, Application Load Balancer sends the whole client certificate chain to the target using HTTP headers. Then, by using the client certificate chain, you can implement corresponding authentication and authorization logic in your application . Here is the HTTP Header inserted by ALB

curl -v https://mtls.navaztheking.com:8444 --key client-key.pem --cert yourdownloaded.cert

Header	Description
X-Amzn-Mtls-Clientcert	This header contains the URL-encoded PEM format of the entire client certificate chain presented in the connection, with +=/ as safe characters..