This ALB demo contains an ALB with 4 listeners and Lambda functions as targets. All port 80 traffic is redirected to port 443 by the ALB. The Lambda functions serve as the front end for our applications on port 443. We have also configured the ALB to perform mTLS authentication on port 8443 in verify mode and on port 8444 in passthrough mode. The following is the ALB setup we are using for this demo.
mTLS in Verify Mode
Step 1: Let's first send a request to the ALB on port 8443 without any client certificate; we will notice that the mTLS handshake fails to establish.
Step 2: Now let's create a Certificate Signing Request (CSR), which we can then pass to the Certificate Authority to request a certificate. You can use the following command to generate the CSR.
You should now have 2 files: client.csr and client-key.pem. In the next step you will have the option to upload the client.csr file. Keep client-key.pem secure and do not share it with anyone.
Windows users who do not have OpenSSL installed may follow the steps mentioned here to generate the CSR.
Step 3: Click Request Certificate, which returns a presigned URL for you to securely upload the CSR file to the S3 bucket. Browse to client.csr and click Upload. If the upload is successful you should get a message saying the CSR file was uploaded successfully.
Step 4: Generate a certificate using AWS Private Certificate Authority. Click the Generate Certificate button below, which passes the CSR file you uploaded to the CA and issues and signs the certificate.
Certificate generated successfully! Click the Download Certificate button to download the certificate to your local machine.
Step 5: Test mTLS using cURL, including the issued certificate in the request.
The ALB sends the client certificate information to the target using the following HTTP headers, as you can see from the output above.
Header                                 Description
X-Amzn-Mtls-Clientcert-Serial-Number   Hexadecimal representation of the leaf certificate serial number.
X-Amzn-Mtls-Clientcert-Issuer          RFC 2253 string representation of the issuer's distinguished name (DN).
X-Amzn-Mtls-Clientcert-Subject         RFC 2253 string representation of the subject's distinguished name (DN).
X-Amzn-Mtls-Clientcert-Validity        ISO 8601 representation of the notBefore and notAfter dates.
X-Amzn-Mtls-Clientcert-Leaf            URL-encoded PEM of the leaf certificate, with +=/ as safe characters.
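As an added example (not part of the demo's own Lambda code), here is how a Lambda target behind the verify-mode listener can consume these headers to make an authorization decision: in verify mode the ALB has already validated the chain against its trust store, so the function only needs to check the issuer, the validity window and the subject CN before serving the request. The issuer DN, the allowed CNs, the sample event and the exact "notbefore=...;notafter=..." layout of the Validity header are assumptions for this example.

```python
import re
import urllib.parse
from datetime import datetime, timezone

# Hypothetical allow-list for this demo: the DN of our Private CA and the client CNs we accept.
TRUSTED_ISSUER = "CN=Demo Private CA,O=Example Corp"
ALLOWED_CNS = {"demo-client"}

def parse_utc(s):
    """Parse an ISO 8601 UTC timestamp such as 2024-01-01T00:00:00Z into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_dn(dn):
    """Split an RFC 2253 DN ("CN=a,O=b") into a dict, honouring backslash-escaped commas."""
    return dict(part.split("=", 1) for part in re.split(r"(?<!\\),", dn))

def parse_validity(value):
    """Assumed header layout: 'notbefore=<ISO 8601>;notafter=<ISO 8601>'."""
    fields = dict(f.split("=", 1) for f in value.split(";"))
    return parse_utc(fields["notbefore"]), parse_utc(fields["notafter"])

def authorize(headers, now=None):
    """Return (allowed, reason) for a request, based only on the ALB mTLS headers (verify mode)."""
    now = now or datetime.now(timezone.utc)
    h = {k.lower(): v for k, v in headers.items()}  # ALB header names may arrive in any case
    if "x-amzn-mtls-clientcert-subject" not in h:
        return False, "no client certificate presented"
    if h.get("x-amzn-mtls-clientcert-issuer") != TRUSTED_ISSUER:
        return False, "unexpected issuer"
    not_before, not_after = parse_validity(h["x-amzn-mtls-clientcert-validity"])
    if not (not_before <= now <= not_after):
        return False, "certificate outside validity window"
    cn = parse_dn(h["x-amzn-mtls-clientcert-subject"]).get("CN")
    if cn not in ALLOWED_CNS:
        return False, f"subject CN {cn!r} not allowed"
    leaf_pem = urllib.parse.unquote(h.get("x-amzn-mtls-clientcert-leaf", ""))  # undo URL encoding
    if not leaf_pem.startswith("-----BEGIN CERTIFICATE-----"):
        return False, "leaf header is not a PEM certificate"
    return True, f"client {cn} authorized (serial {h.get('x-amzn-mtls-clientcert-serial-number')})"

def lambda_handler(event, context=None):
    allowed, reason = authorize(event.get("headers", {}))
    return {"statusCode": 200 if allowed else 403, "body": reason}

# Constructed sample event (not captured from a real ALB); the leaf body is a placeholder.
SAMPLE_EVENT = {"headers": {
    "x-amzn-mtls-clientcert-serial-number": "01",
    "x-amzn-mtls-clientcert-issuer": TRUSTED_ISSUER,
    "x-amzn-mtls-clientcert-subject": "CN=demo-client,O=Example Corp",
    "x-amzn-mtls-clientcert-validity": "notbefore=2024-01-01T00:00:00Z;notafter=2025-01-01T00:00:00Z",
    "x-amzn-mtls-clientcert-leaf": "-----BEGIN%20CERTIFICATE-----%0AMIIB...%0A-----END%20CERTIFICATE-----%0A",
}}
```

In passthrough mode this logic is not sufficient: the ALB has not verified anything, so the application must validate the full chain it receives before trusting any of these fields.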
mTLS in Passthrough Mode
When you use mutual TLS passthrough mode, the Application Load Balancer sends the whole client certificate chain to the target using HTTP headers. Then, using the client certificate chain, you can implement the corresponding authentication and authorization logic in your application. Here is the HTTP header inserted by the ALB: