Elastic Load Balancing User Guide
Mutual Authentication

Scenarios

Generally, when HTTPS is used only the server is authenticated, so a certificate must be configured on the server. However, in some important services, such as bank payment, the identities of both communication parties need to be authenticated. This is called mutual authentication and is intended to ensure service security. In this case, you must configure a certificate for the client in addition to the certificate deployed on the server. The following describes how to configure mutual authentication on the management console.

Prepare Certificates

Server Certificate

The server certificate can be one signed by a certificate authority or a self-signed one. The following steps use a self-signed certificate as an example to describe how to create a server certificate.

  1. Log in to a Linux server with OpenSSL installed.
  2. Run the following commands to create the server directory and enter the directory:

    mkdir server

    cd server

  3. Create OpenSSL configuration file ca_cert.conf for the CA certificate. The file content is as follows:

    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no
    [ req_distinguished_name ]
    O                      = ELB

  4. Create OpenSSL configuration file server_cert.conf for the server certificate. The file content is as follows:

    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no
    [ req_distinguished_name ]
    O                      = ELB
    CN                     = www.test.com

    NOTE:

    Set the CN field to the domain name or IP address of the Linux server.

  5. Run the following commands to create CA certificate private key ca.key and server certificate private key server.key:

    openssl genrsa -out ca.key 2048

    openssl genrsa -out server.key 2048

  6. Run the following commands to create CA certificate CSR file ca.csr and server certificate CSR file server.csr:

    openssl req -out ca.csr -key ca.key -new -config ./ca_cert.conf

    openssl req -out server.csr -key server.key -new -config ./server_cert.conf

  7. Run the following commands to create self-signed CA certificate ca.crt and server certificate server.crt (signed with SHA-256; SHA-1 signatures are rejected by current browsers):

    openssl x509 -req -in ca.csr -out ca.crt -sha256 -days 5000 -signkey ca.key

    openssl x509 -req -in server.csr -out server.crt -sha256 -CAcreateserial -days 5000 -CA ca.crt -CAkey ca.key

Client Certificate

  1. Log in to a Linux server with OpenSSL installed.
  2. Run the following commands to create the client directory and enter the directory:

    mkdir client

    cd client

  3. Create OpenSSL configuration file ca_cert.conf for the CA certificate. The file content is as follows:

    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no
    [ req_distinguished_name ]
    O                      = ELB

  4. Create OpenSSL configuration file client_cert.conf for the client certificate. The file content is as follows:

    [ req ]
    distinguished_name     = req_distinguished_name
    prompt                 = no
    [ req_distinguished_name ]
    O                      = ELB
    CN                     = www.test.com

    NOTE:

    Set the CN field to the domain name or IP address of the Linux server.

  5. Run the following commands to create CA certificate private key ca.key and client certificate private key client.key:

    openssl genrsa -out ca.key 2048

    openssl genrsa -out client.key 2048

  6. Run the following commands to create CA certificate CSR file ca.csr and client certificate CSR file client.csr:

    openssl req -out ca.csr -key ca.key -new -config ./ca_cert.conf

    openssl req -out client.csr -key client.key -new -config ./client_cert.conf

  7. Run the following commands to create self-signed CA certificate ca.crt and client certificate client.crt (signed with SHA-256; SHA-1 signatures are rejected by current browsers):

    openssl x509 -req -in ca.csr -out ca.crt -sha256 -days 5000 -signkey ca.key

    openssl x509 -req -in client.csr -out client.crt -sha256 -CAcreateserial -days 5000 -CA ca.crt -CAkey ca.key

  8. Run the following command to convert the client certificate to the .p12 (PKCS#12) format, which the browser can import:

    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

    NOTE:

    A password is required during command execution. Save this password, which is required when the certificate is imported to the browser.
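The two procedures above each generate their own ca.key, so the CA certificate you later bind to the listener must be the one that actually signed client.crt. The following script is an added example, not part of the ELB user guide: it builds a single test CA, signs both the server and the client certificate with it (SHA-256, with a subjectAltName for the server and extendedKeyUsage for the client), exports client.p12 non-interactively, and checks with openssl verify that each leaf chains to ca.crt before anything is uploaded. It assumes OpenSSL 1.1 or 3.x on the PATH; www.test.com, the subject names and the PKCS#12 password are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not from the ELB user guide): one test CA, a server leaf and a
# client leaf signed by that CA, plus chain checks before uploading to the console.
# Assumptions: OpenSSL 1.1/3.x on PATH; all subject names and the PKCS#12
# password are constructed placeholders.
set -eu

# Write a minimal "req" config (same shape as the guide's ca_cert.conf) to $1
# with CN=$2. The [v3_ca] section is only consumed by the self-signed CA (-x509).
write_req_conf() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt             = no
x509_extensions    = v3_ca
[ req_distinguished_name ]
O  = ELB
CN = $2
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# make_mtls_pki <dir> <server-cn> <p12-password>
# Creates ca.{key,crt}, server.{key,csr,crt}, client.{key,csr,crt} and client.p12.
make_mtls_pki() {
  dir=$1; server_cn=$2; p12_pass=$3
  mkdir -p "$dir"
  ( cd "$dir" || exit 1
    write_req_conf ca.conf "ELB Test CA"
    write_req_conf server.conf "$server_cn"
    write_req_conf client.conf "elb-test-client"

    # One CA for both leaves: the guide's client section would otherwise create a
    # second, unrelated ca.crt that does not validate client.crt.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -x509 -new -key ca.key -config ca.conf -sha256 -days 365 -out ca.crt

    # Server leaf: browsers match the hostname against subjectAltName, not CN.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -config server.conf -out server.csr
    printf 'subjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' "$server_cn" > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -sha256 -days 365 -extfile server.ext -out server.crt 2>/dev/null

    # Client leaf: restrict it to client authentication.
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -config client.conf -out client.csr
    printf 'extendedKeyUsage = clientAuth\n' > client.ext
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -sha256 -days 365 -extfile client.ext -out client.crt 2>/dev/null

    # Browser-importable bundle; -passout replaces the interactive prompt of step 8.
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
      -out client.p12 -passout "pass:$p12_pass"
  )
}

# verify_chain <ca.crt> <leaf.crt>: succeeds only if the leaf chains to that CA.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# sig_alg <cert>: print the signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}
```

Run it as `make_mtls_pki ./pki www.test.com 'choose-a-password'` and then `verify_chain pki/ca.crt pki/client.crt`; upload pki/server.crt and pki/server.key as the server certificate and pki/ca.crt as the CA certificate, and import pki/client.p12 into the browser. A ca.crt from any other key pair will fail verify_chain, which is exactly the mismatch that produces a handshake failure at the listener.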

Configure Certificates

Server Certificate and Private Key

  1. Log in to the management console.
  2. In the navigation pane, choose Certificates. On the displayed page, click Create Certificate. In the Create Certificate dialog box, select Server certificate, copy the content of server certificate server.crt created in Prepare Certificates to the Certificate Content area and the content of private key server.key to the Private Key area, and click OK.

    Figure 1 Create Certificate

    NOTE:

    The content of the certificate and private key must be PEM-encoded.

CA Certificate

  1. Log in to the management console.
  2. In the navigation pane, choose Certificates. On the displayed page, click Create Certificate. In the Create Certificate dialog box, select CA certificate, copy the content of CA certificate ca.crt created in Prepare Certificates (the CA certificate that signed the client certificate) to the Certificate Content area, and click OK.

    Figure 2 Create Certificate

    NOTE:

    The certificate content must be PEM-encoded.

Configure the Listener

Bind Certificates

  1. Log in to the management console.
  2. Locate the target load balancer and click its name. Under Listeners, click Add Listener. In the Add Listener dialog box, select HTTPS (Termination) for Frontend Protocol, enable Mutual Authentication, and select the server certificate ID and CA certificate ID.

    Figure 3 Add Listener

    NOTE:

    Only enhanced load balancer listeners support mutual authentication.

Add Backend Servers

For detailed operations, see Backend Server (Enhanced Load Balancer).

Verify Functions

Import the Client Certificate Using a Browser

  1. Export the client certificate, that is, the .p12 certificate (client.p12) generated in step 8 of Client Certificate.
  2. Double-click client.p12 and import the certificate as prompted. The system will ask you to enter a password, which is the one saved in step 8 of Client Certificate.

Perform the Verification

Enter the server address in the browser address box. A window is displayed asking you to select a certificate. Select the client certificate and click OK. The server is accessed successfully.

Figure 4 Accessing the website