In today’s digital landscape, securing client-server communications is crucial. Mutual TLS (mTLS) provides a robust mechanism for authenticating both parties, ensuring that only trusted clients can access your server. This guide will walk you through setting up mTLS on an AWS EC2 instance using Nginx, providing a secure environment for client authentication.

Prerequisites: Preparing Your AWS EC2 Server

Before diving into the configuration, ensure you have the following prerequisites in place:

  • AWS Account: You’ll need an active AWS account to launch an EC2 instance.
  • Custom Domain: A registered domain that you control.
  • Basic Linux Knowledge: Familiarity with basic Linux commands will help.

Launching and Connecting to Your EC2 Instance via SSH

  1. Launch an EC2 Instance:
    • Navigate to the EC2 Dashboard in the AWS Management Console.
    • Click “Launch Instance” and select an Amazon Machine Image (AMI) like Ubuntu 22.04.
    • Choose an instance type, such as t2.micro, and configure your security group to allow SSH (port 22) and HTTPS (port 443).
    • Generate a new key pair or use an existing one for SSH access.
  2. Connect to Your EC2 Instance:

Open your terminal and connect to the EC2 instance using SSH:

ssh -i /path/to/your-key.pem ubuntu@your-ec2-public-ip

Installing Nginx and Obtaining a Custom Domain for Your Server

  1. Install Nginx:

Update your package list and install Nginx:

sudo apt update

sudo apt install nginx -y

Start and enable Nginx:

sudo systemctl start nginx

sudo systemctl enable nginx

  2. Obtain a Custom Domain:
    • Register a domain through a provider like Namecheap or GoDaddy.
    • Point your domain’s A record to your EC2 instance’s public IP address.

Obtaining SSL Certificates with Certbot

  1. Install Certbot:

Install Certbot, which will help you obtain SSL certificates from Let’s Encrypt:

sudo apt install certbot python3-certbot-nginx -y

  2. Acquire SSL Certificates:

Run Certbot to obtain SSL certificates for your domain:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

Certbot will automatically configure Nginx to use these certificates.

Configuring Mutual TLS on the Server-Side

  1. Create a Dedicated Directory for Certificates:

Create the directory Nginx will read the server-side files from, then work in a scratch directory in your home folder (a regular user cannot write to /etc/nginx/ssl; the finished files are copied there in a later step):

sudo mkdir -p /etc/nginx/ssl

mkdir -p ~/mtls && cd ~/mtls

  2. Install OpenSSL:

Ensure OpenSSL is installed:

sudo apt install openssl -y

  3. Generate a Certificate Authority (CA), Server Key, and Server Certificate:

Generate your CA key and certificate:

openssl genpkey -algorithm RSA -out ca.key

openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -out ca.crt

Create the server key and CSR (Certificate Signing Request):

openssl genpkey -algorithm RSA -out server.key

openssl req -new -key server.key -out server.csr

Sign the server certificate using your CA:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256

  4. Generate a Client Key, Client Certificate, and PFX File:

Create the client key and CSR:

openssl genpkey -algorithm RSA -out client.key

openssl req -new -key client.key -out client.csr

Sign the client certificate using your CA:

openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256

Create a PFX file for browser compatibility:

openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile ca.crt
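As an added example that is not part of the original guide, the script below performs the certificate-generation steps of this section non-interactively and then uses openssl verify to emulate the check Nginx performs against the file named in ssl_client_certificate: a certificate is accepted only if it chains to ca.crt. It also issues a look-alike client certificate from a second, unrelated CA to show that a certificate from any other issuer is rejected regardless of its subject name. It assumes bash (or a POSIX sh) and openssl are installed; the subject names ("Example mTLS CA", "alice", "Some Other CA"), the rogue-* file names and the PKI_DIR variable are assumptions of this example, and yourdomain.com is the guide's placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Builds a throwaway mTLS PKI the
# same way as the openssl commands above, then emulates Nginx's client check.
# Assumes sh/bash and openssl are installed; all names are placeholders.
set -eu

# Create a 2048-bit RSA key at $1 (what `openssl genpkey -algorithm RSA` does).
new_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Build CA, server, client and a deliberately untrusted "rogue" client cert in $1.
make_mtls_pki() {
  dir="$1"
  mkdir -p "$dir"
  (
    cd "$dir"
    # 1. Private CA: the trust anchor Nginx loads via ssl_client_certificate.
    new_key ca.key
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 \
      -subj "/CN=Example mTLS CA" -out ca.crt 2>/dev/null

    # 2. Server certificate. Browsers match the SAN, not the CN, so the SAN is
    #    added from an extension file when the CA signs the CSR.
    new_key server.key
    openssl req -new -key server.key -subj "/CN=yourdomain.com" -out server.csr 2>/dev/null
    printf 'subjectAltName=DNS:yourdomain.com\nextendedKeyUsage=serverAuth\n' > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -extfile server.ext -days 365 -sha256 -out server.crt 2>/dev/null

    # 3. Client certificate, restricted to client authentication.
    new_key client.key
    openssl req -new -key client.key -subj "/CN=alice" -out client.csr 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -extfile client.ext -days 365 -sha256 -out client.crt 2>/dev/null

    # 4. Negative case: an identical-looking certificate from an unrelated CA.
    #    It must be rejected because it does not chain to ca.crt.
    new_key rogue-ca.key
    openssl req -x509 -new -nodes -key rogue-ca.key -sha256 -days 365 \
      -subj "/CN=Some Other CA" -out rogue-ca.crt 2>/dev/null
    new_key rogue-client.key
    openssl req -new -key rogue-client.key -subj "/CN=alice" -out rogue-client.csr 2>/dev/null
    openssl x509 -req -in rogue-client.csr -CA rogue-ca.crt -CAkey rogue-ca.key \
      -CAcreateserial -extfile client.ext -days 365 -sha256 -out rogue-client.crt 2>/dev/null
  )
}

# Emulate the handshake check: does certificate $3 chain to the CA in $1 and
# carry a usage compatible with purpose $2 (sslclient or sslserver)?
# Prints "accept" or "reject".
cert_verdict() {
  if openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# Stand-alone run: build the PKI in a temporary directory and report verdicts.
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
make_mtls_pki "$PKI_DIR"
for c in client.crt rogue-client.crt; do
  printf '%-18s %s\n' "$c:" "$(cert_verdict "$PKI_DIR/ca.crt" sslclient "$PKI_DIR/$c")"
done
printf '%-18s %s\n' "server.crt:" "$(cert_verdict "$PKI_DIR/ca.crt" sslserver "$PKI_DIR/server.crt")"
```

Run it with bash mtls-pki-check.sh; set PKI_DIR to keep the generated files. The verdicts it prints are what a TLS connection presenting each certificate would get from a server configured with ssl_client_certificate ca.crt and ssl_verify_client on: client.crt is accepted, while rogue-client.crt is refused during the handshake even though its subject is identical, because trust is anchored in the issuing CA, not in the names inside the certificate. The -purpose flag additionally checks the extendedKeyUsage, so a certificate issued for serverAuth only would not pass as a client certificate either.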

  5. Copy Certificates to Nginx and Adjust Permissions:

Move your certificates to /etc/nginx/ssl:

sudo cp server.crt server.key /etc/nginx/ssl/

sudo cp ca.crt /etc/nginx/ssl/

sudo chmod 600 /etc/nginx/ssl/*

  6. Create a Custom Nginx Configuration File for mTLS:

Edit the Nginx configuration file:

sudo nano /etc/nginx/sites-available/default

Add the following server block to enable mTLS (if Certbot already created a block listening on 443 for your domain, edit that block rather than adding a second one with the same server_name). Note that Certbot pointed ssl_certificate and ssl_certificate_key at the Let's Encrypt files under /etc/letsencrypt/live/yourdomain.com/; browsers trust those, whereas the self-signed server.crt from your private CA will produce a browser warning, so keep the Let's Encrypt paths if you want a trusted server certificate. The directives that actually enable mTLS are ssl_client_certificate and ssl_verify_client:

server {
    listen 443 ssl;
    server_name yourdomain.com;

    # Files served by this block; /var/www/html is the Ubuntu package default.
    root /var/www/html;
    index index.html index.htm;

    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Trust anchor for client certificates: only certificates issued by this CA
    # pass the handshake. "on" also rejects connections that present no certificate.
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    ssl_verify_client on;

    location / {
        try_files $uri $uri/ =404;
    }
}

Save and close the file.

  7. Enable and Test the New Configuration:

Test and reload Nginx:

sudo nginx -t

sudo systemctl reload nginx

Setting Up Mutual TLS on the Client-Side

  1. Transferring Certificates to Your Local Machine:

Download the client PFX bundle and the CA certificate to your local machine with SCP, taking them from the ~/mtls working directory where you generated them (the copies under /etc/nginx/ssl are owned by root with mode 600, so the ubuntu user cannot read them over SCP):

scp -i /path/to/your-key.pem ubuntu@your-ec2-public-ip:mtls/client.pfx ~/Downloads/

scp -i /path/to/your-key.pem ubuntu@your-ec2-public-ip:mtls/ca.crt ~/Downloads/

  2. Import the Client Certificate into Your Browser:
    • Import the client.pfx file into your browser’s certificate store.

Testing Your Mutual TLS Setup

  1. Accessing Your Website:
    • Open your browser and navigate to https://yourdomain.com.
    • If prompted, select the client certificate and proceed to the site.
  2. Verify Successful mTLS Setup:
    • If the configuration is correct, the page loads once you select the client certificate. Without a client certificate, Nginx refuses the request with "400 Bad Request" and the reason "No required SSL certificate was sent"; a certificate issued by any CA other than the one in ca.crt is rejected during the TLS handshake.

Conclusion

Setting up Mutual TLS on an AWS EC2 instance with Nginx is a powerful way to ensure secure client-server communication. Following this guide, you can protect your server from unauthorized access and provide higher security for your applications.
