Introduction to Mutual TLS with AWS ALB

Mutual TLS (mTLS) adds an extra layer of security by authenticating both the server and the client during the TLS handshake. It is widely used wherever both parties must establish a trusted connection, for example between microservices or when allowing trusted clients to reach a sensitive application. When implemented with an AWS Application Load Balancer (ALB), mTLS ensures that only authorized clients can communicate with your applications, offering robust, certificate-based authentication. This guide walks you through setting up mutual TLS with AWS ALB so that your application communication is secured.

Overview of Mutual TLS and its Relevance to AWS Application Load Balancer

Mutual TLS is an extension of TLS (Transport Layer Security) in which both parties (client and server) present certificates to verify their identity. In the context of AWS ALB, mutual TLS allows the load balancer to authenticate its backend and ensure that the client accessing the application is trusted by verifying its certificate. This provides an enhanced level of security, especially for applications handling sensitive data or requiring high levels of authentication.

Prerequisites for Setting Up mTLS

Before implementing mutual TLS with AWS ALB, specific prerequisites must be fulfilled:

  1. AWS Account: Ensure you have an active AWS account with administrative access.
  2. Application Load Balancer (ALB): You should have an existing ALB deployed to handle incoming traffic.
  3. ACM (AWS Certificate Manager): A certificate for the server side should be available and issued by a trusted authority.
  4. OpenSSL: Install OpenSSL on your local machine to generate the necessary certificates.
  5. Amazon S3: An S3 bucket to store and manage your certificate files.

Generating x509v3 Certificates

To enable mutual TLS, you must generate both server and client certificates. Start by creating x509v3 certificates, which are the basis of any TLS setup. Follow these steps using OpenSSL:

  1. Generate a Root CA: The certificate authority will issue the client certificates.
    openssl genpkey -algorithm RSA -out rootCA.key
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

  2. Generate a Server Certificate: Your ALB will present this certificate.
    openssl genpkey -algorithm RSA -out server.key
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256

Creating Client Certificates

Client certificates authenticate the client during the mutual TLS handshake. These certificates will be signed by your root CA to validate the client’s identity.

  1. Generate a Client Key and Certificate:
    openssl genpkey -algorithm RSA -out client.key
    openssl req -new -key client.key -out client.csr
    openssl x509 -req -in client.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out client.crt -days 500 -sha256

  2. Bundle Client Certificates: To simplify the process, you can bundle the client key and certificate:
    cat client.crt client.key > client_bundle.pem
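
The three certificate steps above, carried through with explicit x509v3 extensions (CA, serverAuth, clientAuth) and a verification pass before anything is uploaded, as an added example that is not part of the original guide. The output directory, the subject names and the ALB hostname placeholder are assumptions:

```shell
#!/bin/sh
# Added example, not part of the original guide: build the root CA, server
# and client certificates from the steps above with explicit x509v3
# extensions, then verify each certificate for its intended TLS purpose.
# File names, subjects and the ALB hostname below are assumptions.
set -e

# make_pki DIR [ALB_HOSTNAME] -> writes rootCA.*, server.*, client.* into DIR
make_pki() {
  dir="$1"; alb_host="${2:-your-alb-dns-name.example.com}"
  mkdir -p "$dir"

  # Extension profiles. The CA may only sign certificates and CRLs; the
  # server certificate is limited to serverAuth; the client certificate is
  # limited to clientAuth, which is what a TLS server checks for.
  cat > "$dir/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$alb_host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
  cat > "$dir/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF

  # Step 1: root CA key, a CSR, then self-sign it with the CA profile.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/rootCA.key" 2>/dev/null
  openssl req -new -key "$dir/rootCA.key" -subj "/CN=Example mTLS Root CA" -out "$dir/rootCA.csr" 2>/dev/null
  openssl x509 -req -in "$dir/rootCA.csr" -signkey "$dir/rootCA.key" -sha256 -days 1024 \
    -extfile "$dir/ca.ext" -out "$dir/rootCA.crt" 2>/dev/null

  # Steps 2 and 3: server and client certificates, both issued by the root CA.
  for name in server client; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$name.key" 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "/CN=example-$name" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
      -CAcreateserial -sha256 -days 500 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  done
}

# cert_ok_for_purpose CAFILE CERT PURPOSE -> 0 if CERT chains to CAFILE and
# its extensions allow PURPOSE (sslclient or sslserver), non-zero otherwise.
cert_ok_for_purpose() {
  openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# demo DIR [ALB_HOSTNAME] -> build the PKI and print the three checks.
demo() {
  dir="$1"
  make_pki "$dir" "${2:-}"
  report() {
    if cert_ok_for_purpose "$dir/rootCA.crt" "$dir/$1" "$2"; then
      echo "$1 as $2: OK"
    else
      echo "$1 as $2: REJECTED"
    fi
  }
  report client.crt sslclient   # OK: chains to rootCA.crt and carries clientAuth
  report server.crt sslserver   # OK: chains to rootCA.crt and carries serverAuth
  report server.crt sslclient   # REJECTED: same CA, but wrong extendedKeyUsage
}

# Usage: sh mtls_pki.sh ./pki your-alb-dns-name
if [ $# -gt 0 ]; then demo "$1" "${2:-}"; fi
```

The last check is the reason for the extension profiles: a certificate that chains to your root but was issued for serverAuth is refused as a client certificate, so a leaked server certificate cannot be replayed as a client identity. The `-purpose sslclient` verification is the same check to run on any certificate before handing it to a client, and `rootCA.crt` is the file that goes into the trust store in the next section.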

Uploading Trust Store to AWS

The trust store contains the root CA certificate that AWS ALB will use to authenticate client certificates. AWS requires the trust store to be uploaded to an S3 bucket.

  1. Upload the Root CA Certificate to S3:
    aws s3 cp rootCA.crt s3://your-bucket-name/
  2. Specify the S3 URL in the ALB Configuration: This will be referenced when configuring the ALB listener for mTLS.

Configuring ALB Listener for mTLS

Once the certificates are ready and uploaded to AWS, you can configure your ALB listener for mutual TLS.

  1. Navigate to ALB Settings: In the AWS Management Console, go to EC2 > Load Balancers, and select your ALB.
  2. Modify Listener: Choose the HTTPS listener and click “View/Edit Rules.”
  3. Enable mTLS: Configure the listener to require client certificates for authentication:
    • Select the Secure Listener.
    • Under TLS settings, choose the required client authentication option.
    • For the Trust Store, specify the S3 URL where your root CA certificate is stored.
  4. Save the Configuration: Save the changes to your ALB listener settings once configured.

Testing mTLS Configuration

Now that mTLS is configured, it’s time to test the setup to ensure only authorized clients can access the ALB.

  1. Test with Valid Client Certificate: Use curl with the client certificate to test secure communication:
    curl --key client.key --cert client_bundle.pem https://your-alb-dns-name

    • If successful, the ALB will accept and forward the request to the backend.

  2. Test with Invalid Client Certificate: Attempt to connect without providing a valid certificate:
    curl https://your-alb-dns-name

    • The ALB should deny the request, indicating that mTLS is functioning correctly.
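
The two curl tests above rehearsed locally, with `openssl s_server` standing in for the ALB listener, as an added example that is not part of the original guide. It assumes the certificate files produced by the steps on this page (rootCA.crt, server.crt, server.key, client.crt, client.key) sit in one directory and that the port, 18443 by default, is free:

```shell
#!/bin/sh
# Added example, not part of the original guide: run the "valid client
# certificate" and "no client certificate" tests against a local TLS server
# that enforces client-certificate authentication like the ALB listener.
# DIR is assumed to hold rootCA.crt, server.crt, server.key, client.crt and
# client.key from the earlier steps; the port number is an arbitrary choice.
set -e

# mtls_local_check DIR [PORT] -> prints both outcomes and returns 0 only if
# the client with a valid certificate is accepted and the client without one
# is rejected.
mtls_local_check() {
  dir="$1"; port="${2:-18443}"

  # Stand-in for the ALB: -Verify 1 requires a client certificate that
  # chains to rootCA.crt. TLS 1.2 is pinned so that a missing or untrusted
  # certificate fails inside the handshake, before any HTTP request is sent.
  openssl s_server -accept "$port" -www -tls1_2 \
    -cert "$dir/server.crt" -key "$dir/server.key" \
    -CAfile "$dir/rootCA.crt" -Verify 1 >/dev/null 2>&1 &
  srv=$!

  # Wait until the listener accepts TCP connections (the probe's handshake
  # is expected to fail; only the CONNECTED line matters here).
  tries=0
  until openssl s_client -connect "127.0.0.1:$port" </dev/null 2>&1 | grep -q CONNECTED; do
    tries=$((tries + 1))
    if [ "$tries" -ge 10 ]; then kill "$srv" 2>/dev/null || true; return 1; fi
    sleep 1
  done

  # Test 1: valid client certificate. The server answers a GET with its
  # status page, so a 200 status line means the handshake completed.
  if printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$port" \
       -cert "$dir/client.crt" -key "$dir/client.key" -CAfile "$dir/rootCA.crt" \
       -quiet 2>/dev/null | grep -q '^HTTP/1.0 200'; then
    with_cert=accepted
  else
    with_cert=rejected
  fi

  # Test 2: no client certificate. s_client exits non-zero when the server
  # aborts the handshake.
  if openssl s_client -connect "127.0.0.1:$port" -CAfile "$dir/rootCA.crt" \
       </dev/null >/dev/null 2>&1; then
    no_cert=accepted
  else
    no_cert=rejected
  fi

  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true

  echo "with client cert: $with_cert"
  echo "without client cert: $no_cert"
  [ "$with_cert" = accepted ] && [ "$no_cert" = rejected ]
}

# Usage: sh mtls_local_check.sh ./pki 18443
if [ $# -gt 0 ]; then mtls_local_check "$1" "${2:-18443}"; fi
```

Run this before touching the ALB to confirm that the files themselves work together; if the first test is rejected here, the problem is in the certificates (wrong CA, expired, missing clientAuth), not in the listener configuration. A non-zero exit from the second test is the local equivalent of the ALB refusing `curl https://your-alb-dns-name` without a certificate.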

Conclusion

Implementing mutual TLS with the AWS Application Load Balancer can significantly enhance your application’s security by ensuring the server and client are authenticated. This step-by-step guide covers the key components, including generating certificates, configuring the ALB listener, and testing the setup, ensuring that you can establish secure and trusted communication for your AWS applications.
