HTTPS mutual authentication ensures that both the server and the client verify each other's identity. In scenarios that involve sensitive information, such as banking and financial services, IoT, internal enterprise services, or government services, you can use HTTPS mutual authentication to ensure data security.
Comparison between HTTPS one-way and mutual authentication
-
With HTTPS one-way authentication, the client downloads the server's SSL/TLS certificate to authenticate the server and then establishes a secure communication channel. The server cannot authenticate the client's identity.
-
With HTTPS mutual authentication, the client downloads the server's SSL/TLS certificate for authentication. At the same time, the client must also provide its own SSL/TLS certificate to the server for authentication. A secure communication channel can be established only after both parties have authenticated each other. Typically, the server holds a root CA certificate, and the client's SSL/TLS certificate is issued by this root CA. This allows the server to authenticate the client's identity. Using HTTPS mutual authentication ensures that your service is accessible only to trusted clients. This prevents man-in-the-middle attacks and enhances security.
Prerequisites
-
You have configured an HTTPS certificate. For more information, see Configure HTTPS certificates for encrypted communication.
-
You have obtained a root CA certificate. You can obtain one in the following ways:
-
Purchase a certificate from the Certificate Management Service. For more information, see Purchase and enable a private CA.
-
Generate a self-signed certificate by following the optional steps in this topic.
-
(Optional) Step 1: Generate a self-signed root CA certificate
If you do not have a root CA certificate, follow these steps to generate one and upload it to the Certificate Management Service.
-
Run the following command to create a private key for the root CA certificate.
openssl genrsa -out ca.key 4096 -
Run the following command to create a certificate signing request (CSR) for the root CA certificate.
openssl req -new -out ca.csr -key ca.keyAfter you run the command, you are prompted to provide certificate information. The following example shows sample values for common parameters.
Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:bj Locality Name (eg, city) [Default City]:bj Organization Name (eg, company) [Default Company Ltd]:alibaba Organizational Unit Name (eg, section) []:test Common Name (eg, your name or your servers hostname) []:root Email Address []:a.alibaba.com A challenge password []: An optional company name []:The following table describes the parameters.
Parameter
Description
Country Name
(Required) The two-letter country code. For example, CN represents China.
State or Province Name
(Required) The name of the state or province.
Locality Name
(Required) The name of the city.
Organization Name
(Required) The name of the organization, such as a company name.
Organizational Unit Name
(Required) The name of the organizational unit.
Common Name
(Optional) The common name.
Email Address
(Optional) The email address of the certificate administrator.
A challenge password
(Optional) You can set a password to enhance the security of the CSR. This example does not set a password.
An optional company name
(Optional) The company name. This example does not set a company name.
-
Run the following command to create the root CA certificate.
openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key -CAcreateserial -days 3650After the preceding operations are complete, run the
lscommand to view the root certificate's private key and certificate in the current directory.ca.crt ca.csr ca.keyca.crtis the root certificate file of a certificate authority.ca.csris the certificate signing request (CSR) file, andca.keyis the private key. In sub-step 7, you will upload theca.keyandca.crtfiles to set up the self-signed root CA certificate.ImportantThe private key is sensitive information. Do not disclose it.
-
Log on to the Certificate Management Service console. In the left-side navigation pane, click Certificate Application Repository.
-
On the Certificate Application Repository page, click Create Repository. In the Create Repository panel, configure the following parameters and then click OK.
Parameter
Description
Repository Name
Enter a custom name for the repository.
Data Source
Select Uploaded Certificates. This option allows you to manage private certificates issued by a third-party certificate service provider.
-
On the Certificate Application Repository page, click the certificate repository that you created in the previous step, and then click Uploaded Certificates.
-
In the CA Information panel, configure the parameters as described in the following table to upload the CA certificate that you created in sub-step 3, and then click Confirm and Enable.
Parameter
Description
Name
Enter a custom name for the private certificate that you want to upload.
Certificate File
Enter the PEM-encoded content of the private certificate file.
You can open the private certificate file in PEM or CRT format with a text editor, copy its content, and paste it into this text box. Alternatively, click Upload and Parse File.
Certificate Private Key
Enter the PEM-encoded content of the private certificate's private key.
Step 2: Generate a client certificate
You can purchase a client certificate in the console or issue one by using your self-signed CA.
This topic describes how to use the self-signed CA certificate from Step 1 to issue a client certificate. After you create a listener, you can use this client certificate to perform mutual authentication with the server.
-
Generate the private key for the client certificate.
openssl genrsa -out client.key 4096 -
Generate the CSR for the client certificate.
openssl req -new -out client.csr -key client.key -
Generate the client certificate.
openssl x509 -req -in client.csr -out client.crt -signkey client.key -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650The
CAandCAkeyparameters point to the root CA certificate created in Step 1. -
After the operation is complete, run the
lscommand to view the generated client certificate files in the current directory.client.crt client.csr client.key
Step 3: Create a listener for mutual authentication
-
Specify the server certificate that you created in Step 1 in the
Certificatesfield ofAlbconfigas the default server certificate.-
Log on to the Certificate Management Service console. In the left-side navigation pane, click SSL Certificates.
-
On the SSL Certificates page, find your server certificate, click the
icon in the Actions column, and then select Details. -
In the Certificate Details panel, you can view the certificate ID.
-
-
Add the root certificate ID from Step 1 to the
CertificateIdfield within thecaCertificateslist of the AlbConfig.-
Log on to the Certificate Management Service console. In the left-side navigation pane, click Certificate Application Repository.
-
On the Certificate Application Repository page, click the target certificate repository. On the Certificate Management page, click Details.
-
In the Certificate Details panel, you can view the certificate ID.
-
The following is a sample AlbConfig:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb-demo
spec:
config:
name: alb-test
addressType: Intranet
# You must specify the vSwitch IDs of at least two different zones. The specified vSwitches must be in zones supported by ALB and in the same VPC as the cluster.
zoneMappings:
- vSwitchId: vsw-2zednnurkug2xl4******
- vSwitchId: vsw-2zeusdspvojoumx******
listeners:
- port: 443
protocol: HTTPS
caEnabled: true
caCertificates:
- CertificateId: 0e40dda998174723af39d37fcaf*****
certificates:
- CertificateId: 108*****-cn-hangzhou
IsDefault: trueStep 4: Test the mutual authentication
-
Copy the following content into a file named
coffee.yaml. This file deploys a test service through an Ingress and attaches it to the listener created in Step 3.apiVersion: apps/v1 kind: Deployment metadata: name: coffee spec: replicas: 2 selector: matchLabels: app: coffee template: metadata: labels: app: coffee spec: containers: - name: coffee image: registry.cn-hangzhou.aliyuncs.com/acs-sample/nginxdemos:latest ports: - containerPort: 80 --- apiVersion: v1 kind: Service metadata: name: coffee-svc spec: ports: - port: 80 targetPort: 80 protocol: TCP selector: app: coffee --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: alb.ingress.kubernetes.io/listen-ports: | [{"HTTPS": 443}] name: alb-ingress spec: ingressClassName: alb rules: - host: alb.ingress.alibaba.com # You must add a DNS record for this host. http: paths: - path: / pathType: Prefix backend: service: name: coffee-svc port: number: 80 -
Run the following command to deploy the test service.
kubectl apply -f coffee.yamlExpected output:
deployment.apps/coffee created service/coffee-svc created ingress.networking.k8s.io/alb-ingress created -
Use the client certificate generated in Step 2 to access the service.
-
Log on to the ALB console. In the top navigation bar, select the region where you created the ALB instance.
-
On the Instances page, click the target instance.
-
On the Instance Details page, find the Zone section and obtain the elastic IP address of the ALB instance for that zone.
-
Map the elastic IP address to the domain name by adding an entry to your hosts file.
123.XX.XX.XX alb.ingress.alibaba.com -
After adding the host entry, access the service by using its domain name.
# Replace alb.ingress.alibaba.com with the actual domain name. You must also provide the full file paths for client.crt and client.key. curl https://alb.ingress.alibaba.com/ --cert client.crt --key client.keyThe expected output is an HTML page from the server.
-
Related documents
If you encounter errors when you use ALB, see ALB Ingress troubleshooting and ALB Ingress FAQ.