Deploy HTTPS services with CLB (mutual authentication)

更新时间:
复制 MD 格式

If one-way authentication is configured, an HTTPS connection can be established after the server is authenticated. If mutual authentication is configured, an HTTPS connection can be established only after both the client and the server are authenticated. Mutual authentication provides higher security. You can configure mutual authentication to protect your business-critical services. This topic describes how to configure mutual authentication on an HTTPS listener of a CLB instance.

Procedure

In this example, a self-signed certificate authority (CA) certificate is used to sign the client certificate. Perform the following steps to configure mutual authentication on the HTTPS listener.

Configure mutual authentication on an HTTPS listener of a CLB instance

Prerequisites

  • You have created a CLB instance.

  • You have created two backend servers, ECS01 and ECS02, each running a different application.

Step 1: Purchase a server certificate

You can purchase a server certificate from the Alibaba Cloud Certificate Management Service console or from other service providers. You can use a browser to check if the certificate sent by the server is issued by a trusted authority.

This topic uses a server certificate purchased from the Alibaba Cloud Certificate Management Service console as an example. For more information, see Purchase an SSL certificate.

Important

Make sure that you have a valid domain name to associate with the certificate.

Step 2: Generate a CA certificate by using OpenSSL

In mutual authentication, the server certificate must be issued by an authoritative CA to be trusted by browsers (Step 1). However, because you manage and distribute client certificates, they do not require a public trust chain. Therefore, you can use a self-signed CA certificate to issue them. Follow these steps to generate a self-signed CA certificate for issuing client certificates.

Log on to any Linux machine on which OpenSSL is installed.

  1. Run the following command to create the private key for the root certificate:

    openssl genrsa -out root.key 4096
  2. Run the following command to create a certificate signing request (CSR) file for the root certificate:

    openssl req -new -out root.csr -key root.key

    Enter the information as prompted. The following is an example:

    Note

    The Common Name for the CA certificate must be unique. Do not use the same Common Name as the server or client certificates.

    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:bj
    Locality Name (eg, city) [Default City]:bj
    Organization Name (eg, company) [Default Company Ltd]:alibaba
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, your name or your servers hostname) []:root
    Email Address []:a.alibaba.com
    A challenge password []:
    An optional company name []:
  3. Run the following command to create the root certificate:

    openssl x509 -req -in root.csr -out root.crt -signkey root.key -CAcreateserial -days 3650

    The output is similar to the following:创建根证书

  4. Run ls to view the generated root certificate root.crt and the private key root.key.

Step 3: Generate a client certificate

  1. Run the following command to generate a private key for the client certificate:

  2. openssl genrsa -out client.key 4096
  3. Run the following command to generate a CSR file for the client certificate. Set Common Name to your domain name.

  4. openssl req -new -out client.csr -key client.key
  5. Run the following command to generate the client certificate:

  6. openssl x509 -req -in client.csr -out client.crt -CA root.crt -CAkey root.key -CAcreateserial -days 3650
  7. Run the following command to convert the generated client certificate client.crt into a PKCS12 file that can be recognized by a browser. Follow the prompts to enter the encryption password that you set for the client private key.

  8. openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
  9. Run ls to view the generated client certificate files: client.key, client.crt, and client.p12.

Step 4: Install the client certificate

Install the client certificate on the client.

Windows client

Double-click the client.p12 file and follow the Certificate Import Wizard to install it.

Linux client

Upload the client.key, client.crt, and root.crt files to any directory on your Linux client.

In this example, the directory is /home/ca. Run sudo chmod 700 /home/ca to modify the directory permissions.

Step 5: Upload the server certificate and the CA certificate

  1. Log on to the CLB console.

  2. In the left-side navigation pane, choose CLB > Certificates, and then click Add Certificate to upload the server certificate.

  3. In the Add Certificate panel, click Third-party Certificates, configure the following parameters, and then click Create.

    Parameter

    Description

    Certificate Name

    Enter a name for the certificate.

    Certificate Type

    Select Server Certificate.

    Public key certificate

    The content of the server certificate. Paste the content to the editor.

    Private Key

    The private key of the server certificate. Paste the private key to the editor.

    Region

    Select the region of the CLB instance.

  4. On the Certificates page, click Add Certificate to upload the CA certificate.

  5. In the Add Certificate panel, click Third-party Certificates, configure the following parameters, and then click Create.

    Parameter

    Description

    Certificate Name

    Enter a name for the certificate.

    Certificate Type

    Select CA Certificate.

    Client CA Certificate

    Upload the public key certificate of the client.

    Region

    Select the region of the CLB instance.

Step 6: Configure mutual authentication on an HTTPS listener

Warning

CLB rejects requests from clients without an installed certificate. If your CLB instance is in a production environment, test this configuration in a staging environment first. Alternatively, use a new listening port to avoid disrupting existing services.

  1. Log on to the Classic Load Balancer console.

  2. Click the ID of the CLB instance that you created.

  3. On the Listeners tab, click Add Listener.

  4. On the Protocol & Listener tab, configure the following parameters, and then click Next.

    • Select Listener Protocol: HTTPS

    • Listener Port: 443

  5. On the Certificate Management Service tab, select the server certificate that you uploaded.

  6. Click Modify next to Advanced Settings, enable mutual authentication, select the uploaded CA certificate, and then click Next.

  7. Select Default Server Group and click Add to add backend servers.

  8. Accept the default values for the remaining parameters, clicking Next to proceed through the wizard. On the final page, click Submit to create the listener.

Step 7: Test the mutual authentication feature

Windows client

  1. In a browser, enter https://ip:port, where ip is the public IP address of the CLB. In the dialog box that appears, confirm the certificate as prompted.

  2. Refresh the web page. You can find that the requests are evenly distributed to the backend servers.

    ECS01ECS02

Linux client

Log on to the Linux client where the certificates are installed and run the following command to verify the CLB mutual authentication:

sudo curl --cert /home/ca/client.crt --key /home/ca/client.key --cacert /home/ca/root.crt https://<the domain name on the server certificate>:<port>

If the following echo reply packet is returned, the client and the server have completed mutual authentication and requests are distributed to the ECS instances.Verification 1