If one-way authentication is configured, an HTTPS connection can be established after the server is authenticated. If mutual authentication is configured, an HTTPS connection can be established only after both the client and the server are authenticated. Mutual authentication provides higher security. You can configure mutual authentication to protect your business-critical services. This topic describes how to configure mutual authentication on an HTTPS listener of a CLB instance.
Procedure
In this example, a self-signed certificate authority (CA) certificate is used to sign the client certificate. Perform the following steps to configure mutual authentication on the HTTPS listener.

Prerequisites
-
You have created a CLB instance.
-
You have created two backend servers, ECS01 and ECS02, each running a different application.
Step 1: Purchase a server certificate
You can purchase a server certificate from the Alibaba Cloud Certificate Management Service console or from other service providers. You can use a browser to check if the certificate sent by the server is issued by a trusted authority.
This topic uses a server certificate purchased from the Alibaba Cloud Certificate Management Service console as an example. For more information, see Purchase an SSL certificate.
Make sure that you have a valid domain name to associate with the certificate.
Step 2: Generate a CA certificate by using OpenSSL
In mutual authentication, the server certificate must be issued by an authoritative CA to be trusted by browsers (Step 1). However, because you manage and distribute client certificates, they do not require a public trust chain. Therefore, you can use a self-signed CA certificate to issue them. Follow these steps to generate a self-signed CA certificate for issuing client certificates.
Log on to any Linux machine on which OpenSSL is installed.
-
Run the following command to create the private key for the root certificate:
openssl genrsa -out root.key 4096 -
Run the following command to create a certificate signing request (CSR) file for the root certificate:
openssl req -new -out root.csr -key root.keyEnter the information as prompted. The following is an example:
NoteThe Common Name for the CA certificate must be unique. Do not use the same Common Name as the server or client certificates.
Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:bj Locality Name (eg, city) [Default City]:bj Organization Name (eg, company) [Default Company Ltd]:alibaba Organizational Unit Name (eg, section) []:test Common Name (eg, your name or your servers hostname) []:root Email Address []:a.alibaba.com A challenge password []: An optional company name []: -
Run the following command to create the root certificate:
openssl x509 -req -in root.csr -out root.crt -signkey root.key -CAcreateserial -days 3650The output is similar to the following:

-
Run
lsto view the generated root certificateroot.crtand the private keyroot.key.
Step 3: Generate a client certificate
-
Run the following command to generate a private key for the client certificate:
-
Run the following command to generate a CSR file for the client certificate. Set Common Name to your domain name.
-
Run the following command to generate the client certificate:
-
Run the following command to convert the generated client certificate
client.crtinto a PKCS12 file that can be recognized by a browser. Follow the prompts to enter the encryption password that you set for the client private key. -
Run
lsto view the generated client certificate files:client.key,client.crt, andclient.p12.
openssl genrsa -out client.key 4096openssl req -new -out client.csr -key client.keyopenssl x509 -req -in client.csr -out client.crt -CA root.crt -CAkey root.key -CAcreateserial -days 3650openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12Step 4: Install the client certificate
Install the client certificate on the client.
Windows client
Double-click the client.p12 file and follow the Certificate Import Wizard to install it.
Linux client
Upload the client.key, client.crt, and root.crt files to any directory on your Linux client.
In this example, the directory is /home/ca. Run sudo chmod 700 /home/ca to modify the directory permissions.
Step 5: Upload the server certificate and the CA certificate
Log on to the CLB console.
-
In the left-side navigation pane, choose , and then click Add Certificate to upload the server certificate.
-
In the Add Certificate panel, click Third-party Certificates, configure the following parameters, and then click Create.
Parameter
Description
Certificate Name
Enter a name for the certificate.
Certificate Type
Select Server Certificate.
Public key certificate
The content of the server certificate. Paste the content to the editor.
Private Key
The private key of the server certificate. Paste the private key to the editor.
Region
Select the region of the CLB instance.
-
On the Certificates page, click Add Certificate to upload the CA certificate.
-
In the Add Certificate panel, click Third-party Certificates, configure the following parameters, and then click Create.
Parameter
Description
Certificate Name
Enter a name for the certificate.
Certificate Type
Select CA Certificate.
Client CA Certificate
Upload the public key certificate of the client.
Region
Select the region of the CLB instance.
Step 6: Configure mutual authentication on an HTTPS listener
CLB rejects requests from clients without an installed certificate. If your CLB instance is in a production environment, test this configuration in a staging environment first. Alternatively, use a new listening port to avoid disrupting existing services.
-
Log on to the Classic Load Balancer console.
-
Click the ID of the CLB instance that you created.
-
On the Listeners tab, click Add Listener.
-
On the Protocol & Listener tab, configure the following parameters, and then click Next.
-
Select Listener Protocol: HTTPS
-
Listener Port: 443
-
-
On the Certificate Management Service tab, select the server certificate that you uploaded.
-
Click Modify next to Advanced Settings, enable mutual authentication, select the uploaded CA certificate, and then click Next.
-
Select Default Server Group and click Add to add backend servers.
-
Accept the default values for the remaining parameters, clicking Next to proceed through the wizard. On the final page, click Submit to create the listener.
Step 7: Test the mutual authentication feature
Windows client
-
In a browser, enter
https://ip:port, where ip is the public IP address of the CLB. In the dialog box that appears, confirm the certificate as prompted. Refresh the web page. You can find that the requests are evenly distributed to the backend servers.


Linux client
Log on to the Linux client where the certificates are installed and run the following command to verify the CLB mutual authentication:
sudo curl --cert /home/ca/client.crt --key /home/ca/client.key --cacert /home/ca/root.crt https://<the domain name on the server certificate>:<port>
If the following echo reply packet is returned, the client and the server have completed mutual authentication and requests are distributed to the ECS instances.