Mutual authentication with TLS in Application Load Balancer - Elastic Load Balancing
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Mutual authentication with TLS in Application Load Balancer

Mutual TLS authentication is a variation of transport layer security (TLS). Traditional TLS establishes secure communications between a server and client, where the server needs to provide its identity to its clients. With mutual TLS, a load balancer negotiates mutual authentication between the client and the server while negotiating TLS. When you use mutual TLS with Application Load Balancer, you simplify authentication management and reduce the load on your applications.

By using mutual TLS with Application Load Balancer, your load balancer can manage client authentication to help ensure that only trusted clients communicate with your backend applications. When you use this feature, Application Load Balancer authenticates clients with certificates from third-party certificate authority (CA) or by using the Amazon Private Certificate Authority (PCA), optionally, with revocation checks. Application Load Balancer passes on client certificate information to the backend, which your applications can use for authorization. By using mutual TLS in Application Load Balancer, you can get built-in, scalable, managed authentication for certificate-based entities, that uses established libraries.

Mutual TLS for Application Load Balancers provides the following two options for validating your X.509v3 client certificates:

Note: X.509v1 client certificates are not supported.

  • Mutual TLS passthrough: When you use mutual TLS passthrough mode, Application Load Balancer sends the whole client certificate chain to the target using HTTP headers. Then, by using the client certificate chain, you can implement corresponding authentication and authorization logic in your application.

  • Mutual TLS verify: When you use mutual TLS verify mode, Application Load Balancer performs X.509 client certificate authentication for clients when a load balancer negotiates TLS connections.

To get started with mutual TLS in Application Load Balancer using passthrough, you only need to configure the listener to accept any certificates from clients. To use mutual TLS with verfication, you must do the following:

  • Create a new trust store resource.

  • Upload your certificate authority (CA) bundle and, optionally, revocation lists.

  • Attach the trust store to the listener that is configured to verify client certificates.

For step-by-step procedures to configure mutual TLS verify mode with your Application Load Balancer, see Configuring mutual TLS on an Application Load Balancer.

Before you begin configuring mutual TLS on your Application Load Balancer

Before you begin configuring mutual TLS on your Application Load Balancer, be aware of the following:

Quotas

Application Load Balancers include certain limits related to the amount of trust stores, CA certificates, and certificate revocation lists in use within your Amazon account.

For more information, see Quotas for your Application Load Balancers.

Requirements for certificates

Application Load Balancers support the following for certificates used with mutual TLS authentication:

  • Supported certificate: X.509v3

  • Supported public keys: RSA 2K – 8K or ECDSA secp256r1, secp384r1, secp521r1

  • Supported signature algorithms: SHA256, 384, 512 with RSA/SHA256, 384, 512 with EC/SHA256,384,512 hash with RSASSA-PSS with MGF1

CA certificate bundles

The following applies to certificate authority (CA) bundles:

  • Application Load Balancers upload each certificate authority (CA) certificate bundle as a batch. Application Load Balancers don't support uploading individual certificates. If you need to add new certificates, you must upload the certificates bundle file.

  • To replace a CA certificate bundle, use the ModifyTrustStore API.

Certificate order for passthrough

When you use mutual TLS passthrough, the Application Load Balancer inserts headers to present the clients certificate chain to the backend targets. The order of presentation starts with the leaf certificates and finishes with the root certificate.

Session resumption

Session resumption is not supported while using mutual TLS passthrough or verify modes with an Application Load Balancer.

HTTP headers

Application Load Balancers use X-Amzn-Mtls headers to send certificate information when it negotiates client connections using mutual TLS. For more information and example headers, see HTTP headers and mutual TLS.

CA certificate files

CA certificate files must satisfy the following requirements:

  • Certificate file must use PEM (Privacy Enhanced Mail) format.

  • Certificate contents must be enclosed within the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- boundaries.

  • Comments must be preceded by a # character.

  • There cannot be any blank lines.

Example certificate that is not accepted (invalid):

# comments Certificate: Data: Version: 3 (0x2) Serial Number: 01 Signature Algorithm: ecdsa-with-SHA384 Issuer: C=US, O=EXAMPLE, OU=EXAMPLE, CN=EXAMPLE Validity Not Before: Jan 11 23:57:57 2024 GMT Not After : Jan 10 00:57:57 2029 GMT Subject: C=US, O=EXAMPLE, OU=EXAMPLE, CN=EXAMPLE Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 00:01:02:03:04:05:06:07:08 ASN1 OID: secp384r1 NIST CURVE: P-384 X509v3 extensions: X509v3 Key Usage: critical Digital Signature, Key Encipherment, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: 00:01:02:03:04:05:06:07:08 X509v3 Subject Alternative Name: URI:EXAMPLE.COM Signature Algorithm: ecdsa-with-SHA384 00:01:02:03:04:05:06:07:08 -----BEGIN CERTIFICATE----- Base64–encoded certificate -----END CERTIFICATE-----

Example certificates that are accepted (valid):

  1. Single certificate (PEM–encoded):

    # comments -----BEGIN CERTIFICATE----- Base64–encoded certificate -----END CERTIFICATE-----
  2. Multiple certificates (PEM–encoded):

    # comments -----BEGIN CERTIFICATE----- Base64–encoded certificate -----END CERTIFICATE----- # comments -----BEGIN CERTIFICATE----- Base64–encoded certificate -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Base64–encoded certificate -----END CERTIFICATE-----

HTTP headers and mutual TLS

This section describes the HTTP headers that Application Load Balancers use to send certificate information when negotiating connections with clients using mutual TLS. The specific X-Amzn-Mtls headers that the Application Load Balancer uses depends on the mutual TLS mode that you've specified: passthrough mode or verify mode.

For information about other HTTP headers supported by Application Load Balancers, see HTTP headers and Application Load Balancers.

HTTP header for passthrough mode

For mutual TLS in passthrough mode, Application Load Balancers use the following header.

This header contains the URL-encoded PEM format of the entire client certificate chain presented in the connection, with +=/ as safe characters.

Example header contents:

X-Amzn-Mtls-Clientcert: -----BEGIN%20CERTIFICATE-----%0AMIID<...reduced...>do0g%3D%3D%0A-----END%20CERTIFICATE-----%0A-----BEGIN%20CERTIFICATE-----%0AMIID1<...reduced...>3eZlyKA%3D%3D%0A-----END%20CERTIFICATE-----%0A

HTTP headers for verify mode

For mutual TLS in verify mode, Application Load Balancers use the following headers.

This header contains a hexadecimal representation of the leaf certificate serial number.

Example header contents:

X-Amzn-Mtls-Clientcert-Serial-Number: 03A5B1

This header contains an RFC2253 string representation of the issuer's distinguished name (DN).

Example header contents:

X-Amzn-Mtls-Clientcert-Issuer: CN=rootcamtls.com,OU=rootCA,O=mTLS,L=Seattle,ST=Washington,C=US

This header contains an RFC2253 string representation of the subject's distinguished name (DN).

Example header contents:

X-Amzn-Mtls-Clientcert-Subject: CN=client_.com,OU=client-3,O=mTLS,ST=Washington,C=US

This header contains an ISO8601 format of the notBefore and notAfter date.

Example header contents:

X-Amzn-Mtls-Clientcert-Validity: NotBefore=2023-09-21T01:50:17Z;NotAfter=2024-09-20T01:50:17Z

This header contains a URL-encoded PEM format of the leaf certificate, with +=/ as safe characters.

Example header contents:

X-Amzn-Mtls-Clientcert-Leaf: -----BEGIN%20CERTIFICATE-----%0AMIIG<...reduced...>NmrUlw%0A-----END%20CERTIFICATE-----%0A

Configuring mutual TLS on an Application Load Balancer

This section includes the procedures for configuring mutual TLS verify mode for authentication on Application Load Balancers.

To use mutual TLS passthrough mode, you only need to configure the listener to accept any certificates from clients. When you use mutual TLS passthrough, the Application Load Balancer sends the whole client certificate chain to the target using HTTP headers, which enables you to implement corresponding authentication and authorization logic in your application. For more information, see Create an HTTPS listener for your Application Load Balancer.

When you use mutual TLS in verify mode, the Application Load Balancer performs X.509 client certificate authentication for clients when a load balancer negotiates TLS connections.

To utilize mutual TLS verify mode, perform the following:

  • Create a new trust store resource.

  • Upload your certificate authority (CA) bundle and, optionally, revocation lists.

  • Attach the trust store to the listener that is configured to verify client certificates.

Follow the procedures in this section to configure mutual TLS verify mode on your Application Load Balancer in the Amazon Web Services Management Console. To configure mutual TLS by using API operations instead of the console, see the Application Load Balancer API Reference Guide.

Create a trust store

There are three ways that you can create a trust store: when you create an Application Load Balancer, when you create a secure listener, and by using the Trust Store console. When you add a trust store when you create a load balancer or listener, the trust store is automatically associated with the new listener. When you create a trust store by using the Trust Store console, you must associate it with a listener yourself.

This section covers creating a trust store using the Trust Store console, but the steps used while creating an Application Load Balancer or listener are the same. For more info, see Configure a load balancer and a listener and Add an HTTPS listener.

Prerequisites:
  • To create a trust store, you must have a certificate bundle from your Certificate Authority (CA).

To create a trust store using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. On the navigation pane, choose Trust Stores.

  3. Select Create trust store.

  4. Trust store configuration

    1. For Trust store name enter a name for your trust store.

    2. For Certificate authority bundle enter the Amazon S3 path to the ca certificate bundle you want your trust store to use.

      Optional: Use Object version to select a previous version of the ca certificate bundle. Otherwise the current version is used.

  5. For Revocations you can optionally add a certificate revocation list to your trust store.

    1. Under Certificate revocation list enter the Amazon S3 path to the certificate revocation list you want your trust store to use.

      Optional: Use Object version to select a previous version of the certificate revocation list. Otherwise the current version is used.

  6. For Trust store tags you can optionally enter up to 50 tags to apply to your trust store.

  7. Select Create trust store.

Associate a trust store

After you create a trust store, you must associate it with a listener before your Application Load Balancer can begin using the trust store. You can have only one trust store associated to each of your secure listeners, but one trust store can be associated to multiple listeners.

This section covers associating a trust store to an existing listener. Alternatively, you can associate a trust store while creating an Application Load Balancer or listener. For more info, see Configure a load balancer and a listener and Add an HTTPS listener.

To associate a trust store using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. On the navigation pane, choose Load Balancers.

  3. Select the load balancer to view its details page.

  4. On the Listeners and rules tab, choose the link in the Protocol:Port column to open the details page for the secure listener.

  5. On the Security tab, choose Edit secure listener settings.

  6. (Optional) If mutual TLS is not enabled, select Mutual authentication (mTLS) under Client certificate handling and then choose Verify with trust store.

  7. Under Trust store, choose the trust store that you created.

  8. Choose Save changes.

View trust store details

CA certificate bundles

The CA certificate bundle is a required component of the trust store. It's a collection of trusted root and intermediate certificates that have been validated by a certificate authority. These validated certificates ensure the client can trust the certificate being presented is owned by the load balancer.

You can view the contents of the current CA certificate bundle in your trust store at any time.

View a CA certificate bundle
To view a CA certificate bundle using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. On the navigation pane, choose Trust Stores.

  3. Select the trust store to view the details page.

  4. Choose Actions, then Get CA bundle.

  5. Choose Share link, or Download.

Certificate revocation lists

Optionally, you can create a certificate revocation list for a trust store. Revocation lists are released by certificate authorities and contain data for certificates that have been revoked. Application Load Balancers only support certificate revocation lists in the PEM format.

When a certificate revocation list is added to a trust store, it's given a revocation ID. The revocation IDs increase for every revocation list added to the trust store, and they cannot be changed. If a certificate revocation list is deleted from a trust store, it's revocation ID is also deleted and is not reused for the life of the trust store.

Note

Application Load Balancers cannot revoke certificates that have a negative serial number, within a certificate revocation list.

View a certificate revocation list
To view a revocation list using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. On the navigation pane, choose Trust Stores.

  3. Select the trust store to view the details page.

  4. On the Certificate revocation lists tab, select Actions, then Get revocation list.

  5. Choose Share link, or Download.

Modify a trust store

A trust store can only contain one CA certificate bundle at a time, but you can replace the CA certificate bundle at any time after the trust store is created.

Replace a CA certificate bundle

To replace a CA certificate bundle using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. On the navigation pane, choose Trust Stores.

  3. Select the trust store to view the details page.

  4. Choose Actions, then Replace CA bundle.

  5. On the Replace CA bundle page, under Certificate authority bundle enter the Amazon S3 location of the desired CA bundle.

  6. (Optional) Use Object version to select a previous version of the certificate revocation list. Otherwise the current version is used.

  7. Select Replace CA bundle.

Add a certificate revocation list

To add a revocation list using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. On the navigation pane, choose Trust Stores.

  3. Select the trust store to view it's details page.

  4. On the Certificate revocation lists tab, select Actions, then Add revocation list.

  5. On the Add revocation list page, under Certificate revocation list enter the Amazon S3 location of the desired certificate revocation list

  6. (Optional) Use Object version to select a previous version of the certificate revocation list. Otherwise the current version is used.

  7. Select Add revocation list

Delete a certificate revocation list

To delete a revocation list using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. On the navigation pane, choose Trust Stores.

  3. Select the trust store to view the details page.

  4. On the Certificate revocation lists tab, select Actions, then Delete revocation list.

  5. Confirm the deletion by typing confirm.

  6. Select Delete.

Delete a trust store

When you no longer have use for a trust store, you can delete it.

Note: You cannot delete a trust store that is currently associated with a listener.

To delete a trust store using the console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. On the navigation pane, choose Trust Stores.

  3. Select the trust store to view it's details page.

  4. Choose Actions, then Delete trust store.

  5. Confirm the deletion by typing confirm.

  6. Select Delete

Connection logs for Application Load Balancers

Elastic Load Balancing provides connection logs that capture attributes about the requests sent to your Application Load Balancers. Connection logs contain information such as the client IP address and port, client certificate information, connection results, and TLS ciphers being used. These connection logs can then be used to review request patterns, and other trends.

To learn more about connection logs, see Connection logs for your Application Load Balancer