How can I use a client certificate issued by a third party when configuring mutual TLS authentication for API Gateway APIs?
Last updated: 2022-12-16
I want to use a client certificate issued by a third party when configuring mutual Transport Layer Security (TLS) authentication for Amazon API Gateway APIs.
Resolution
To use a third-party signed client certificate for API Gateway with TLS authentication, follow these steps:
- Create a truststore to use the third-party signed certificate.
- Create a custom domain name and API mapping for your API Gateway API.
- Create a DNS record to map the custom domain name to API Gateway.
- Disable the default endpoint.
- Test the API.
Note:
- If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
- Mutual TLS isn't supported for private APIs.
Create a truststore to use the third-party signed certificate
1. Generate a RootCA. The RootCA is used to issue the client certificate.
openssl genrsa -out RootCA.key 4096
openssl req -new -x509 -days 3650 -key RootCA.key -out RootCA.pem
2. Answer the prompts for the subject fields. At a minimum, enter a Common Name that identifies the CA (for example, your organization's domain name).
3. Create a client certificate private key, certificate signing request (CSR), and client certificate.
openssl genrsa -out my_client.key 2048
openssl req -new -key my_client.key -out my_client.csr
4. Sign the client certificate using the CA that you created previously.
openssl x509 -req -in my_client.csr -CA RootCA.pem -CAkey RootCA.key -set_serial 01 -out my_client.pem -days 3650 -sha256
5. Create an Amazon Simple Storage Service (Amazon S3) bucket to store the truststore.pem file.
6. Upload RootCA.pem to the Amazon S3 bucket as the truststore object (for example, truststore.pem). Only CA certificates go in the truststore, never the client certificate or any private key.
7. (Optional) If the client certificate is issued by an intermediate CA, create a certificate chain file that lists the intermediate CA certificate first and the root CA certificate last, and upload the chain file as the truststore instead of RootCA.pem alone:
cat Intermediate.pem RootCA.pem > ca-chain.pem
For more information, see Configuring your truststore.
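The following script is an added example and isn't part of the AWS article. It runs steps 1 through 7 non-interactively (the -subj option replaces the prompts), adds the optional intermediate CA so the chain-file case is covered, and then verifies the client certificate against the finished truststore.pem before you upload it, which catches a wrong chain order or a missing CA extension locally instead of as an HTTP 403 from API Gateway. The subject names, serial numbers, and file names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the AWS article): build RootCA, an intermediate CA,
# and a client certificate, write truststore.pem in the order API Gateway
# expects (intermediate first, root last), and verify the result locally.
# Subject names, serials and file names below are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Root CA that anchors the truststore (step 1, non-interactive).
make_root_ca() {
    openssl genrsa -out "$WORKDIR/RootCA.key" 4096 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 \
        -key "$WORKDIR/RootCA.key" \
        -subj "/CN=Example Root CA/O=Example Org" \
        -out "$WORKDIR/RootCA.pem"
}

# Intermediate CA signed by the root (the optional step 7 case).
make_intermediate_ca() {
    openssl genrsa -out "$WORKDIR/Intermediate.key" 4096 2>/dev/null
    openssl req -new -sha256 -key "$WORKDIR/Intermediate.key" \
        -subj "/CN=Example Intermediate CA/O=Example Org" \
        -out "$WORKDIR/Intermediate.csr"
    # Without basicConstraints CA:TRUE the intermediate is not a valid CA
    # and chain validation fails with "invalid CA certificate".
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORKDIR/intermediate.ext"
    openssl x509 -req -in "$WORKDIR/Intermediate.csr" \
        -CA "$WORKDIR/RootCA.pem" -CAkey "$WORKDIR/RootCA.key" \
        -set_serial 1000 -days 1825 -sha256 \
        -extfile "$WORKDIR/intermediate.ext" \
        -out "$WORKDIR/Intermediate.pem"
}

# Client key, CSR and certificate (steps 3 and 4), signed by the intermediate.
make_client_cert() {
    openssl genrsa -out "$WORKDIR/my_client.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORKDIR/my_client.key" \
        -subj "/CN=my-client/O=Example Org" \
        -out "$WORKDIR/my_client.csr"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' \
        > "$WORKDIR/client.ext"
    openssl x509 -req -in "$WORKDIR/my_client.csr" \
        -CA "$WORKDIR/Intermediate.pem" -CAkey "$WORKDIR/Intermediate.key" \
        -set_serial 01 -days 365 -sha256 \
        -extfile "$WORKDIR/client.ext" \
        -out "$WORKDIR/my_client.pem"
}

# Truststore for S3: intermediate CA certificate(s) first, root CA last.
# CA certificates only; the client certificate and keys never go here.
build_truststore() {
    cat "$WORKDIR/Intermediate.pem" "$WORKDIR/RootCA.pem" > "$WORKDIR/truststore.pem"
}

# Succeeds only if the client certificate chains to the truststore and the
# private key really belongs to it (the two things curl --key/--cert need).
verify_client() {
    openssl verify -CAfile "$WORKDIR/truststore.pem" "$WORKDIR/my_client.pem" >/dev/null
    cert_pub=$(openssl x509 -in "$WORKDIR/my_client.pem" -pubkey -noout)
    key_pub=$(openssl pkey -in "$WORKDIR/my_client.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Number of CA certificates in the truststore (2 for intermediate + root).
truststore_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$WORKDIR/truststore.pem"
}

make_root_ca
make_intermediate_ca
make_client_cert
build_truststore
verify_client && echo "client certificate verifies against $WORKDIR/truststore.pem"
```

If verify_client fails, fix the chain before uploading: the most common causes are the root and intermediate in the wrong order, an intermediate issued without CA:TRUE, or a key that doesn't match the certificate.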
Create a custom domain name and API mapping for your API Gateway API
Note: Only AWS Certificate Manager (ACM) certificates with an RSA 2048-bit key are listed for selection in the API Gateway console. Certificates with a key larger than 2048 bits aren't supported for the custom domain name.
1. Open the API Gateway console, and then choose Custom domain names.
2. Choose Create.
3. For Domain name, enter your domain name.
4. For Minimum TLS version, choose TLS 1.2.
5. Enable Mutual TLS authentication.
6. For Truststore URI, enter the Amazon S3 URI of the truststore object that you uploaded earlier (for example, s3://bucket-name/truststore.pem).
7. For Endpoint configuration, choose Regional.
8. For Certificate type, choose your certificate type, select the ACM certificate for the domain, and then choose Create domain name.
9. Choose your custom domain name, and then choose Configure API mappings.
10. Choose Add new mapping.
11. Choose the API, Stage, and Path for the mapping, and then choose Save.
For more information, see How can I set up a custom domain name for my API Gateway API?
Create a DNS record to map the custom domain name to API Gateway
Create a DNS record to point the custom domain name to the API Gateway Regional domain name. This allows the traffic that's bound to the custom domain name to be routed to the API's Regional hostname. The DNS record can be the CNAME or "A Alias" type.
For more information, see Configuring Route 53 to route traffic to an API Gateway endpoint.
Disable the default endpoint
By default, clients can invoke APIs using the execute-api endpoint that API Gateway generates for your API. Disable the default execute-api endpoint so that clients can access your API using only a custom domain name.
For HTTP APIs, see Disabling the default endpoint for an HTTP API.
For REST APIs, see Disabling the default endpoint for a REST API.
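The AWS CLI equivalent of the three preceding sections (create the mutual TLS custom domain name and API mapping, look up the Regional target for the DNS record, and disable the default endpoint) is shown below as an added example that isn't part of the AWS article. The domain name, certificate ARN, S3 URI, API ID, and stage are placeholders to replace with your own values; the commands and parameters are the AWS CLI's own. Setting AWS=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the AWS article): AWS CLI steps to put a REST API
# behind a mutual TLS custom domain name. All identifiers are placeholders.
set -eu

AWS="${AWS:-aws}"                 # set AWS=echo to print commands only
DOMAIN="${DOMAIN:-api.example.com}"
CERT_ARN="${CERT_ARN:-arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555}"
TRUSTSTORE_URI="${TRUSTSTORE_URI:-s3://example-truststore-bucket/truststore.pem}"
REST_API_ID="${REST_API_ID:-abcde12345}"
STAGE="${STAGE:-prod}"

# Regional custom domain name with mutual TLS enabled and TLS 1.2 minimum.
# truststoreVersion pins the S3 object version so a later upload to the same
# key can't silently change which CAs are trusted; leave TRUSTSTORE_VERSION
# unset if bucket versioning is off.
create_mtls_domain() {
    "$AWS" apigateway create-domain-name \
        --domain-name "$DOMAIN" \
        --regional-certificate-arn "$CERT_ARN" \
        --endpoint-configuration types=REGIONAL \
        --security-policy TLS_1_2 \
        --mutual-tls-authentication "truststoreUri=$TRUSTSTORE_URI${TRUSTSTORE_VERSION:+,truststoreVersion=$TRUSTSTORE_VERSION}"
}

# Map the API stage to the root path of the custom domain name.
create_api_mapping() {
    "$AWS" apigateway create-base-path-mapping \
        --domain-name "$DOMAIN" \
        --rest-api-id "$REST_API_ID" \
        --stage "$STAGE"
}

# Regional domain name to use as the CNAME or alias target in DNS.
regional_target() {
    "$AWS" apigateway get-domain-name --domain-name "$DOMAIN" \
        --query regionalDomainName --output text
}

# Turn off the execute-api endpoint so the API is reachable only through
# the mutual TLS domain (otherwise clients can bypass mTLS entirely).
disable_default_endpoint_rest() {
    "$AWS" apigateway update-rest-api \
        --rest-api-id "$REST_API_ID" \
        --patch-operations op=replace,path=/disableExecuteApiEndpoint,value=True
}

# Same for an HTTP API (apigatewayv2), given its API ID.
disable_default_endpoint_http() {
    "$AWS" apigatewayv2 update-api --api-id "$1" --disable-execute-api-endpoint
}

# Run the full sequence only when invoked as: sh mtls-domain.sh apply
if [ "${1:-}" = "apply" ]; then
    create_mtls_domain
    create_api_mapping
    disable_default_endpoint_rest
    echo "Point $DOMAIN at: $(regional_target)"
fi
```

Disabling the default endpoint is what makes the truststore meaningful: until it's off, a caller can skip the custom domain and the mutual TLS requirement with it by invoking the execute-api hostname directly.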
Test the API
Test the API with the --key and --cert parameters to send the client certificate as part of the request.
$ curl -v https://{YourCustomDomainName}/{resource} --key my_client.key --cert my_client.pem
Note: Both the private key my_client.key and the client certificate my_client.pem must be included for a successful request. A request that omits the certificate, or presents one that doesn't chain to a CA in the truststore, is rejected by API Gateway with an HTTP 403 Forbidden response.
Related information
How can I troubleshoot certificate chain and self-signed certificate issues for Amazon API Gateway with custom domains and mutual TLS enabled?
Introducing mutual TLS authentication for Amazon API Gateway
How do I troubleshoot HTTP 403 Forbidden errors from an API Gateway custom domain name that requires mutual TLS?