0
votes

I am trying to test API Gateway certificates locally to provide a proof of concept with no luck.

I have created a localhost IIS server and configured it using the following help pages (provided by the AWS support team):

In a nutshell, my IIS is set up to use a test website that has

  • Anonymous access disabled
  • SSL settings set to required
  • Configuration editor configured to contain iisClientCertificateMappingAuthentication (as per above document)
  • The site itself is set up to use a server certificate of the built-in IIS Express Development Certificate

Attempting to access the site directly gives me the expected result of:

I then generate a new certificate from our API Gateway.

I save this certificate's key (copy / paste) to a .cer file (I have also tried .pem and .crt files).

I then try calling the same https://localhost:8000 passing the certificate via the following applications:

  • Postman
  • Fiddler
  • cURL

All unsuccessful - the results I get from Postman are:

NOTE: I've since learnt this error is driven by the fact that the Postman native app requires both a CRT file and a KEY file for certificates (API Gateway only gives me the CRT file).

Command and result from cURL is:

curl --cert 'C:.pemPath' https://localhost:8000

  • A positional parameter cannot be found that accepts argument 'C:.pemPath'.

Some reference pages that I've used for help to date (there are a few more not added):

Anyone got some ideas?

1
Create your own cert and key, for testing. API Gateway keeps the private key private, to itself, so testing with the same certificate it will be using isn't possible, by design. - Michael - sqlbot
@Michael-sqlbot Thanks for the suggestion, I might have missed something however, I created a new key and certificate via OpenSSL (ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/…) I then edited my IIS configuration editor and updated the certificate entry path to the new .crt file. I then tried through Postman and still get a 403 forbidden? - Hexie
I have also since tried following this thread: datacenteroverlords.com/2012/03/01/… with the same result, constant 403 forbidden issues? - Hexie
Since I have not worked with IIS in a number of years, I don't know how it is configured... but where I think you are going off-track is that you're following tutorials for mutual auth that are targeted to a different objective. The "CA" file on the server should be the certificate provided to you by API Gateway. The certificate serves as its own authority for reasons that are simple in principle but somewhat complicated to explain. The certificate and key on the server need to be a cert you purchase from an external provider, or obtain from Let's Encrypt. - Michael - sqlbot

1 Answer

2
votes

Is testing against IIS a necessity? I've done a similar exercise recently with nginx:

1) Set up an Nginx server on an AWS EC2 instance. https://www.nginx.com/blog/setting-up-nginx/

2) Install free SSL certificates from Let's Encrypt. https://certbot.eff.org/#ubuntuxenial-nginx

ubuntu@host:~$ sudo certbot --nginx

3) Upload the AWS API Gateway generated certificate (API Gateway > Client Certificates > Copy).

4) Configure Nginx to enable client SSL authentication with ssl_client_certificate and ssl_verify_client:

ubuntu@host:/etc/nginx$ cat nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    server {
        listen 80;
        server_name your-domain.com;

        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        root /usr/share/nginx/html;
        ssl_client_certificate /home/ubuntu/client.crt; # this file should contain Client Certificate
        ssl_verify_client on;
        index index.html;
    }

    include /etc/nginx/conf.d/*.conf;
}

And this is the behavior:

# when no certificate provided (direct call to backend)
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>

# via api gateway with valid client certificate
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

# via api gateway with invalid client certificate
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
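The three outcomes above (no certificate, the trusted certificate, an untrusted one) reproduced in Go against an in-process TLS server, as an added example that is not part of the answer; a locally minted self-signed certificate stands in for the API Gateway one, and the trust pool holding exactly that certificate plays the role of `ssl_client_certificate` with `ssl_verify_client on`.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedCert mints a self-signed client cert standing in for API Gateway's (whose key never leaves AWS).
func selfSignedCert(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// mtlsStatus runs a server trusting only `trusted` as client CA (nginx ssl_client_certificate + ssl_verify_client on) and returns the HTTP status a client presenting clientCert (nil = none) receives, or 0 when the handshake is rejected.
func mtlsStatus(trusted tls.Certificate, clientCert *tls.Certificate) int {
	pool := x509.NewCertPool()
	leaf, _ := x509.ParseCertificate(trusted.Certificate[0])
	pool.AddCert(leaf) // a self-signed cert is its own trust anchor
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // already trusts the test server's own certificate
	if clientCert != nil {
		client.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{*clientCert}
	}
	if resp, err := client.Get(srv.URL); err == nil {
		resp.Body.Close()
		return resp.StatusCode
	}
	return 0 // no cert sent, or a cert not signed by the trusted CA: the two 400 cases above
}
func main() {
	gw, rogue := selfSignedCert("api-gateway-client"), selfSignedCert("rogue")
	fmt.Println(mtlsStatus(gw, nil), mtlsStatus(gw, &gw), mtlsStatus(gw, &rogue)) // 0 200 0
}
```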