AWS API Gateway gives 'More than one client certificate passed' error

0
votes

I have set up Mutual TLS authentication for my API Gateway. I then placed my client certificate in the truststore. The file contains the client certificate, intermediate and root certificates (private CA).

When accessing the API Gateway with a browser (Chrome on Windows), browser asks me to provide client certificate. I select the same certificate as I have placed in the trust store.

API Gateway reports the following in the browser:

{"message":"Invalid client certificate chain. More than one client certificate passed"}

UPDATE: I have also tried placing only intermediate and root certs in the trust store. Same error.

UPDATE 2: The same error is also reported when accessing the API with C# code (WebClient) loading the cert from Windows cert store or from disc (pfx file).

1
amazon-web-servicessslclient-certificatesamazon-api-gateway

1 Answers

0
votes

If your trust store doesn't contain all the intermediate CA certs, then the client has to send a multi-cert chain. The TLS handshake will work fine, but somewhere there is an explicit check that disallows multi-cert chains. The status code is 400, not 403(!), and you get the "More than one client certificate passed" error.

However, if you're willing to put all the intermediate CA in the API gateway trust store, then the server should not ask the client to send intermediate certs. The client should only send one cert in this case, and API gateway should work.

So something is going wrong when API gateway matches the initial client cert against the trust store, and it's not finding the intermediate. I would check these things:

  1. Make sure you use a specific version ID with the S3 link to the trust store. Otherwise it's hard to tell which version it's actually using, because the API gateway will not automatically pick up a new version as soon as you add one to S3. Maybe you're not using the trust store you think you are.

  2. Your trust store should only include CA certs -- the root cert and intermediates. You said you put the client cert in there, so maybe that's causing an issue. Try taking it out.