Use a non AWS issued certificate for API Gateway with mTLS

Thank you for the link, but i'm afraid that doesn't answer my question

Can we answer why this is needed? and if we are able to use our imported public certificate as the OwnershipVerificationCertificate

Hello,

API Gateway mandates the provision of an "ownership verification certificate" alongside the server certificate. This certificate is exclusively utilized to confirm domain ownership and isn't involved in the TLS handshake process. This certificate must be issued by an AWS-trusted certificate authority such as ACM. Even if a publicly-trusted certificate is employed for the server, API Gateway requires the ownership certificate to validate domain control. It's important to note that the ownership certificate is distinct from the server/client certificates utilized in the TLS handshake and is solely utilized to demonstrate domain ownership to API Gateway.

I hope this one provides more clarity to you

Thanks

Thanks for responding

Just to confirm, when you say "This certificate must be issued by an AWS-trusted certificate authority such as ACM", that i'm able to use an imported (i.e. not issued by ACM) a publicly trusted certificate to ACM for the "ownership verification certificate"? but it can't be the same cert as the one used for TLS?

I've tried doing this, but still getting the following error: "BadRequestException: Invalid ownershipVerificationCertificate. OwnershipVerificationCertificate should be a public ACM certificate."

Is this a problem with the cert i'm trying to import?

Thanks

I'd also be interested to know why the "ownership verification certificate" is only required when mTLS is enabled, i don't understand why mTLS would require the domain be validated

Would anyone be able to help with this?

Thanks David

AWS requires the creation of an 'ownershipVerificationCertificate' in order to prove that the user of the certificate actually has management authority of the DNS domain that issued the imported certificate for the custom domain. This makes it much harder for a bad actor without domain control for a DNS domain from using a stolen certificate set to stand up false services impersonating a real site. What they mean when they refer to 'ownershipVerificationCertificate' is 'a new certificate created using the pre-existing verification workflow used by ACM for issuing private domain certificates'.

When a custom domain for which AWS is not the issuing certificate authority is specified in a Certificate Request, AWS requires that the domain be validated. The two mechanisms AWS uses for validation are either through the creation of a unique CNAME within the issuing domain (a DNS TXT record would be less difficult, and is what Google, LetsEncrypt and most other issuers ask for instead) or through an email exchange with the controller of the authoritative email account specified by the domain owner when the domain was created. So, AWS is requiring that in order to use an imported certificate that not only do you possess the certificate, but that you are able to create a new certificate or alternately, that you have access to the authoritative email accounts associated with the domain in order to prove that you're a legitimate certificate owner. The only needs to be done once, not for each imported certificate, and the new ACM certificate used to verify ownership can then be reused for each new mTLS implementation.

Hello,

Check the following links for more details - https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-mutual-tls.html https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html

Thanks