Use a non AWS issued certificate for API Gateway with mTLS

0

Hello

I want to use an imported certificate for TLS for my custom domain in API Gateway, and enable mTLS. The environment is all configured with Terraform. I've imported the certificate into ACM (publicly trusted cert), but I can't enable mTLS without using an OwnershipVerificationCertificate, which it seems can only be issued by AWS.

Why is this needed only when mTLS is selected? It doesn't seem to have any bearing on domain ownership whether we use mTLS or not. Can you not use the publicly trusted certificate imported into ACM, as that is already proof that we control the domain?

The issue for us is that this will then put a manual step in to renew this OwnershipVerificationCertificate, which of course will need to be monitored for expiry (the imported certs use ACME to renew, so can be automated).

Hopefully I'm not understanding this fully, else it seems unnecessarily complex.

7 Answers
0

Thank you for the link, but I'm afraid that doesn't answer my question.

Can we answer why this is needed? And whether we are able to use our imported public certificate as the OwnershipVerificationCertificate?

answered 3 months ago
0

Hello,

API Gateway mandates the provision of an "ownership verification certificate" alongside the server certificate. This certificate is exclusively utilized to confirm domain ownership and isn't involved in the TLS handshake process. This certificate must be issued by an AWS-trusted certificate authority such as ACM. Even if a publicly-trusted certificate is employed for the server, API Gateway requires the ownership certificate to validate domain control. It's important to note that the ownership certificate is distinct from the server/client certificates utilized in the TLS handshake and is solely utilized to demonstrate domain ownership to API Gateway.

I hope this one provides more clarity to you.

Thanks

answered 3 months ago
0

Thanks for responding

Just to confirm, when you say "This certificate must be issued by an AWS-trusted certificate authority such as ACM", does that mean I'm able to import a publicly trusted certificate (i.e. not issued by ACM) into ACM and use it as the "ownership verification certificate"? But it can't be the same cert as the one used for TLS?

I've tried doing this, but still getting the following error: "BadRequestException: Invalid ownershipVerificationCertificate. OwnershipVerificationCertificate should be a public ACM certificate."

Is this a problem with the cert I'm trying to import?

Thanks

answered 3 months ago
0

I'd also be interested to know why the "ownership verification certificate" is only required when mTLS is enabled; I don't understand why mTLS would require the domain to be validated.

answered 3 months ago
0

Would anyone be able to help with this?

Thanks, David

answered 3 months ago
0

AWS requires the creation of an 'ownershipVerificationCertificate' in order to prove that the user of the certificate actually has management authority of the DNS domain that issued the imported certificate for the custom domain. This makes it much harder for a bad actor without domain control for a DNS domain to use a stolen certificate set to stand up false services impersonating a real site. What they mean when they refer to 'ownershipVerificationCertificate' is 'a new certificate created using the pre-existing verification workflow used by ACM for issuing private domain certificates'.

When a custom domain for which AWS is not the issuing certificate authority is specified in a Certificate Request, AWS requires that the domain be validated. The two mechanisms AWS uses for validation are either through the creation of a unique CNAME within the issuing domain (a DNS TXT record would be less difficult, and is what Google, LetsEncrypt and most other issuers ask for instead) or through an email exchange with the controller of the authoritative email account specified by the domain owner when the domain was created. So, AWS is requiring that in order to use an imported certificate, not only do you possess the certificate, but you are able to create a new certificate or, alternately, you have access to the authoritative email accounts associated with the domain, in order to prove that you're a legitimate certificate owner. This only needs to be done once, not for each imported certificate, and the new ACM certificate used to verify ownership can then be reused for each new mTLS implementation.

answered 12 days ago
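The two-certificate setup the last answer describes, written out in Terraform as an added example (it is not from the thread, from AWS, or from the asker's own configuration). The hosted zone `example.com`, the certificate file paths and the truststore bucket are assumed placeholders; the imported certificate serves TLS, while a separate DNS-validated ACM certificate satisfies the ownership check.

```hcl
# Added example; zone, file paths and bucket name are placeholders.
# 1. Server certificate: imported into ACM, renewed outside AWS (e.g. via ACME).
resource "aws_acm_certificate" "server" {
  certificate_body  = file("certs/api.example.com.crt")
  private_key       = file("certs/api.example.com.key")
  certificate_chain = file("certs/chain.pem")
}

# 2. Ownership verification certificate: ACM-issued and DNS validated. It never
#    takes part in the TLS handshake; it only proves control of the domain.
#    ACM renews it automatically while the validation CNAME stays in place.
data "aws_route53_zone" "zone" {
  name = "example.com."
}

resource "aws_acm_certificate" "ownership" {
  domain_name       = "api.example.com"
  validation_method = "DNS"
}

resource "aws_route53_record" "ownership_validation" {
  for_each = { for dvo in aws_acm_certificate.ownership.domain_validation_options : dvo.domain_name => dvo }
  zone_id  = data.aws_route53_zone.zone.zone_id
  name     = each.value.resource_record_name
  type     = each.value.resource_record_type
  ttl      = 60
  records  = [each.value.resource_record_value]
}

resource "aws_acm_certificate_validation" "ownership" {
  certificate_arn         = aws_acm_certificate.ownership.arn
  validation_record_fqdns = [for r in aws_route53_record.ownership_validation : r.fqdn]
}

# 3. Regional custom domain with mTLS: the imported cert terminates TLS, the
#    ACM-issued cert is passed as the ownership verification certificate, and
#    the S3 truststore holds the client CA(s) API Gateway will accept.
resource "aws_api_gateway_domain_name" "api" {
  domain_name              = "api.example.com"
  regional_certificate_arn = aws_acm_certificate.server.arn
  security_policy          = "TLS_1_2"
  endpoint_configuration { types = ["REGIONAL"] }

  mutual_tls_authentication {
    truststore_uri = "s3://example-truststore-bucket/truststore.pem"
  }

  ownership_verification_certificate_arn = aws_acm_certificate_validation.ownership.certificate_arn
}
```

The ownership certificate resource can be shared by every mTLS custom domain under the same name, so the manual renewal step the question worries about does not arise as long as the validation record is kept.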
