Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Use a non AWS issued certificate for API Gateway with mTLS

0

Hello

I want to use an imported certificate for TLS for my custom domain in API Gateway, and enable mTLS The environment is all configured with Terraform I've imported the certificate into ACM (Publically trusted cert), but i can't enable mTLS without using a OwnershipVerificationCertificate, which it seems can only be issued by AWS

Why is this needed only when mTLS is selected, it doesn't seem to have any bearing on domain ownership if we use mTLS or not? Can you not use the pubicaly trusted certificate imported into ACM, as that is already proof that we control the domain

The issue for us, is this will then put a manual step in to renew this OwnershipVerificationCertificate certificate, which of course will need to be monitored for expiry (the imported certs use ACME to renew, so can be automated)

Hopefully i'm not understanding this fully, else it seems unnecessarily complex

Temas
Sin servidorWeb y móvil front-endRedes y entrega de contenidoSeguridad, identidad y cumplimiento
Etiquetas
Amazon API GatewayAWS Certificate Manager
Idioma
English
David King
preguntada hace 3 meses211 visualizaciones
6 Respuestas
0

Hello,

Check the following links for more details - https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-mutual-tls.html https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html

Thanks

Abhinav Chauhan
respondido hace 3 meses
0

Thank you for the link, but i'm afraid that doesn't answer my question

Can we answer why this is needed? and if we are able to use our imported public certificate as the OwnershipVerificationCertificate

David King
respondido hace 3 meses
0

Hello,

API Gateway mandates the provision of an "ownership verification certificate" alongside the server certificate. This certificate is exclusively utilized to confirm domain ownership and isn't involved in the TLS handshake process. This certificate must be issued by an AWS-trusted certificate authority such as ACM. Even if a publicly-trusted certificate is employed for the server, API Gateway requires the ownership certificate to validate domain control. It's important to note that the ownership certificate is distinct from the server/client certificates utilized in the TLS handshake and is solely utilized to demonstrate domain ownership to API Gateway.

I hope this one provides more clarity to you

Thanks

Abhinav Chauhan
respondido hace 3 meses
0

Thanks for responding

Just to confirm, when you say "This certificate must be issued by an AWS-trusted certificate authority such as ACM", that i'm able to use an imported (i.e. not issued by ACM) a publicly trusted certificate to ACM for the "ownership verification certificate"? but it can't be the same cert as the one used for TLS?

I've tried doing this, but still getting the following error: "BadRequestException: Invalid ownershipVerificationCertificate. OwnershipVerificationCertificate should be a public ACM certificate."

Is this a problem with the cert i'm trying to import?

Thanks

David King
respondido hace 3 meses
0

I'd also be interested to know why the "ownership verification certificate" is only required when mTLS is enabled, i don't understand why mTLS would require the domain be validated

David King
respondido hace 3 meses
0

Would anyone be able to help with this?

Thanks David

David King
respondido hace 3 meses

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante