I want to configure a certificate revocation list (CRL) for mutual TLS (mTLS) in Elastic Load Balancing (ELB).
Short description
When you use mTLS in your Application Load Balancer, you can authenticate clients with certificates from a third-party certificate authority (CA), or with certificates issued by AWS Private CA. To revoke access for specific client certificates, add a certificate revocation list (CRL) to the load balancer's trust store.
Resolution
Note: For third-party certificate authorities, skip to the Upload the PEM-encoded CRL to the Amazon S3 bucket section of the following resolution.
To revoke client certificates that are issued on an AWS Private CA, complete the following steps:
Activate the CRL distribution option in the CA that issued the client certificate
To activate the CRL distribution option in the CA that issued the client certificate, complete the following steps:
- Open the AWS Private CA console.
- Select the certificate authority that issued the client certificate.
- Modify the Revocation configuration, and then turn on the CRL distribution option.
- To attach the required access policy, either create a new Amazon Simple Storage Service (Amazon S3) bucket or use an existing Amazon S3 bucket.
- Confirm that the acm-pca-permission-test file was created in your Amazon S3 bucket. It's a text file that states: This is a test file to check the access permissions of the bucket.
Revoke the certificates
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
To revoke access from a client certificate, complete the following steps:
- Locate and note the client certificate serial number. This serial number is used in the following steps.
openssl x509 -in client_certificate.cert -text -noout | grep -A 1 "Serial Number"
- (Optional) Locate the client certificate serial number in the leaf_client_cert_serial_number field of the Application Load Balancer connection logs.
- To revoke the certificate, use the acm-pca command:
Note: Replace example-arn-ca-issuer with the certificate authority ARN, example-cert-sn with the certificate serial number, and example-reason with your revocation reason.
aws acm-pca revoke-certificate \
--certificate-authority-arn <example-arn-ca-issuer> \
--certificate-serial <example-cert-sn> \
--revocation-reason "example-reason"
- Repeat the preceding steps 2 and 3 for all client certificates for which you want to revoke access.
Note: It takes up to 30 minutes for AWS Private CA to update the CRL in your Amazon S3 bucket after a certificate is revoked.
Convert the generated CRL
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
To convert the generated CRL, complete the following steps:
- Open the Amazon S3 console.
- Download the CRL file from the Amazon S3 bucket that was previously configured for the CA. Or, use the AWS CLI to list the bucket contents and download the CRL file to your working directory:
Note: Replace example-bucket with your Amazon S3 bucket and example-crl-file with the CRL file.
aws s3 ls s3://<example-bucket>/crl/
aws s3 cp s3://<example-bucket>/crl/<example-crl-file>.crl ./revoke_list.crl
- Convert the encoding of the downloaded CRL file from DER to PEM:
openssl crl -in revoke_list.crl -inform DER -out revoked_list_in_pem.crl
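The two checks a practitioner wants before uploading are that the file really is PEM and that the serial you revoked in the previous section is actually listed in it. The following added example (not from the original article or from AWS) does both in pure Python: it performs the same DER-to-PEM re-encoding as the openssl command, walks the CertificateList structure to extract the revoked serial numbers, and accepts the colon-separated serial that openssl x509 -text prints. The sample CRL it parses is constructed in the block and is unsigned; signature verification is left to the load balancer and openssl.

```python
import base64

def tlv(tag: int, body: bytes) -> bytes:
    """One DER tag-length-value element (short or long-form length); used to build the sample."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body

def _elements(buf: bytes):
    """Yield (tag, value) for each DER element in buf, decoding long-form lengths."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                                   # long form: (n & 0x7F) length bytes follow
            k, i = n & 0x7F, i + (n & 0x7F)
            n = int.from_bytes(buf[i - k:i], "big")
        yield tag, buf[i:i + n]
        i += n

def der_to_pem(der: bytes) -> str:
    """Same re-encoding as `openssl crl -inform DER -out ...`: base64 in 64-column lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN X509 CRL-----\n{body}\n-----END X509 CRL-----\n"

def revoked_serials(crl: bytes) -> set:
    """Serial numbers listed in a DER or PEM CRL. The CRL signature is NOT verified here."""
    if crl.lstrip().startswith(b"-----BEGIN"):        # PEM: drop armor lines, base64-decode
        crl = base64.b64decode(b"".join(l for l in crl.splitlines() if not l.startswith(b"-----")))
    tbs = next(_elements(next(_elements(crl))[1]))[1]  # CertificateList -> tbsCertList
    fields = list(_elements(tbs))
    i = 3 if fields[0][0] == 0x02 else 2               # skip optional version, signature alg, issuer
    while i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                                         # thisUpdate, optional nextUpdate
    if i == len(fields) or fields[i][0] != 0x30:
        return set()                                   # no revokedCertificates: nothing revoked
    return {int.from_bytes(next(_elements(e))[1], "big") for _, e in _elements(fields[i][1])}

def crl_lists_serial(crl: bytes, openssl_serial: str) -> bool:
    """Check the colon-separated hex that `openssl x509 -text` prints under 'Serial Number'."""
    return int(openssl_serial.replace(":", "").strip(), 16) in revoked_serials(crl)

def build_sample_crl(serials) -> bytes:  # constructed, UNSIGNED sample; not AWS Private CA output
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Example CA"))))
    when = tlv(0x17, b"240101000000Z")
    entries = b"".join(tlv(0x30, tlv(0x02, s.to_bytes((s.bit_length() + 8) // 8, "big")) + when) for s in serials)
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + issuer + when + when + tlv(0x30, entries))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))  # placeholder signature BIT STRING
```

To check a real downloaded file, read revoke_list.crl or revoked_list_in_pem.crl as bytes and pass it to crl_lists_serial together with the serial noted in the revoke step; both encodings are accepted.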
Upload the PEM-encoded CRL to the Amazon S3 bucket
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
To upload the PEM-encoded CRL to the Amazon S3 bucket, complete the following steps:
- Open the Amazon S3 console.
- Upload the PEM-encoded CRL file to your Amazon S3 bucket. Or, use the AWS CLI to upload the CRL file from your working directory to the bucket:
Note: Replace example-bucket with your Amazon S3 bucket.
aws s3 cp revoked_list_in_pem.crl s3://<example-bucket>/crl/revoked_list_in_pem.crl
Update the load balancing trust store revocation list with the CRL
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
To update the load balancing trust store with the CRL, complete the following steps:
- Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
- Navigate to Trust Stores, and then choose the trust store that you want to update.
- To add the revocation list, provide the Amazon S3 bucket URL of the CRL file that you want to add. Or, use the elbv2 command to add the revocation list to the trust store:
Note: Replace example-trust-store-arn with the ARN of the trust store and example-bucket with the Amazon S3 bucket. The S3Key is the object key without a leading slash, matching the path used in the upload step.
aws elbv2 add-trust-store-revocations \
--trust-store-arn <example-trust-store-arn> \
--revocation-contents S3Bucket=<example-bucket>,S3Key=crl/revoked_list_in_pem.crl,RevocationType=CRL
- To confirm that the CRL was applied, review the command output and check that the number of revoked entries increased.
When a certificate revocation list is added to a trust store, it's given a revocation ID. The revocation IDs increase for every revocation list added to the trust store, and they can't be changed. If a certificate revocation list is deleted, then the revocation ID is also deleted and isn't reused for the life of the trust store.
Related information
Updating a CA's revocation configuration (console)
revoke-certificate
Revoking a private certificate
add-trust-store-revocations