- Newest
- Most votes
- Most comments
It is recommended to use a Private Certificate Authority that you have control over. The ensures that only Clients that you have issued certificates to can connect to your service. Using a third party Public CA mean that ANY client that has a certificate issued by this CA will be able to connect to your service. Assuming the whole point of mtls is that you can trust the client, and know them then it must be a private CA that issued the cert.
If I'm reading this correctly, you're asking if the client certificate can be generated by a CA, not by AWS?
From the documentation: "You can use API Gateway to generate an SSL certificate and then use its public key in the backend to verify that HTTP requests to your backend system are from API Gateway."
So Client Cert is downloaded to your system, to authenticate a request from AWS API Gateway... can you dig into why you'd want a separate trusted authority?
If you're asking about a non-AWS cert, you can upload that into AWS Certificate Manager
Relevant content
- asked a year ago
- asked 2 years ago
AWS OFFICIALUpdated 5 months ago- AWS OFFICIALUpdated 6 months ago
If I understand the documentation link that you provided, this is for having the API Gateway itself provide a client certificate to some backend service though http (presumably using mTLS) ... what I am asking about is when external systems are talking to the API Gateway through mutual TLS. In this situation, it is these external systems that need to provide a client certificate to the API Gateway as documented here: https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html. As per this link, validation of the incoming client certs is via a truststore containing the appropriate CA(s) and it is these client certs that I am asking about here.
I think I'm with you now - thanks. If you want to restrict the custom API gateway domain to only your resources, make it a very tiny truststore (i.e. just your certs). If you want to let anyone ping your API gateway (think of some kind of a service provider), then you can open the truststore to any CA that you'd like. You'll want to evaluate your business case for API gateway (and all resources), in the lens of least privileges.
Can you clarify what exactly you mean by "make it a very tiny truststore (i.e. just your certs)"? As per the documentation I referenced above for setting up mTLS, you just put the relevant CA certs in the truststore ... so I can have a very 'tiny' truststore that only contains the single CA cert for some commercial CA, however, now any incoming request containing a client cert signed by that commercial CA would be allowed to pass through to my service? Can I somehow restrict it to only client certs that I have handed out from this commercial CA ... OR as I state in my original question, is the only way to do that by using self signed client certs?