Wednesday 27 April 2016

Setting up client SSL/TLS authnetication / certificate with NGINX / apache for the Amazon API Gateway

The Amazon API gateway has the ability to authenticate itself to a remote (back-end) API. This comes in very handy as in order for your back-end API to work with the Amazon API gateway you will need to make your site accessible to the entire AWS netblock for your region in order for it to function correctly.

Fortunately NGINX makes this process very easy - when setting up a client certificate on NGINX we must also ensure (as usual) that the relevant server key and certificates are defined and then add the 'ssl_client_certificate' which should point to the public key provided by the Amazon API Gateway portal.
ssl_certificate      /etc/nginx/certs/server.pem;
ssl_certificate_key  /etc/nginx/certs/server.key;
ssl_client_certificate /etc/nginx/certs/ca.pem;
ssl_verify_client on;

On apache / httpd you will need something like the following:

SSLVerifyClient require
SSLCACertificateFile /etc/nginx/certs/ca.pem


Post a Comment