Generate and configure an SSL certificate for backend authentication - Amazon API Gateway

Generate and configure an SSL certificate for backend authentication

You can use API Gateway to generate an SSL certificate and then use its public key in the backend to verify that HTTP requests to your backend system are from API Gateway. This allows your HTTP backend to control and accept only requests that originate from Amazon API Gateway, even if the backend is publicly accessible.

Note

Some backend servers might not support SSL client authentication as API Gateway does and could return an SSL certificate error. For a list of incompatible backend servers, see Amazon API Gateway important notes.

The SSL certificates that are generated by API Gateway are self-signed, and only the public key of a certificate is visible in the API Gateway console or through the APIs.

Generate a client certificate using the API Gateway console

  1. Open the API Gateway console at https://console.aws.amazon.com/apigateway/.

  2. Choose a REST API.

  3. In the main navigation pane, choose Client certificates.

  4. From the Client certificates page, choose Generate certificate.

  5. (Optional) For Description, enter a description.

  6. Choose Generate certificate to generate the certificate. API Gateway generates a new certificate and returns the new certificate GUID, along with the PEM-encoded public key.

You're now ready to configure an API to use the certificate.

Configure an API to use SSL certificates

These instructions assume that you already completed Generate a client certificate using the API Gateway console.

  1. In the API Gateway console, create or open an API for which you want to use the client certificate. Make sure that the API has been deployed to a stage.

  2. In the main navigation pane, choose Stages.

  3. In the Stage details section, choose Edit.

  4. For Client certificate, select a certificate.

  5. Choose Save changes.

    If the API has been deployed previously in the API Gateway console, you'll need to redeploy it for the changes to take effect. For more information, see Redeploy a REST API to a stage.

After a certificate is selected for the API and saved, API Gateway uses the certificate for all calls to HTTP integrations in your API.

Test invoke to verify the client certificate configuration

  1. Choose an API method. Choose the Test tab. You might need to choose the right arrow button to show the Test tab.

  2. For Client certificate, select a certificate.

  3. Choose Test.

API Gateway presents the chosen SSL certificate for the HTTP backend to authenticate the API.

Configure a backend HTTPS server to verify the client certificate

These instructions assume that you already completed Generate a client certificate using the API Gateway console and downloaded a copy of the client certificate. You can download a client certificate by calling clientcertificate:by-id of the API Gateway REST API or the get-client-certificate command of the AWS CLI.

Before configuring a backend HTTPS server to verify the client SSL certificate of API Gateway, you must have obtained the PEM-encoded private key and a server-side certificate that is provided by a trusted certificate authority.

If the server domain name is myserver.mydomain.com, the server certificate's CNAME value must be myserver.mydomain.com or *.mydomain.com.

Supported certificate authorities include Let's Encrypt and the certificate authorities that API Gateway supports for HTTP and HTTP proxy integrations.

As an example, suppose that the client certificate file is apig-cert.pem and the server private key and certificate files are server-key.pem and server-cert.pem, respectively. For a Node.js server in the backend, you can configure the server similar to the following:

    var fs = require('fs');
    var https = require('https');

    var options = {
        key: fs.readFileSync('server-key.pem'),    // server's private key
        cert: fs.readFileSync('server-cert.pem'),  // server certificate from a trusted CA
        ca: fs.readFileSync('apig-cert.pem'),      // API Gateway's public certificate is the only trusted client issuer
        requestCert: true,                         // ask the client for a certificate
        rejectUnauthorized: true                   // drop the handshake unless the client certificate matches apig-cert.pem
    };

    https.createServer(options, function (req, res) {
        res.writeHead(200);
        res.end("hello world\n");
    }).listen(443);

For a node-express app, you can use the client-certificate-auth module to authenticate client requests with PEM-encoded certificates.

For other HTTPS servers, see the documentation for the server.

Rotate an expiring client certificate

The client certificate generated by API Gateway is valid for 365 days. You must rotate the certificate before the client certificate on an API stage expires to avoid any downtime for the API. You can check the expiration date of a certificate by calling clientCertificate:by-id of the API Gateway REST API or the get-client-certificate AWS CLI command and inspecting the returned expirationDate property.

To rotate a client certificate, do the following:

  1. Generate a new client certificate by calling clientcertificate:generate of the API Gateway REST API or the generate-client-certificate AWS CLI command. In this tutorial, we assume that the new client certificate ID is ndiqef.

  2. Update the backend server to include the new client certificate. Don't remove the existing client certificate yet.

    Some servers might require a restart to finish the update. Consult the server documentation to see if you must restart the server during the update.

  3. Update the API stage to use the new client certificate by calling stage:update of the API Gateway REST API, with the new client certificate ID (ndiqef):

    PATCH /restapis/{restapi-id}/stages/stage1 HTTP/1.1
    Content-Type: application/json
    Host: apigateway.us-east-1.amazonaws.com
    X-Amz-Date: 20170603T200400Z
    Authorization: AWS4-HMAC-SHA256 Credential=...

    {
      "patchOperations" : [
        {
          "op" : "replace",
          "path" : "/clientCertificateId",
          "value" : "ndiqef"
        }
      ]
    }

    or by calling the update-stage CLI command.

  4. Update the backend server to remove the old certificate.

  5. Delete the old certificate from API Gateway by calling clientcertificate:delete of the API Gateway REST API, specifying the clientCertificateId (a1b2c3) of the old certificate:

    DELETE /clientcertificates/a1b2c3

    or by calling the delete-client-certificate CLI command:

    aws apigateway delete-client-certificate --client-certificate-id a1b2c3

To rotate a client certificate in the console for a previously deployed API, do the following:

  1. In the main navigation pane, choose Client certificates.

  2. From the Client certificates pane, choose Generate certificate.

  3. Open the API for which you want to use the client certificate.

  4. Choose Stages under the selected API and then choose a stage.

  5. In the Stage details section, choose Edit.

  6. For Client certificate, select the new certificate.

  7. To save the settings, choose Save changes.

    You need to redeploy the API for the changes to take effect. For more information, see Redeploy a REST API to a stage.