Amazon API Gateway
Developer Guide

Use Client-Side SSL Certificates for Authentication by the Back End

You can use API Gateway to generate an SSL certificate and use its public key in the back end to verify that HTTP requests to your back-end system are from API Gateway. This allows your HTTP back end to control and accept only requests originating from Amazon API Gateway, even if the back end is publicly accessible.

Note

Some back-end servers may not support SSL client authentication as API Gateway does and could return an SSL certificate error. For a list of incompatible back ends, see Known Issues.

The API Gateway-generated SSL certificates are self-signed and only the public key of a certificate is visible in the API Gateway console or through the APIs.

Generate a Client Certificate Using the API Gateway Console

  1. In the main navigation pane, choose Client Certificates.

  2. From the Client Certificates pane, choose Generate Client Certificate.

  3. Optionally, for Edit, choose to add a descriptive title for the generated certificate and choose Save to save the description. API Gateway generates a new certificate and returns the new certificate GUID, along with the PEM-encoded public key.

    
     [Figure: Create client-side SSL Certificate in API Gateway]

You are now ready to configure an API to use the certificate.

Configure an API to Use SSL Certificates

These instructions assume you have already completed Generate a Client Certificate Using the API Gateway Console.

  1. In the API Gateway console, create or open an API for which you want to use the client certificate. Make sure the API has been deployed to a stage.

  2. Choose Stages under the selected API and then choose a stage.

  3. In the Stage Editor panel, select a certificate under the Client Certificate section.

  4. To save the settings, choose Save Changes.

    
     [Figure: Configure client-side SSL Certificate for an API in API Gateway]

After a certificate is selected for the API and saved, API Gateway will use the certificate for all calls to HTTP integrations in your API.

Test Invoke

  1. Choose an API method. In Client, choose Test.

  2. From Client Certificate, choose Test to invoke the method request.

    
     [Figure: Test API authentication using client-side SSL Certificate in API Gateway]

API Gateway will present the chosen SSL certificate for the HTTP back end to authenticate the API.

Configure Back End to Authenticate API

These instructions assume you have already completed Generate a Client Certificate Using the API Gateway Console and Configure an API to Use SSL Certificates.

When receiving HTTPS requests from API Gateway, your back end can authenticate your API using the PEM-encoded certificate generated by API Gateway, provided that the back end is properly configured. Most Web servers can be easily configured to do so.

For example, in Node.js you can use the HTTPS module to create an HTTPS back end and use the client-certificate-auth module to authenticate client requests with PEM-encoded certificates. For more information, see HTTPS on the Nodejs.org website and client-certificate-auth on the https://www.npmjs.com/ website.
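The following is an added example, not code from this guide or from the client-certificate-auth module: a Node.js HTTPS back end that uses only the built-in https options to require the API Gateway client certificate during the TLS handshake, then re-checks the peer certificate's SHA-256 fingerprint on every request. The function names, file paths and port are assumptions made for the example.

```javascript
// Added example: names, paths and port below are assumptions, not AWS code.
const https = require('https');
const fs = require('fs');
const crypto = require('crypto');

// SHA-256 fingerprint of a PEM certificate, in Node's "AA:BB:..." form.
function fingerprintOf(pem) {
  return new crypto.X509Certificate(pem).fingerprint256;
}

// TLS options that make the handshake itself reject any client that does not
// present the API Gateway certificate. The certificate is self-signed, so it
// is listed as its own trust anchor in `ca`.
function tlsOptions(serverKeyPem, serverCertPem, apiGatewayCertPem) {
  return {
    key: serverKeyPem,
    cert: serverCertPem,
    ca: [apiGatewayCertPem],
    requestCert: true,        // ask every client for a certificate
    rejectUnauthorized: true, // fail the handshake if it is missing or untrusted
  };
}

// Request-time check: the socket must be authorized and the peer certificate
// must match the pinned fingerprint, even if more CAs are later added to `ca`.
function isFromApiGateway(socket, pinnedFingerprint) {
  if (!socket || socket.authorized !== true) return false;
  const peer = socket.getPeerCertificate(); // {} when no certificate was sent
  return Boolean(peer && peer.fingerprint256) &&
    peer.fingerprint256.toUpperCase() === pinnedFingerprint.toUpperCase();
}

function makeHandler(pinnedFingerprint) {
  return (req, res) => {
    const ok = isFromApiGateway(req.socket, pinnedFingerprint);
    res.writeHead(ok ? 200 : 403, { 'Content-Type': 'text/plain' });
    res.end(ok ? 'request accepted\n' : 'client certificate rejected\n');
  };
}

// Wire it together; apiGatewayCertPath is the PEM copied from the console.
function startBackend({ keyPath, certPath, apiGatewayCertPath, port }) {
  const apigwPem = fs.readFileSync(apiGatewayCertPath, 'utf8');
  const opts = tlsOptions(fs.readFileSync(keyPath), fs.readFileSync(certPath), apigwPem);
  return https.createServer(opts, makeHandler(fingerprintOf(apigwPem))).listen(port);
}
```

Call startBackend with the paths to the back end's own TLS key and certificate and to the saved API Gateway PEM file, then use Test Invoke as described above to confirm the request is accepted.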