Remediation
Note: Some backend servers do not support SSL client authentication in the form API Gateway uses and will return an SSL certificate error when API Gateway presents the client certificate. Confirm that the backend supports it before associating a certificate with a stage.
From Command Line
Generate a client certificate
aws apigateway generate-client-certificate --description "Client certificate for secure API communication"
This command returns the client certificate ID (clientCertificateId) and the PEM-encoded certificate (pemEncodedCertificate) of the newly generated client certificate, along with its expirationDate. Save the PEM; it is what the backend HTTPS server will be configured to trust.
The client certificate generated by API Gateway is valid for 365 days. To prevent API downtime, generate a replacement certificate, install its PEM on the backend, and update the API Gateway stage to the new clientCertificateId before the current certificate expires.
Configure an API to Use SSL Certificates
To associate the generated client certificate with a specific API stage, update the stage settings:
aws apigateway update-stage \
--rest-api-id {{rest-api-id}} \
--stage-name {{stage-name}} \
--patch-operations op=replace,path=/clientCertificateId,value={{client-certificate-id}}
Replace {{rest-api-id}}, {{stage-name}}, and {{client-certificate-id}} with the appropriate values.
Configure a Backend HTTPS Server to Verify the Client Certificate
You can retrieve the PEM-encoded public key of the client certificate using the following command:
aws apigateway get-client-certificate --client-certificate-id {{client-certificate-id}}
Before configuring a backend HTTPS server to verify the client SSL certificate of an API Gateway, ensure you have obtained the PEM-encoded private key and a server-side certificate issued by a trusted certificate authority; API Gateway validates the backend's server certificate on its side of the connection. On the backend, the client trust anchor must be the API Gateway certificate itself (the pemEncodedCertificate value), not a public CA bundle, so that only connections presenting that exact certificate are accepted.
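The following shell script is an added example for the procedure above, not AWS documentation code. It shows the backend-side check (accept only the API Gateway certificate as the client trust anchor), the rotation check for the 365-day lifetime, and the generate/update-stage sequence for a rotation. It assumes openssl is installed; the certificates it creates are locally generated stand-ins for the PEM that generate-client-certificate returns, and the rotate_stage_certificate function, which needs AWS credentials and a real REST API, is defined but not invoked.

```shell
#!/bin/sh
# Added example: verify the API Gateway client certificate the way a backend
# would, check whether it is close enough to expiry to rotate, and show the
# CLI sequence that performs the rotation.
# The certificates generated below are constructed stand-ins for the real
# API Gateway client certificate (pemEncodedCertificate), not AWS output.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# $1 = output PEM path, $2 = subject CN, $3 = validity in days.
# Self-signed, like the certificate API Gateway generates.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$1" >/dev/null 2>&1
}

# Backend-side check: $1 = the API Gateway PEM configured as the only client
# trust anchor (what nginx ssl_client_certificate or Apache SSLCACertificateFile
# point at), $2 = the certificate a connecting client presented.
# Returns 0 only if $2 chains to $1, which for a self-signed anchor means it
# is that exact certificate.
backend_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Rotation check: $1 = PEM path, $2 = window in days.
# Returns 0 if the certificate expires within the window, so the caller can
# rotate while the current certificate is still valid (365-day lifetime).
expires_within_days() {
    ! openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 ))
}

# $1 = client certificate id. Produces the update-stage patch operation used
# on the page to bind a certificate to a stage.
stage_patch_op() {
    printf 'op=replace,path=/clientCertificateId,value=%s\n' "$1"
}

# Online rotation (not run here; needs AWS credentials):
# $1 = rest-api-id, $2 = stage-name, $3 = path to write the new PEM for the backend.
# Order matters: the backend must trust the new PEM before the stage switches,
# otherwise API Gateway calls fail until the backend is updated.
rotate_stage_certificate() {
    new_id="$(aws apigateway generate-client-certificate \
        --description "Rotated $(date -u +%Y-%m-%d)" \
        --query clientCertificateId --output text)"
    aws apigateway get-client-certificate --client-certificate-id "$new_id" \
        --query pemEncodedCertificate --output text > "$3"
    echo "install $3 on the backend as its client trust anchor, then press Enter" >&2
    read -r _
    aws apigateway update-stage --rest-api-id "$1" --stage-name "$2" \
        --patch-operations "$(stage_patch_op "$new_id")"
    echo "$new_id"
}

# Constructed inputs: the current API Gateway certificate, a certificate from
# an unrelated client, and a certificate that is 10 days from expiry.
make_self_signed_cert "$WORK/apigw.pem" ApiGateway    365
make_self_signed_cert "$WORK/other.pem" SomeoneElse   365
make_self_signed_cert "$WORK/old.pem"   ApiGatewayOld 10

backend_accepts "$WORK/apigw.pem" "$WORK/apigw.pem" && echo "API Gateway certificate accepted"
backend_accepts "$WORK/apigw.pem" "$WORK/other.pem" || echo "unknown client certificate rejected"
expires_within_days "$WORK/old.pem" 30 && echo "certificate expires within 30 days: rotate it"
```

The same expiry window can be read from the API side with `aws apigateway get-client-certificate --client-certificate-id {{client-certificate-id}} --query expirationDate`, which is the value to alert on in a scheduled check.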