Client-Side SSL Certificate Authentication for Serverless Application

aws

#1

Hi,

I’m now developing an IoT platform on AWS in a serverless architecture.
For now, I use S3 to host the Single Page Application HTML and JavaScript, and Cognito to authenticate users.

For security reasons, I want to add client-side SSL certificate authentication for all HTTPS connections.
I’m thinking of creating a server that can do client-side SSL certificate authorization,
hosting the Single Page Application files there, and then building a custom Cognito proxy program so that
every HTTP(S) connection goes through that server with client-side auth.

The biggest problem of this idea is that this architecture requires a server…

What do you think is the best way to do this?


#2

You’ll want to create a CloudFront Distribution in front of your bucket, and do your SSL there.

This also means you can use AWS ACM for your certificates and get them for free!


#3

I am not sure that is accurate:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html#RequestCustomClientSideSslAuth

Client-Side SSL Authentication

CloudFront does not support client authentication with client-side SSL certificates. If an origin requests a client-side certificate, CloudFront drops the request.


#4

Whoops, looks like I confused client-side certificates with server-side certificates :upside_down_face:


#5

I achieved this by using the client-side certificate to attach to AWS IoT. Then I made an IoT function that returned a JWT token to the client. That token has the serial number from the client certificate embedded in it. You then exchange the token for temporary credentials. I am working in C, but this should all be possible from JavaScript in a browser. Check out developer authenticated identities.