When configuring HTTPS/SSL on AWS Elastic Load Balancer (ELB), backend authentication serves a critical security function. It establishes a secure channel between your load balancer and backend instances by verifying the identity of your backend servers.
For backend authentication, you'll need to use your site's public certificate (not the private key). This is because:
- The ELB needs to verify your backend servers' identities
- The certificate should be issued by a trusted Certificate Authority (CA)
- It must contain the appropriate domain name(s) for your backend servers
Here's how to properly configure this in AWS:
aws elb create-load-balancer-policy \
--load-balancer-name my-load-balancer \
--policy-name my-ssl-policy \
--policy-type-name BackendServerAuthenticationPolicyType \
--policy-attributes AttributeName=PublicKeyPolicyName,AttributeValue=my-public-key-policy
For a typical web application setup, you might use:
- Single Domain: Public certificate for api.yourdomain.com
- Wildcard: *.yourdomain.com certificate
- Multi-Domain: SAN certificate covering all backend domains
If you encounter errors, check these elements:
- Certificate chain completeness (include intermediate CAs)
- Certificate expiration dates
- Subject Alternative Name (SAN) coverage
- Proper key usage extensions (serverAuth)
Consider these recommendations for production environments:
# Example of checking certificate details
openssl x509 -in backend_cert.pem -text -noout
# Recommended cipher suite for ELB
aws elb create-load-balancer-policy \
--load-balancer-name my-lb \
--policy-name my-ssl-security-policy \
--policy-type-name SSLNegotiationPolicyType \
--policy-attributes AttributeName=Reference-Security-Policy,AttributeValue=ELBSecurityPolicy-TLS-1-2-2017-01
Remember to rotate certificates regularly and monitor their expiration using AWS Config or third-party tools.
When configuring HTTPS/SSL on AWS Elastic Load Balancer (ELB), backend authentication refers to the mutual SSL/TLS authentication between your load balancer and backend instances. This ensures encrypted traffic continues all the way to your servers, not just between clients and the load balancer.
For backend authentication, you need to provide:
- The public key certificate of your backend servers (not your website's SSL cert)
- This certificate must be issued by a Certificate Authority (CA) that your ELB trusts
- You'll typically need to create and use a self-signed certificate for this purpose
Here's how to generate and configure the required certificate:
# Generate a private key for your backend
openssl genrsa -out backend.key 2048
# Create a CSR (Certificate Signing Request)
openssl req -new -key backend.key -out backend.csr
# Generate a self-signed certificate valid for 365 days
openssl x509 -req -days 365 -in backend.csr -signkey backend.key -out backend.crt
After generating the certificate, upload it to AWS IAM:
aws iam upload-server-certificate \
--server-certificate-name my-backend-cert \
--certificate-body file://backend.crt \
--private-key file://backend.key
When creating your ELB in the AWS Console:
- Navigate to EC2 > Load Balancers
- During HTTPS listener setup, enable backend authentication
- Select the uploaded backend certificate from IAM
- Ensure your backend instances trust the certificate
After setup, verify the connection:
openssl s_client -connect your-elb-dns:443 -showcerts
Look for the certificate chain that includes both your frontend and backend certificates.
- Mismatched certificate trust chains between ELB and backend instances
- Expired or soon-to-expire backend certificates
- Incorrect permission settings on the certificate files
- Not updating security groups to allow encrypted traffic
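Backend authentication on a Classic ELB is configured as a pair of policies (a PublicKeyPolicyType holding the backend's public key, referenced by the BackendServerAuthenticationPolicyType shown in the first answer) attached to the backend port; this added script, not from either answer, ties that together with the backend.crt produced by the openssl steps in the second answer. It assumes the load balancer name my-load-balancer, backend port 443, and the aws and openssl CLIs on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from either answer): wire up Classic ELB backend
# authentication end to end. Assumes backend.crt from the openssl steps
# above, a Classic ELB named my-load-balancer, and backends on port 443.
set -eu
LB_NAME="${LB_NAME:-my-load-balancer}"
BACKEND_CERT="${BACKEND_CERT:-backend.crt}"
BACKEND_PORT="${BACKEND_PORT:-443}"

# Strip PEM armor and line breaks: the PublicKey attribute takes the bare
# base64 body of the public key, not a PEM file and not the certificate.
pem_body() {
  sed '/^-----/d' | tr -d '\n\r'
}

# Extract the public key from the backend certificate. Backend auth pins
# this key, so a self-signed cert works; CA trust and hostnames are not checked.
backend_public_key() {
  openssl x509 -in "$1" -pubkey -noout | pem_body
}

configure_backend_auth() {
  pubkey="$(backend_public_key "$BACKEND_CERT")"

  # 1. Policy holding the pinned public key.
  aws elb create-load-balancer-policy \
    --load-balancer-name "$LB_NAME" \
    --policy-name my-public-key-policy \
    --policy-type-name PublicKeyPolicyType \
    --policy-attributes "AttributeName=PublicKey,AttributeValue=${pubkey}"

  # 2. Authentication policy that references the key policy.
  aws elb create-load-balancer-policy \
    --load-balancer-name "$LB_NAME" \
    --policy-name my-backend-auth-policy \
    --policy-type-name BackendServerAuthenticationPolicyType \
    --policy-attributes AttributeName=PublicKeyPolicyName,AttributeValue=my-public-key-policy

  # 3. Attach it to the backend port; until this step nothing is enforced.
  aws elb set-load-balancer-policies-for-backend-server \
    --load-balancer-name "$LB_NAME" \
    --instance-port "$BACKEND_PORT" \
    --policy-names my-backend-auth-policy

  # 4. Confirm which policies are bound to the backend port.
  aws elb describe-load-balancers --load-balancer-names "$LB_NAME" \
    --query 'LoadBalancerDescriptions[0].BackendServerDescriptions'
}

# Run only with --apply so the helpers can be sourced without side effects.
if [ "${1:-}" = "--apply" ]; then configure_backend_auth; fi
```

Run it as `./backend-auth.sh --apply`; the final describe call should list my-backend-auth-policy under the backend port, and the health check on that port will fail until the instances present a certificate carrying the pinned key.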