This page provides instructions to set up backend authenticated TLS, also known as backend authentication, by using self-managed certificates for global external Application Load Balancers.
To configure backend authenticated TLS, you need to do the following:
- Create a trust config resource the consists of root and intermediate certificates.
- Create a Backend Authentication Config resource that references the trust config.
- Attach the Backend Authentication Config resource to the backend service of the load balancer.
Before you begin
- Review the Backend authenticated TLS and backend mTLS overview.
- Review Manage trust configs.
If you want to follow the instructions in this guide using the Google Cloud CLI, you need to install it. You can find commands related to load balancing in the API and gcloud CLI references.
If you haven't run the gcloud CLI previously, first run the
gcloud init
command to authenticate.Enable the following APIs: Compute Engine API, Certificate Manager API, Network Security, and Network Services API. To learn more, see Enabling APIs.
Configure a global external Application Load Balancer with any of the following supported backends:
- VM instance group backends
- Hybrid connectivity NEGs
- Zonal NEGs
Permissions
This section lists the permissions required to configure backend authenticated TLS.Operation | Permission |
---|---|
Create a trust config | certificatemanager.trustconfigs.create on the target
Google Cloud project |
Create a Backend Authentication Config resource |
certificatemanager.certs.use on the target certificatecertificatemanager.trustconfigs.use on the target trust
confignetworksecurity.backendauthenticationconfigs.create on
the target Google Cloud project |
Attach the Backend Authentication Config resource to the backend service of the load balancer |
compute.backendservice.update on the target backend
servicenetworksecurity.backendauthenticationconfigs.use on the
target Backend Authentication Config resource |
Setup overview
The sections that follow describe the steps to configure backend authenticated TLS based off the architecture shown in the following diagram:
Create the root and intermediate certificates
This section uses the OpenSSL library to create the root certificate (trust anchor) and the intermediate certificate.
A root certificate is at the top of the certificate chain. An intermediate certificate is a part of the chain of trust back to the root certificate. The intermediate certificate is cryptographically signed by the root certificate. When the load balancer receives a server certificate, the load balancer validates it by establishing a chain of trust from the server certificate back to the configured trust anchor.
Use the following commands to create the root and intermediate certificates.
Create an OpenSSL configuration file.
In the following example, the configuration file (
example.cnf
) contains the[ca_exts]
section, which specifies X.509 extensions that mark the certificate as suitable for a CA. To learn more about the requirements for root and intermediate certificates, see Certificate requirements.cat > example.cnf << EOF [req] distinguished_name = empty_distinguished_name [empty_distinguished_name] # Kept empty to allow setting via -subj command-line argument. [ca_exts] basicConstraints=critical,CA:TRUE keyUsage=keyCertSign extendedKeyUsage=serverAuth EOF
Create a self-signed X.509 root certificate (
root.cert
). The root certificate is self-signed with its own private key (root.key
).openssl req -x509 \ -new -sha256 -newkey rsa:2048 -nodes \ -days 3650 -subj '/CN=root' \ -config example.cnf \ -extensions ca_exts \ -keyout root.key -out root.cert
Create the certificate signing request (CSR)
int.req
for the intermediate certificate.openssl req -new \ -sha256 -newkey rsa:2048 -nodes \ -subj '/CN=int' \ -config example.cnf \ -extensions ca_exts \ -keyout int.key -out int.req
Sign the CSR to create the X.509 intermediate certificate (
int.cert
). The CSR is signed using the root certificate.openssl x509 -req \ -CAkey root.key -CA root.cert \ -set_serial 1 \ -days 3650 \ -extfile example.cnf \ -extensions ca_exts \ -in int.req -out int.cert
Format the certificates
To include new or existing certificates in a trust store, format the certificates into a single line and store them in environment variables so that they can be referenced by the trust config YAML file.
export ROOT_CERT=$(cat root.cert | sed 's/^[ ]*//g' | tr '\n' $ | sed 's/\$/\\n/g')
export INTERMEDIATE_CERT=$(cat int.cert | sed 's/^[ ]*//g' | tr '\n' $ | sed 's/\$/\\n/g')
Create a trust config resource
A trust config is a resource that represents your public key infrastructure (PKI) configuration in Certificate Manager.
To create a trust config resource, complete the following steps:
Console
In the Google Cloud console, go to the Certificate Manager page.
On the Trust Configs tab, click Add Trust Config.
Enter a name for the configuration.
For Location, select Global. The location denotes where the trust config resource is stored. For global external Application Load Balancers, you need to create a global trust config resource.
In the Trust store section, click Add trust anchor and upload the PEM-encoded certificate file, or copy the contents of the certificate.
Click Add.
In the Trust store section, click Add intermediate CA and upload the PEM-encoded certificate file, or copy the contents of the certificate. This step lets you add another level of trust between the root certificate and your server certificate.
Click Add to add the intermediary CA.
To add the certificate that you added to the allowlist, click Add.
Click Create.
Verify that the new trust config resource appears in the list of configurations.
gcloud
Create a trust config YAML file (
trust_config.yaml
) that specifies the trust config parameters. This example trust config resource contains a trust store with a trust anchor and an intermediate certificate. This example trust config resource reads the certificate content from the environment variables created in the previous Format the certificates step.cat << EOF > trust_config.yaml trustStores: - trustAnchors: - pemCertificate: "${ROOT_CERT}" intermediateCas: - pemCertificate: "${INTERMEDIATE_CERT}" EOF
To create a trust store with additional trust anchors or intermediate certificates, add
pemCertificate
rows in the appropriate section.To import the trust config YAML file, use the
gcloud certificate-manager trust-configs import
command:For global external Application Load Balancers, specify
global
as the location where the trust config resource is stored.gcloud certificate-manager trust-configs import TRUST_CONFIG_NAME \ --source=trust_config.yaml \ --location=global
Replace the following:
TRUST_CONFIG_NAME
: the name of the trust config resource
Create a Backend Authentication Config resource
To create a Backend Authentication Config resource, complete the following steps.
Console
- In the Google Cloud console, go to the Authentication Configuration page.
- On the Backend Authentication tab, click Create.
- Enter a name for the Backend Authentication Config resource.
- Optional: Select the public roots of trust.
- Select the trust config resource that you created earlier.
- Click Create.
Verify that the Backend Authentication Config resource is displayed.
gcloud
Create a YAML file that declaratively specifies the different attributes of the Backend Authentication Config resource.
cat << EOF > BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME.yaml name: projects/PROJECT_ID/locations/global/backendAuthenticationConfigs/BACKEND_AUTH_CONFIG_NAME trustConfig: projects/PROJECT_ID/locations/global/trustConfigs/TRUST_CONFIG_NAME wellKnownRoots: PUBLIC_ROOTS EOF
Replace the following:
BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME
: the name of the YAML file where the Backend Authentication Config resource is defined.PROJECT_ID
: the ID of your Google Cloud projectBACKEND_AUTH_CONFIG_NAME
: the name of the Backend Authentication Config resourceTRUST_CONFIG_NAME
: the name of the trust config resource that you created earlier.
To import the Backend Authentication Config resource, use the
gcloud beta network-security backend-authentication-configs import
command:gcloud beta network-security backend-authentication-configs import BACKEND_AUTH_CONFIG_NAME \ --source=BACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME.yaml \ --location=global
Replace the following:
BACKEND_AUTH_CONFIG_NAME
: the name of the Backend Authentication Config resourceBACKEND_AUTHENTICATION_CONFIG_RESOURCE_FILENAME
: the name of the YAML file where the Backend Authentication Config resource is defined.
Attach the Backend Authentication Config resource to the backend service of the load balancer
To attach the Backend Authentication Config resource to the backend service of the load balancer, complete the following steps.
Console
In the Google Cloud console, go to the Load balancing page.
On the Backends tab, select the backend service for which you need to enable backend authenticated TLS and backend mTLS.
Click
Edit.Expand the Advanced configurations section.
In the Backend authentication section, select the Enable checkbox.
Optional: Specify the SNI hostname and accepted SANs to validate the backend certificate.
To attach the Backend Authentication Config resource to the backend service, in the Backend Authentication Config list, select the Backend Authentication Config resource.
Click Continue.
To update the backend service settings, click Update.
gcloud
To list all the backend service resources in your project, use the
gcloud compute backend-services list
command.gcloud compute backend-services list
Note the name of the backend service to attach the
BackendAuthenticationConfig
resource to. This name is referred to asBACKEND_SERVICE_NAME
in the following steps.To export the backend service configuration to a file, use the
gcloud beta compute backend-services export
command.gcloud beta compute backend-services export BACKEND_SERVICE_NAME \ --destination=BACKEND_SERVICE_FILENAME.yaml \ --global
Replace the following:
BACKEND_SERVICE_NAME
: the name of the backend serviceBACKEND_SERVICE_FILENAME
: the name and path to a YAML file where the backend service configuration is exported
Update the
tlsSettings
attribute of the backend service, pointing it to the Backend Authentication Config resource. In addition, you can configure the SNI hostname and accepted SANs on the backend service to validate the backend certificate.cat << EOF >> BACKEND_SERVICE_FILENAME.yaml tlsSettings: authenticationConfig: //networksecurity.googleapis.com/projects/PROJECT_ID/locations/global/backendAuthenticationConfigs/BACKEND_AUTH_CONFIG_NAME sni: examplepetstore.com subjectAltNames: - dnsName: examplepetstore.com - dnsName: api.examplepetstore.com EOF
The SNI and SAN values in the preceding YAML declaration are intended as examples only. You can substitute them with real-world values that are relevant to your setup.
Replace the following:
BACKEND_SERVICE_FILENAME
: the name of the YAML file where the backend service configuration is exportedPROJECT_ID
: the ID of your Google Cloud projectBACKEND_AUTH_CONFIG_NAME
: the name of the Backend Authentication Config resource
To import the updated backend service configuration from a file, use the
gcloud beta compute backend-services import
command.gcloud beta compute backend-services import BACKEND_SERVICE_NAME \ --source=BACKEND_SERVICE_FILENAME.yaml \ --global
Replace the following:
BACKEND_SERVICE_NAME
: the name of the backend serviceBACKEND_SERVICE_FILENAME
: the name of the backend service configuration YAML file
Create a backend server certificate
This section provides an additional configuration option to create a server (leaf) certificate that is signed by the intermediate certificate, which is a part of the trust config. This ensures that a chain of trust can be established from the server certificate back to the trust anchor.
If you have already created a trust config resource that contains an intermediate certificate, do the following:
Create a configuration file to generate the CSR for the server certificate.
The following configuration file (
server.config
) contains the[extension_requirements]
section, which specifies the X.509 extensions to include in the CSR. To learn more about the requirements for server certificates, see Certificate requirements.cat > server.config << EOF [req] default_bits = 2048 req_extensions = extension_requirements distinguished_name = dn_requirements prompt = no [extension_requirements] basicConstraints = critical, CA:FALSE keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = examplepetstore.com DNS.2 = api.examplepetstore.com [dn_requirements] countryName = US stateOrProvinceName = California localityName = San Francisco 0.organizationName = example organizationalUnitName = test commonName = examplepetstore.com emailAddress = test@examplepetstore.com EOF
Create the CSR (
server.csr
) for the server certificate.openssl req -new \ -sha256 -newkey rsa:2048 -nodes \ -config server.config \ -keyout server.key -out server.csr
Sign the CSR to issue the X.509 server certificate (
server.cert
). The CSR is signed by the intermediate certificate.openssl x509 -req \ -CAkey int.key -CA int.cert \ -days 365 \ -extfile server.config \ -extensions extension_requirements \ -in server.csr -out server.cert
When the load balancer connects to the backend server, the backend server presents its certificate (
server.cert
) to authenticate itself to the load balancer, completing the backend authentication process.
Additional SSL configuration options on an Apache web server
This optional section walks you through the process to update the SSL configuration options on an Apache server based on the server certificates that you created earlier.-
Copy the server private key (
server.key
) and server certificate (server.cert
) over to the Apache web server.cat > server.key << EOF -----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY----- EOF sudo cp ./server.key /etc/ssl/private/server.key
Replace
[...]
with the PEM-encoded server private key that you created earlier.cat > server.cert << EOF -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- EOF sudo cp ./server.cert /etc/ssl/certs/server.cert
Replace
[...]
with the PEM-encoded server certificate that you created earlier. -
Update the SSL configuration of the Apache web server.
Update Apache's SSL configuration to enable HTTPS traffic using the specified SSL certificate and private key.
sudo vi /etc/apache2/sites-available/default-ssl.conf ---- SSLCertificateFile /etc/ssl/certs/server.cert SSLCertificateKeyFile /etc/ssl/private/server.key ----
-
Rehash the CA certificates.
sudo c_rehash /etc/ssl/certs/
-
Restart the Apache web server to apply the changes.
sudo systemctl restart apache2.service