Set up backend authenticated TLS

This page provides instructions to set up backend authenticated TLS, also known as backend authentication, by using self-managed certificates for global external Application Load Balancers.

To configure backend authenticated TLS , you need to do the following:

• Create a trust config resource the consists of root and intermediate certificates.
• Create a Backend Authentication Config resource that references the trust config.
• Attach the Backend Authentication Config resource to the backend service of the load balancer.

Before you begin

• Review the Backend authenticated TLS and backend mTLS overview .
• Review Manage trust configs .

• If you want to follow the instructions in this guide using the Google Cloud CLI, you need to install it. You can find commands related to load balancing in the API and gcloud CLI references .

  If you haven't run the gcloud CLI previously, first run the gcloud init command to authenticate.

• Enable the following APIs: Compute Engine API, Certificate Manager API, Network Security, and Network Services API. To learn more, see Enabling APIs .

• Configure a global external Application Load Balancer with any of the following supported backends:

  • VM instance group backends
  • Hybrid connectivity NEGs
  • Zonal NEGs

Permissions

Setup overview

The sections that follow describe the steps to configure backend authenticated TLS based off the architecture shown in the following diagram:

Create the root and intermediate certificates

This section uses the OpenSSL library to create the root certificate (trust anchor) and the intermediate certificate.

A root certificate is at the top of the certificate chain. An intermediate certificate is a part of the chain of trust back to the root certificate. The intermediate certificate is cryptographically signed by the root certificate. When the load balancer receives a server certificate, the load balancer validates it by establishing a chain of trust from the server certificate back to the configured trust anchor.

Use the following commands to create the root and intermediate certificates.

1. Create an OpenSSL configuration file .

   In the following example, the configuration file ( example.cnf ) contains the [ca_exts] section, which specifies X.509 extensions that mark the certificate as suitable for a CA. To learn more about the requirements for root and intermediate certificates, see Certificate requirements .

    cat > 
   example.cnf << 
   EOF [ 
   req ] 
    distinguished_name 
     
    = 
     
   empty_distinguished_name [ 
   empty_distinguished_name ] 
    # Kept empty to allow setting via -subj command-line argument. 
    [ 
   ca_exts ] 
    basicConstraints 
    = 
   critical,CA:TRUE keyUsage 
    = 
   keyCertSign extendedKeyUsage 
    = 
   serverAuth
   
   EOF 
   

2. Create a self-signed X.509 root certificate ( root.cert ). The root certificate is self-signed with its own private key ( root.key ).

    openssl  
   req  
   -x509  
    \ 
     
   -new  
   -sha256  
   -newkey  
   rsa:2048  
   -nodes  
    \ 
     
   -days  
    3650 
     
   -subj  
    '/CN=root' 
     
    \ 
     
   -config  
   example.cnf  
    \ 
     
   -extensions  
   ca_exts  
    \ 
     
   -keyout  
   root.key  
   -out  
   root.cert 
   

3. Create the certificate signing request (CSR) int.req for the intermediate certificate.

    openssl  
   req  
   -new  
    \ 
     
   -sha256  
   -newkey  
   rsa:2048  
   -nodes  
    \ 
     
   -subj  
    '/CN=int' 
     
    \ 
     
   -config  
   example.cnf  
    \ 
     
   -extensions  
   ca_exts  
    \ 
     
   -keyout  
   int.key  
   -out  
   int.req 
   

4. Sign the CSR to create the X.509 intermediate certificate ( int.cert ). The CSR is signed using the root certificate.

    openssl  
   x509  
   -req  
    \ 
     
   -CAkey  
   root.key  
   -CA  
   root.cert  
    \ 
     
   -set_serial  
    1 
     
    \ 
     
   -days  
    3650 
     
    \ 
     
   -extfile  
   example.cnf  
    \ 
     
   -extensions  
   ca_exts  
    \ 
     
   -in  
   int.req  
   -out  
   int.cert 
   

Format the certificates

To include new or existing certificates in a trust store, format the certificates into a single line and store them in environment variables so that they can be referenced by the trust config YAML file.

  export 
  
 ROOT_CERT 
 = 
 $( 
cat  
root.cert  
 | 
  
sed  
 's/^[ ]*//g' 
  
 | 
  
tr  
 '\n' 
  
$  
 | 
  
sed  
 's/\$/\\n/g' 
 ) 
 

  export 
  
 INTERMEDIATE_CERT 
 = 
 $( 
cat  
int.cert  
 | 
  
sed  
 's/^[ ]*//g' 
  
 | 
  
tr  
 '\n' 
  
$  
 | 
  
sed  
 's/\$/\\n/g' 
 ) 
 

Create a trust config resource

A trust config is a resource that represents your public key infrastructure (PKI) configuration in Certificate Manager.

To create a trust config resource, complete the following steps:

Create a Backend Authentication Config resource

To create a Backend Authentication Config ( BackendAuthenticationConfig ) resource, complete the following steps.

Attach the Backend Authentication Config resource to the backend service of the load balancer

To attach the Backend Authentication Config ( BackendAuthenticationConfig ) resource to the backend service of the load balancer, complete the following steps.

Create a backend server certificate

This section provides an additional configuration option to create a server (leaf) certificate that is signed by the intermediate certificate, which is a part of the trust config. This ensures that a chain of trust can be established from the server certificate back to the trust anchor.

If you have already created a trust config resource that contains an intermediate certificate, do the following:

1. Create a configuration file to generate the CSR for the server certificate.

   The following configuration file ( server.config ) contains the [extension_requirements] section, which specifies the X.509 extensions to include in the CSR. To learn more about the requirements for server certificates, see Certificate requirements .

    cat > 
   server.config << 
   EOF [ 
   req ] 
    default_bits 
     
    = 
     
    2048 
    req_extensions 
     
    = 
     
   extension_requirements distinguished_name 
     
    = 
     
   dn_requirements prompt 
     
    = 
     
   no [ 
   extension_requirements ] 
    basicConstraints 
     
    = 
     
   critical,  
   CA:FALSE keyUsage 
     
    = 
     
   critical,  
   nonRepudiation,  
   digitalSignature,  
   keyEncipherment extendedKeyUsage 
     
    = 
     
   serverAuth subjectAltName 
     
    = 
     
   @alt_names [ 
   alt_names ] 
   DNS.1  
    = 
     
   examplepetstore.com
   DNS.2  
    = 
     
   api.examplepetstore.com [ 
   dn_requirements ] 
    countryName 
     
    = 
     
   US stateOrProvinceName 
     
    = 
     
   California localityName 
     
    = 
     
   San  
   Francisco 0 
   .organizationName  
    = 
     
   example organizationalUnitName 
     
    = 
     
    test 
    commonName 
     
    = 
     
   examplepetstore.com emailAddress 
     
    = 
     
   test@examplepetstore.com
   
   EOF 
   

2. Create the CSR ( server.csr ) for the server certificate.

    openssl  
   req  
   -new  
    \ 
     
   -sha256  
   -newkey  
   rsa:2048  
   -nodes  
    \ 
     
   -config  
   server.config  
    \ 
     
   -keyout  
   server.key  
   -out  
   server.csr 
   

3. Sign the CSR to issue the X.509 server certificate ( server.cert ). The CSR is signed by the intermediate certificate.

    openssl  
   x509  
   -req  
    \ 
     
   -CAkey  
   int.key  
   -CA  
   int.cert  
    \ 
     
   -days  
    365 
     
    \ 
     
   -extfile  
   server.config  
    \ 
     
   -extensions  
   extension_requirements  
    \ 
     
   -in  
   server.csr  
   -out  
   server.cert 
   

   When the load balancer connects to the backend server, the backend server presents its certificate ( server.cert ) to authenticate itself to the load balancer, completing the backend authentication process.

Additional SSL configuration options on an Apache web server

1. Copy the server private key ( server.key ) and server certificate ( server.cert ) over to the Apache web server.

   cat > server.key << EOF
       -----BEGIN PRIVATE KEY-----
       [...]
       -----END PRIVATE KEY-----
       EOF
   
       sudo cp ./server.key /etc/ssl/private/server.key

   Replace [...] with the PEM-encoded server private key that you created earlier.

   cat > server.cert << EOF
       -----BEGIN CERTIFICATE-----
       [...]
       -----END CERTIFICATE-----
       EOF
   
       sudo cp ./server.cert /etc/ssl/certs/server.cert

   Replace [...] with the PEM-encoded server certificate that you created earlier.

2. Update the SSL configuration of the Apache web server.

   Update Apache's SSL configuration to enable HTTPS traffic using the specified SSL certificate and private key.

   sudo vi /etc/apache2/sites-available/default-ssl.conf
   
       ----
       SSLCertificateFile      /etc/ssl/certs/server.cert
       SSLCertificateKeyFile /etc/ssl/private/server.key
       ----

3. Rehash the CA certificates.

   sudo c_rehash /etc/ssl/certs/

4. Restart the Apache web server to apply the changes.

   sudo systemctl restart apache2.service

What's next

• Set up backend mTLS
• mTLS overview
• Set up mTLS with a private CA