AWS API Gateway mTLS - Access denied. Reason: self signed certificate

I've been following this guide by AWS: pretty much to the letter.

This is how I generate the certs:

openssl genrsa -out RootCA.key 4096
openssl req -new -x509 -days 3650 -key RootCA.key -out RootCA.pem

openssl genrsa -out my_client.key 2048
openssl req -new -key my_client.key -out my_client.csr

openssl x509 -req -in my_client.csr -CA RootCA.pem -CAkey RootCA.key -set_serial 01 -out my_client.pem -days 3650 -sha256

So now I have exactly 5 files:


I then upload the RootCA.pem as truststore.pem to S3, and copied the URI into API Gateway.

Then, I make the request: curl --key ./my_client.key --cert ./my_client.pem https://my-endpoint

API Gateway simply returns {"message":"Forbidden"} with HTTP 403. In Cloudwatch log, this is what I get: Access denied. Reason: self signed certificate.

The endpoint works perfectly fine if I disable mTLS, so it's not an issue with the endpoint or route itself.

I've looked at this page: , there's a possibility that the generated cert is invalid? But I'm not sure how to generate the correct one, as all the other guides pretty much generate the cert the same way.


  • I actually resolved this a while ago after talking with AWS Support.

    The reason for the error was that the Common Name (eg, fully qualified host name), when generating the keys, cannot be the same. I mistakenly used the same name because I assumed they needed to match.

    For example, when generating your Root CA, if you've entered MyRootCA when prompted for Common Name (eg, fully qualified host name), then when generating your client certificate, the Common Name must not be MyRootCA.
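The same certificate generation as the question, but non-interactive and with distinct Common Names, followed by the two local checks that would have caught the rejection before anything was uploaded. This is an added example, not code from the question, the answer or AWS; the names MyRootCA and my-client are constructed, and it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example: Root CA + client cert with DIFFERENT subjects, plus the
# pre-upload checks. Names are constructed; assumes openssl on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Root CA. Its CN ("MyRootCA") must not be reused by any client cert.
openssl genrsa -out RootCA.key 4096 2>/dev/null
openssl req -new -x509 -days 3650 -key RootCA.key -out RootCA.pem \
    -subj "/CN=MyRootCA" 2>/dev/null

# 2. Client key + CSR with its own, distinct CN.
openssl genrsa -out my_client.key 2048 2>/dev/null
openssl req -new -key my_client.key -out my_client.csr \
    -subj "/CN=my-client" 2>/dev/null

# 3. Sign the CSR with the CA (same command as in the question).
openssl x509 -req -in my_client.csr -CA RootCA.pem -CAkey RootCA.key \
    -set_serial 01 -out my_client.pem -days 3650 -sha256 2>/dev/null

# 4. The mistake from the answer, reproduced for contrast: a CSR that reuses
#    the CA's CN, so the signed cert ends up with subject == issuer.
openssl req -new -key my_client.key -out bad_client.csr \
    -subj "/CN=MyRootCA" 2>/dev/null
openssl x509 -req -in bad_client.csr -CA RootCA.pem -CAkey RootCA.key \
    -set_serial 02 -out bad_client.pem -days 3650 -sha256 2>/dev/null

# Returns 0 when the cert's subject differs from its issuer. A cert whose
# subject equals its issuer is what verifiers classify as self-signed.
subject_differs_from_issuer() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" != "${iss#issuer=}" ]
}

# Returns 0 when the client cert chains to the truststore file, i.e. the
# check API Gateway performs against the uploaded truststore.pem.
chains_to_truststore() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

subject_differs_from_issuer my_client.pem && echo "my_client.pem: subject != issuer, ok"
chains_to_truststore RootCA.pem my_client.pem && echo "my_client.pem: chains to RootCA.pem, ok"
if subject_differs_from_issuer bad_client.pem; then
    echo "bad_client.pem: unexpected"
else
    echo "bad_client.pem: subject == issuer, would be rejected as self-signed"
fi
```

Copy RootCA.pem to truststore.pem for the S3 upload only after both checks on the real client certificate pass.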