01 Run generate-client-certificate command (OSX/Linux/UNIX) to generate a new client-side SSL certificate for the Amazon API Gateway service. API Gateway creates and stores the private key; only the certificate (the public half) can ever be retrieved, and it is issued with a lifetime of one year, so plan to rotate it before the expirationDate returned below:
aws apigateway generate-client-certificate \
--region us-east-1 \
--description "SSL Certificate for HTTP requests authentication."
02 The command output should return the SSL certificate metadata:
{
"clientCertificateId": "abcabc",
"expirationDate": 1579948577,
"createdDate": 1548412577,
"pemEncodedCertificate": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----",
"description": "SSL Certificate for HTTP requests authentication."
}
03 Run update-stage command (OSX/Linux/UNIX) using the name of the API stage that you want to reconfigure as identifier (see Audit section part II to identify the right API stage) to attach the client certificate created at the previous step to the selected API stage. If the selected Amazon API Gateway API has been previously deployed, you will need to redeploy it for the change to take effect. Once the SSL certificate is attached, the AWS API Gateway service presents the certificate on all calls to HTTP and HTTP proxy integrations within the stage (Lambda and AWS service integrations are not affected). The following command example associates the client certificate with the ID "abcabc" with an API stage named "Staging", available for an API identified by the ID "abcdabcdab":
aws apigateway update-stage \
--region us-east-1 \
--rest-api-id abcdabcdab \
--stage-name 'Staging' \
--patch-operations op=replace,path=/clientCertificateId,value=abcabc
04 The command output should return the updated stage metadata, with the clientCertificateId attribute now set:
{
"clientCertificateId": "abcabc",
"tracingEnabled": true,
"stageName": "Staging",
"cacheClusterEnabled": false,
"cacheClusterStatus": "NOT_AVAILABLE",
"deploymentId": "aaabbb",
"lastUpdatedDate": 1548412905,
"createdDate": 1548406023,
"methodSettings": {}
}
05 Run get-client-certificate command (OSX/Linux/UNIX) to extract the PEM-encoded certificate created earlier in the process. This is the public certificate only (the private key never leaves API Gateway); it is what you install on the integration endpoints (e.g. at the backend server level) so they can verify the certificate API Gateway presents. Add --output text when redirecting the result to a file, otherwise the PEM is returned as a JSON string with escaped line endings:
aws apigateway get-client-certificate \
--region us-east-1 \
--client-certificate-id abcabc \
--query "pemEncodedCertificate"
06 The command output should return the requested PEM-encoded certificate, e.g.:
"-----BEGIN CERTIFICATE-----\r\nMIC63 ... Xqk3S==\r\n-----END CERTIFICATE-----"
07 Now configure your backend servers and services to require and verify the associated client SSL certificate. Attaching the certificate on the API Gateway side alone enforces nothing: the backend must request a client certificate during the TLS handshake and reject connections whose certificate does not match the one retrieved in step 5 (pin the certificate itself, e.g. by comparing it or its fingerprint, rather than accepting any certificate from a public CA). Also record the expirationDate from step 2 and repeat this process with a fresh certificate before it expires, or the backend will start rejecting API Gateway's calls.
08 Repeat steps no. 3 and 4 to attach your new SSL certificate to other API stages created for the selected API.
09 Repeat steps no. 1 – 8 to reconfigure other Amazon API Gateway APIs available within the selected region.
10 Change the AWS region by updating the --region command parameter value and repeat the entire remediation/resolution process for other regions.
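The following script is an added example, not part of the original remediation page, that automates steps 1 through 10 across regions, REST APIs and stages by driving the same AWS CLI commands shown above, and adds the two checks a practitioner would want: which stages still lack the certificate, and how many days remain before the certificate expires. It assumes the aws binary is on PATH with apigateway read and write permissions, and it uses constructed sample data (labelled in the comments) for the offline helpers; the region list, the 30-day rotation warning threshold and the output file name are assumptions of this example, not values from the page.

```python
"""Attach one API Gateway client certificate to every stage in a region.

Added example; not the original page's code. Assumes the `aws` CLI is on PATH
and authorised for apigateway GET/POST/PATCH. Regions are passed as arguments.
"""
import base64
import hashlib
import json
import subprocess
import sys
import time

CERT_DESCRIPTION = "SSL Certificate for HTTP requests authentication."
ROTATION_WARNING_DAYS = 30  # assumption: warn when a certificate is within 30 days of expiry


def aws(*args):
    """Run one AWS CLI command (JSON output) and return the parsed result."""
    out = subprocess.run(["aws", *args, "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out) if out.strip() else {}


def patch_operation(cert_id):
    """The --patch-operations value used by update-stage in step 3."""
    return f"op=replace,path=/clientCertificateId,value={cert_id}"


def stages_missing_cert(stages, cert_id):
    """Stage names from a get-stages response that do not yet carry cert_id."""
    return [s["stageName"] for s in stages.get("item", [])
            if s.get("clientCertificateId") != cert_id]


def days_until_expiry(cert, now=None):
    """Whole days left on a client certificate; API Gateway issues them for one year."""
    now = int(time.time()) if now is None else now
    return (cert["expirationDate"] - now) // 86400


def pem_to_sha256_fingerprint(pem):
    """SHA-256 over the DER bytes of a PEM certificate, a value a backend can pin.

    Tolerates the \\r\\n line endings the CLI returns (see step 6).
    """
    lines = [ln.strip() for ln in pem.replace("\r", "").split("\n")]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def remediate_region(region):
    """Steps 1-9 for one region: generate, attach to every stage, redeploy, save PEM."""
    cert = aws("apigateway", "generate-client-certificate", "--region", region,
               "--description", CERT_DESCRIPTION)
    cert_id = cert["clientCertificateId"]
    for api in aws("apigateway", "get-rest-apis", "--region", region).get("items", []):
        stages = aws("apigateway", "get-stages", "--region", region,
                     "--rest-api-id", api["id"])
        for name in stages_missing_cert(stages, cert_id):
            aws("apigateway", "update-stage", "--region", region, "--rest-api-id", api["id"],
                "--stage-name", name, "--patch-operations", patch_operation(cert_id))
            # An already-deployed stage needs a new deployment for the change to apply.
            aws("apigateway", "create-deployment", "--region", region,
                "--rest-api-id", api["id"], "--stage-name", name)
    pem = cert["pemEncodedCertificate"]
    with open(f"apigw-client-cert-{region}-{cert_id}.pem", "w") as fh:  # assumed file name
        fh.write(pem.replace("\r\n", "\n"))
    left = days_until_expiry(cert)
    print(f"{region}: {cert_id} sha256={pem_to_sha256_fingerprint(pem)} expires in {left} days"
          + (" (ROTATE SOON)" if left <= ROTATION_WARNING_DAYS else ""))


if __name__ == "__main__":
    for region in sys.argv[1:] or ["us-east-1"]:  # assumed default region
        remediate_region(region)
```

Run it as `python3 attach_client_cert.py us-east-1 eu-west-1`; the printed fingerprint is what you hand to the backend operators for pinning (step 7), and the expiry line is the reminder that this remediation has to be repeated before the one-year lifetime runs out.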