
TrustStore

Source: src/AWS/ELBv2/TrustStore.ts

An ELBv2 trust store holds the CA certificate bundle that an HTTPS listener configured for mutual TLS (mTLS) verify mode uses to validate client certificates.

Basic trust store from an S3 CA bundle

// The CA bundle is a PEM file that already exists in S3; the trust store references it by bucket and key.
const trustStore = yield* TrustStore("mtls", {
  caCertificatesBundleS3Bucket: "my-ca-bundles",
  caCertificatesBundleS3Key: "ca-bundle.pem",
});
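Before pointing a trust store at an S3 object it is worth checking that the object really is a PEM bundle of certificates and nothing else: the snippet above will happily reference any key, and a bundle that also carries a private key, or that contains no CERTIFICATE block at all, is a misconfiguration rather than something the trust store can catch for you. The following check is an added example, not code from the TrustStore docs or from the project; `inspectCaBundle` and the sample bundles are assumed names, and the base64 bodies in the samples are constructed placeholders, not real certificates.

```typescript
// Added example (not part of the TrustStore docs or the project's own code):
// a pre-upload sanity check for the PEM CA bundle an ELBv2 trust store consumes.
// A CA bundle must consist only of CERTIFICATE blocks; anything else (a stray
// PRIVATE KEY, a CSR, an empty file) is flagged as a problem.

interface BundleReport {
  certificateCount: number;
  problems: string[];
}

function inspectCaBundle(pem: string): BundleReport {
  // Fresh regex per call so the global lastIndex state never leaks between calls.
  const pemBlock = /-----BEGIN ([A-Z ]+)-----\r?\n([\s\S]*?)-----END ([A-Z ]+)-----/g;
  const problems: string[] = [];
  let certificateCount = 0;
  let sawAnyBlock = false;

  let m: RegExpExecArray | null;
  while ((m = pemBlock.exec(pem)) !== null) {
    sawAnyBlock = true;
    const beginLabel = m[1];
    const body = m[2];
    const endLabel = m[3];

    if (beginLabel !== endLabel) {
      problems.push(`mismatched PEM labels: BEGIN ${beginLabel} / END ${endLabel}`);
      continue;
    }
    if (beginLabel !== "CERTIFICATE") {
      // Private keys, certificate requests etc. do not belong in a trust store bundle.
      problems.push(`unexpected PEM block: ${beginLabel}`);
      continue;
    }
    // The body must be non-empty, well-formed base64 (structural check only;
    // it does not parse the DER or verify that the certificate is a CA).
    const base64 = body.replace(/\s+/g, "");
    const wellFormed =
      base64.length > 0 &&
      base64.length % 4 === 0 &&
      /^[A-Za-z0-9+/]+={0,2}$/.test(base64);
    if (!wellFormed) {
      problems.push("CERTIFICATE block is not valid base64");
      continue;
    }
    certificateCount += 1;
  }

  if (!sawAnyBlock) {
    problems.push("no PEM blocks found");
  } else if (certificateCount === 0) {
    problems.push("bundle contains no CERTIFICATE blocks");
  }
  return { certificateCount, problems };
}

// Constructed sample bundles: the base64 bodies are placeholders, not real certificates.
const SAMPLE_OK_BUNDLE = [
  "-----BEGIN CERTIFICATE-----",
  "MIIBAAAA",
  "-----END CERTIFICATE-----",
  "-----BEGIN CERTIFICATE-----",
  "MIIBBBBB",
  "-----END CERTIFICATE-----",
].join("\n");

const SAMPLE_BAD_BUNDLE = [
  "-----BEGIN CERTIFICATE-----",
  "MIIBAAAA",
  "-----END CERTIFICATE-----",
  "-----BEGIN PRIVATE KEY-----",
  "MIIBCCCC",
  "-----END PRIVATE KEY-----",
].join("\n");

// Run the check on both samples; a non-empty problems list means "do not upload".
for (const [name, bundle] of [["ok", SAMPLE_OK_BUNDLE], ["bad", SAMPLE_BAD_BUNDLE]] as const) {
  const report = inspectCaBundle(bundle);
  console.log(name, report.certificateCount, "certificate(s)", report.problems);
}
```

Run this against the file before uploading it as the `caCertificatesBundleS3Key` object; treat any entry in `problems` as a reason to stop. The check is deliberately structural: it confirms the object is a bundle of certificates, while whether those certificates are the CAs you intend to trust is a review question the code cannot answer.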

Using a trust store on an mTLS listener

// "verify" mode makes the listener validate client certificates against the trust store's CA bundle.
const listener = yield* Listener("https", {
  loadBalancerArn: lb.loadBalancerArn,
  port: 443,
  protocol: "HTTPS",
  certificates: [certArn],
  mutualAuthentication: {
    mode: "verify",
    trustStoreArn: trustStore.trustStoreArn,
  },
  defaultActions: [
    { type: "forward", targetGroups: [{ targetGroupArn: tg.targetGroupArn }] },
  ],
});