How can I replace the certificates for my AWS Client VPN to resolve a TLS handshake error?


My AWS Client VPN is showing a TLS handshake error. I want to check whether my endpoint's certificates are expired, and then replace them.

Short description

Client VPN uses certificates to authenticate clients when they try to connect to the Client VPN endpoint. If the certificates expire, then the client and the endpoint can't negotiate a TLS session, and the client can't establish a connection. Your Client VPN then shows a TLS handshake error. To resolve this error, replace the expired certificates without recreating the endpoint.


Confirm that your endpoint certificates are expired

First, confirm that your certificates are expired. Open the AWS Certificate Manager (ACM) console to view your current certificates. Note the IDs of any expired certificates that the Client VPN endpoint uses.

Renew the expired certificates

To renew a certificate, follow these steps:

  1. Clone the OpenVPN easy-rsa repo to your local computer, and then navigate to the easy-rsa/easyrsa3 folder.

    $ git clone <URL of the OpenVPN easy-rsa repository>
    $ cd easy-rsa/easyrsa3
  2. Start a new PKI environment.

    ./easyrsa init-pki
  3. Build a new certificate authority, and then follow all prompts:

    ./easyrsa build-ca nopass
  4. Generate the server certificate and key:

    ./easyrsa build-server-full server nopass
  5. Generate the client certificate and key. Note the client certificate and the client private key.

    ./easyrsa build-client-full client1.domain.tld nopass
  6. Copy the server certificate and key and the client certificate and key to a custom folder.

    mkdir ~/custom_folder/
    cp pki/ca.crt ~/custom_folder/
    cp pki/issued/server.crt ~/custom_folder/
    cp pki/private/server.key ~/custom_folder/
    cp pki/issued/client1.domain.tld.crt ~/custom_folder/
    cp pki/private/client1.domain.tld.key ~/custom_folder/
    cd ~/custom_folder/
  7. After you create the new certificates, import them to AWS Certificate Manager. Make sure that the Region that you use to access the console when you complete this step is correct for your Client VPN endpoint.

Note: Be aware that by completing these steps, you create a new Certificate Authority (CA). Files ending in .crt contain the certificate body, .key files contain the certificate's private key, and ca.crt contains the certificate chain.
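A pre-flight check, added here as an example and not part of the AWS article, for the files in ~/custom_folder before you import them in step 7: it flags any certificate that is expired or about to expire, and verifies that server.crt was issued by the new ca.crt (a server certificate left over from the old CA would reproduce the handshake error). It assumes the openssl CLI is on the path and that the file names match the steps above.

```shell
#!/bin/sh
# Added example, not from the AWS article. Assumes easy-rsa output in
# ~/custom_folder (ca.crt, server.crt, client*.crt) and the openssl CLI.
set -u

# cert_expires_within FILE DAYS -> prints 1 if FILE is expired or expires
# within DAYS days, 0 otherwise. openssl's -checkend is portable, so no
# date parsing is needed.
cert_expires_within() {
    secs=$(($2 * 86400))
    if openssl x509 -checkend "$secs" -noout -in "$1" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

# cert_chains_to CA_FILE CERT_FILE -> prints 0 if CERT_FILE verifies against
# CA_FILE, 1 otherwise. A server.crt signed by the old CA fails here.
cert_chains_to() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# report_cert FILE DAYS -> prints subject, expiry and a warning if it is close.
report_cert() {
    printf '%s\n' "$1"
    openssl x509 -noout -subject -enddate -in "$1" | sed 's/^/    /'
    if [ "$(cert_expires_within "$1" "$2")" = 1 ]; then
        printf '    WARNING: expires within %s days; replace it\n' "$2"
    fi
}

# main [DIR] [WARN_DAYS]: report every certificate, then check the chain.
main() {
    dir=${1:-"$HOME/custom_folder"}
    warn_days=${2:-30}
    for f in "$dir/ca.crt" "$dir/server.crt" "$dir"/client*.crt; do
        [ -f "$f" ] && report_cert "$f" "$warn_days"
    done
    if [ "$(cert_chains_to "$dir/ca.crt" "$dir/server.crt")" != 0 ]; then
        printf 'ERROR: server.crt was not issued by %s/ca.crt\n' "$dir"
        return 1
    fi
}

# Run the checks only when executed as check_vpn_certs.sh; sourcing just
# defines the functions.
if [ "${0##*/}" = "check_vpn_certs.sh" ]; then main "$@"; fi
```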

Change the certificates that Client VPN uses

After you import the new certificates to AWS Certificate Manager, change the certificates that the Client VPN endpoint uses:

  1. From the Amazon Virtual Private Cloud (Amazon VPC) console, choose Client VPN endpoint.
  2. Choose Actions, and then choose Modify Client VPN endpoint.
  3. Under Authentication information, choose the server certificate that you created.
  4. Choose Modify Client VPN endpoint to save the changes.
  5. Download the Client VPN configuration files again so that they reflect the changes.
  6. After you've successfully connected to your endpoint, delete the expired certificates.
  7. You can also use the DaysToExpiry certificate metric in Amazon CloudWatch to track your certificate expiry and avoid TLS handshake errors.

Related information

Mutual authentication
