How do I get notified when my CRL associated with Client VPN endpoint is about to expire?


I want to receive a notification that the CRL (Certificate Revocation List) that's associated with my AWS Client VPN endpoint is about to expire.

Short description

A CRL is a list of certificates that the certificate authority (CA) has revoked. Certificates can be revoked if they were shared by mistake. They can also be revoked when someone leaves the company.

The CRL is valid only for a limited period of time. During the authentication phase, the Client VPN endpoint checks the client certificate against the CRL that you imported. If the CRL has expired, clients can't connect to the Client VPN endpoint.

Your system logs the following error:

    TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    TLS Error: TLS handshake failed

The Client VPN service doesn't notify you that your CRL is about to expire. However, you can get this information from an Amazon CloudWatch metric called CRLDaysToExpiry that's available under the Client VPN namespace. This metric gives you the number of days left before the CRL for your Client VPN endpoint expires.

Use the Amazon CloudWatch CRLDaysToExpiry metric

The CRLDaysToExpiry metric decreases over time until it reaches zero on the day the CRL expires. After expiration, the CRL can no longer be used to authenticate clients on the Client VPN endpoint.

Set a custom alarm for the metric

You can set an alarm on this metric. For example, you might set the alarm to trigger when ten days remain before the CRL expires. The alarm then notifies the administrator that it's time to update the CRL and upload it to the Client VPN endpoint. For more information on Amazon Simple Notification Service (Amazon SNS) topics, see Creating an Amazon SNS topic.

You can create multiple alarms for a single metric. For example, you might choose to set up two additional alarms: five days to CRL expiry and one day to CRL expiry. If the administrator misses the ten-day warning notification, they still get notified by the five-day and the one-day alarms. The administrator updates the list of revoked certificates, generates a new CRL file (PEM format), and uploads it to the Client VPN endpoint.
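As an added example (not part of the original article), the following Python script builds the three staged alarms described above, ten, five and one day before expiry, as parameter sets for boto3's put_metric_alarm and sends each to an SNS topic. The namespace AWS/ClientVPN and the Endpoint dimension name are assumed from the Client VPN CloudWatch metrics reference; the endpoint ID and SNS topic ARN are placeholders you supply.

```python
from typing import Dict, List, Sequence

# Assumed (not stated in the article): the Client VPN CloudWatch namespace and
# the dimension that identifies one endpoint.
NAMESPACE = "AWS/ClientVPN"
ENDPOINT_DIMENSION = "Endpoint"
METRIC = "CRLDaysToExpiry"


def build_crl_alarms(endpoint_id: str, sns_topic_arn: str,
                     thresholds_days: Sequence[int] = (10, 5, 1)) -> List[Dict]:
    """Return one put_metric_alarm parameter set per threshold (10, 5 and 1 days
    by default), each firing when CRLDaysToExpiry is at or below that value."""
    alarms = []
    for days in sorted(set(thresholds_days), reverse=True):
        if days < 1:
            raise ValueError("threshold must be at least 1 day")
        alarms.append({
            "AlarmName": f"clientvpn-{endpoint_id}-crl-expires-in-{days}d",
            "AlarmDescription": (f"CRL on Client VPN endpoint {endpoint_id} "
                                 f"expires in {days} day(s) or less"),
            "Namespace": NAMESPACE,
            "MetricName": METRIC,
            "Dimensions": [{"Name": ENDPOINT_DIMENSION, "Value": endpoint_id}],
            "Statistic": "Minimum",
            "Period": 86400,            # the metric changes once a day
            "EvaluationPeriods": 1,
            "Threshold": float(days),
            "ComparisonOperator": "LessThanOrEqualToThreshold",
            # Alarm when the metric stops being published too, so a silent
            # gap is noticed; use "missing" for an endpoint with no CRL yet.
            "TreatMissingData": "breaching",
            "AlarmActions": [sns_topic_arn],
        })
    return alarms


def create_alarms(endpoint_id: str, sns_topic_arn: str, region: str) -> int:
    """Create the alarms in CloudWatch and return how many were created."""
    import boto3  # imported here so building the parameters needs no SDK
    cw = boto3.client("cloudwatch", region_name=region)
    params = build_crl_alarms(endpoint_id, sns_topic_arn)
    for p in params:
        cw.put_metric_alarm(**p)
    return len(params)
```

Run it with create_alarms("your_endpoint_id", "your_sns_topic_arn", "your_region") under credentials that allow cloudwatch:PutMetricAlarm; build_crl_alarms alone needs no AWS access, so you can review the generated parameters first.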

Generate a new CRL

Note: If you receive errors when you run the AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

For Easy-RSA certificate authorities:

  1. Generate a new CRL using the following command:

    ./easyrsa gen-crl

  2. Then, import the CRL to the Client VPN endpoint.

  3. Or, use the following AWS CLI command to update the CRL on the Client VPN endpoint:

    aws ec2 import-client-vpn-client-certificate-revocation-list --certificate-revocation-list file://crl.pem --client-vpn-endpoint-id your_endpoint_id --region your_region

    Note: Replace your_endpoint_id with your Client VPN endpoint ID and your_region with the Region where the Client VPN endpoint is located.

Related information

Client certificate revocation lists

Create a CloudWatch alarm based on a static threshold

What is Amazon CloudWatch?

AWS OFFICIAL. Updated 5 months ago.