AWS Client VPN - Certificate authentication


Hi Team.

I need to configure a Client VPN solution to connect my users to resources within a VPC. So, I would like to setup AWS Client VPN with certificate authentication, but according to documentation ( I need to upload server certificate to ACM, so I have some questions:

According to documentation, I could use easy-rsa to generate server and client certificates.

  1. but after generating server & client certificates, Could I delete or shutdown server (ec2) where I generated certificates?
  2. Does this server (ec2) need access to/from internet? or public domain? I mean ACM will need to connect to this server?
  3. Could I use windows CA server to generate my client certificates?
  4. Could I use ACM to generate my client certificates?
  5. If I have my CA provider, could I use it for generating client certificate? which type of certificate is necessary for AWS Client Vpn? or how can I request a SSL certificate to provider?

Thank you.

1 Answer

I have set this up before, so I will answer to my best..

  1. Techinically you can delete the EC2. However, you will not be able to issue any more client certifcates. You would need some where to create new client certs. This could be as simple as on a windows 11 desktop. It’s not the ec2 that’s needed it’s just an operating system to run the scripts some where. Also youll need this instance/easy-rsa folder to renew your CA and Server cert at a later date. Youll also need to track/update revoked certificates also and keep that file in a central place to update the VPN.
  2. No, its only used to generate certificates. You can stop it and power it up when you need to. You can also move the easy-rsa to cold storage like S3 or a local ZIP file. You can re-hydrate these files when needed again.
  3. I havent done it, but very likely you could. easy-rsa I believe just uses OPEN-SSL. So long as the certs are in the correct format, I do not see why not
  4. No, afraid you cant. They need to be signed by the CA that gets created. The only way I see this working is with an AWS Private CA and its quite expensive for this process.
  5. You need a CA certificate. You will not be able to get one. You need a CA cert thats allowed to sign/create server/client certs. This is why easy-rsa creats a CA cert from fresh thats private
profile picture
answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions