AWS Client VPN Endpoint, AWS Private CA & AWS Certificate Manager


Hello Friends,

I have set up a Private CA on AWS that issues certificates for the Client VPN endpoint. The authentication method for the Client VPN endpoint is certificate-based.

Currently, the Private CA does not have revocation configured. I plan to enable CRL-based revocation, with the CRL files to be stored in an S3 bucket.

  1. Since both the Client VPN endpoint and the Private CA are within AWS, is it necessary to create a CloudFront distribution for the S3 bucket, as mentioned in these articles: https://aws.amazon.com/blogs/security/how-to-securely-create-and-store-your-crl-for-acm-private-ca/ and https://docs.aws.amazon.com/privateca/latest/userguide/crl-planning.html?

  2. Will the Client VPN endpoint have direct access to the S3 bucket to retrieve the CRL, or do we need to adjust the S3 bucket policy? Alternatively, will a CloudFront distribution be required, as referenced in the articles in point 1?

  3. Once CRL is enabled on the AWS Private CA, any new certificates issued can be revoked per this article https://repost.aws/knowledge-center/acm-revoke-private-certificate. By importing the client certificate CRL (similar to https://repost.aws/knowledge-center/client-vpn-revoke-access-specific-client, though that article is not based on Private CA) into the Client VPN, users with revoked certificates should no longer be able to connect.

  4. How can certificates issued before CRL revocation was implemented in Private CA be prevented from connecting to the Client VPN prior to certificate validity expiry?

  5. If we use OCSP instead of CRL with the Private CA for revocation, can we still issue and revoke certificates for the Client VPN in the same way, and will it work with the Client VPN endpoint?

  6. Given that all services and resources are within AWS, except for the external users connecting to the Client VPN, which option would you recommend: CRL or OCSP?

I appreciate any suggestions or insights you may have on this matter.

1 Answer

Hi there! I will start answering some of your questions - let me know, please, if I omitted any. I do not think that publishing the CRL into an S3 bucket and exposing it/using CloudFront is necessary for your use-case.

This blog describes a way to integrate AWS Private CA with AWS Client VPN, where a revoked certificate will get immediately "known" to the Client VPN - that is, a client whose certificate has been added to the CRL will not be able to connect over VPN anymore.

IMPORTANT! Once the CRL is imported, as it has an expiry date, ensure that the CRL gets refreshed BEFORE the expiry date, otherwise the SSL handshake from all clients will fail due to an expired CRL (see blog above for details). Consider testing the whole workflow on a test Client VPN Endpoint and only then implement in production.

AWSAmir
answered 2 months ago
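As an added example (not from the question, the answer, or the linked AWS articles): stdlib-only Python that reads thisUpdate/nextUpdate from the DER-encoded CRL that AWS Private CA writes to the S3 bucket, converts it to the PEM form that the Client VPN import call expects, and refuses to import a CRL that is already at or near nextUpdate, which is the failure mode the answer warns about. The boto3 clients, bucket, key and endpoint id are passed in and are assumptions; SAMPLE_CRL is a constructed, unsigned CRL used only so the parsing runs offline.

```python
import base64
from datetime import datetime, timedelta, timezone

def _tlv(buf, pos):                                    # one DER TLV -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _asn1_time(buf, pos):                              # UTCTime (0x17) or GeneralizedTime (0x18) -> (datetime, end)
    tag, start, end = _tlv(buf, pos)
    text = buf[start:end].decode("ascii")
    if tag == 0x17:                                    # YYMMDDHHMMSSZ; RFC 5280: YY 50..99 is 19xx, else 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:
        raise ValueError("expected a Time at offset %d, got tag 0x%02x" % (pos, tag))
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc), end

def crl_validity(der):                                 # (thisUpdate, nextUpdate) of a DER CertificateList, RFC 5280 5.1
    _, pos, _ = _tlv(der, 0)                           # CertificateList SEQUENCE
    _, pos, _ = _tlv(der, pos)                         # tbsCertList SEQUENCE
    if der[pos] == 0x02:                               # optional version INTEGER
        _, _, pos = _tlv(der, pos)
    _, _, pos = _tlv(der, pos)                         # signature AlgorithmIdentifier
    _, _, pos = _tlv(der, pos)                         # issuer Name
    this_update, pos = _asn1_time(der, pos)
    has_next = pos < len(der) and der[pos] in (0x17, 0x18)
    return this_update, (_asn1_time(der, pos)[0] if has_next else None)

def crl_is_fresh(der, now=None, margin=timedelta(hours=1)):   # valid now, and nextUpdate at least `margin` away
    now = now or datetime.now(timezone.utc)
    this_update, next_update = crl_validity(der)
    return this_update <= now and next_update is not None and next_update - now >= margin

def der_crl_to_pem(der):                               # Private CA writes DER to S3; the Client VPN import takes PEM
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN X509 CRL-----\n" + body + "\n-----END X509 CRL-----\n"

def refresh_client_vpn_crl(s3, ec2, bucket, key, endpoint_id):   # assumed boto3 s3/ec2 clients and names
    der = s3.get_object(Bucket=bucket, Key=key)["Body"].read()   # key is normally crl/<CA-ID>.crl
    if not crl_is_fresh(der):
        raise RuntimeError("CRL expired or near nextUpdate: importing it would fail every client handshake")
    ec2.import_client_vpn_client_certificate_revocation_list(
        ClientVpnEndpointId=endpoint_id, CertificateRevocationList=der_crl_to_pem(der))

# Constructed, unsigned sample (not from a real CA): v2 CRL, empty issuer, valid 2024-06-01 to 2024-06-08.
SAMPLE_CRL = (b"\x30\x2c\x30\x25\x02\x01\x01\x30\x00\x30\x00"    # CertificateList, tbs, version, sigAlg, issuer
              b"\x17\x0d240601000000Z\x17\x0d240608000000Z"       # thisUpdate, nextUpdate (UTCTime)
              b"\x30\x00\x03\x01\x00")                           # outer sigAlg, BIT STRING signature
```

Run `refresh_client_vpn_crl` from a scheduled job that fires well inside the CA's CRL ExpirationInDays window, so the endpoint never holds a CRL past its nextUpdate.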
