Hi there! I will start answering some of your questions - let me know, please, if I omitted some. I do not think that publishing the CRL into an S3 bucket and exposing it / using CloudFront is necessary for your use case.
This blog describes a way to integrate AWS Private CA with AWS Client VPN, where a revoked certificate will immediately become "known" to the Client VPN - that is, a client whose certificate has been added to the CRL will not be able to connect over VPN anymore.
IMPORTANT! Once the CRL is imported, as it has an expiry date, ensure that the CRL gets refreshed BEFORE the expiry date; otherwise the SSL handshake from all clients will fail due to an expired CRL (see the blog above for details). Consider testing the whole workflow on a test Client VPN Endpoint and only then implement it in production.
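The expiry caveat above is the part that bites in practice: once the imported CRL's nextUpdate passes, every client handshake fails, not only the revoked ones. The following is an added example (not code from the answer above, from the linked blog, or from AWS) that reads thisUpdate/nextUpdate out of a DER or PEM CRL with a minimal stdlib-only DER walk and classifies it as ok / refresh / expired against a safety margin. To stay self-contained it also constructs an unsigned sample CRL with a placeholder signature; the function names, the 24-hour default margin and the "Sample CA" issuer are all assumptions. The refresh action itself (downloading the fresh CRL from the Private CA's S3 bucket and re-importing it with `aws ec2 import-client-vpn-client-certificate-revocation-list`) is left to your pipeline.

```python
"""Read a CRL's validity window and decide whether Client VPN needs a re-import."""
import base64
import datetime as dt

# sha256WithRSAEncryption OID and the X.500 commonName OID (DER-encoded bodies)
_OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")
_OID_CN = bytes.fromhex("550403")


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV, using long-form length when the body is >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def utc(year, month, day, hour=0, minute=0) -> dt.datetime:
    """Small helper so callers can build timezone-aware UTC timestamps."""
    return dt.datetime(year, month, day, hour, minute, tzinfo=dt.timezone.utc)


def _utctime(t: dt.datetime) -> bytes:
    return _tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def _parse_time(tag: int, body: bytes) -> dt.datetime:
    """Decode an X.509 Time: UTCTime (tag 0x17, RFC 5280 century rule) or GeneralizedTime (0x18)."""
    s = body.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        t = dt.datetime.strptime(str(year) + s[2:], "%Y%m%d%H%M%SZ")
    elif tag == 0x18:
        t = dt.datetime.strptime(s, "%Y%m%d%H%M%SZ")
    else:
        raise ValueError("expected a Time element, got tag 0x%02x" % tag)
    return t.replace(tzinfo=dt.timezone.utc)


def build_sample_crl(this_update: dt.datetime, next_update: dt.datetime) -> bytes:
    """Constructed, UNSIGNED sample CRL (DER) for testing; the signature is a placeholder."""
    alg = _tlv(0x30, _tlv(0x06, _OID_SHA256_RSA) + _tlv(0x05, b""))
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, _OID_CN) + _tlv(0x0C, b"Sample CA"))))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + alg + issuer + _utctime(this_update) + _utctime(next_update))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))


def to_pem(der: bytes) -> bytes:
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN X509 CRL-----\n" + b"\n".join(lines) + b"\n-----END X509 CRL-----\n"


def crl_validity(data: bytes):
    """Return (thisUpdate, nextUpdate) from a DER or PEM CRL; nextUpdate is None if absent."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = [ln for ln in data.splitlines() if ln and not ln.startswith(b"-----")]
        data = base64.b64decode(b"".join(body))
    _, cert_list, _ = _read_tlv(data, 0)      # CertificateList
    _, tbs, _ = _read_tlv(cert_list, 0)       # tbsCertList
    pos = 0
    tag, _, after = _read_tlv(tbs, pos)
    if tag == 0x02:                           # optional version INTEGER
        pos = after
    _, _, pos = _read_tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)           # issuer Name
    tag, body, pos = _read_tlv(tbs, pos)      # thisUpdate
    this_update = _parse_time(tag, body)
    next_update = None
    if pos < len(tbs):
        tag, body, _ = _read_tlv(tbs, pos)    # nextUpdate, if present
        if tag in (0x17, 0x18):
            next_update = _parse_time(tag, body)
    return this_update, next_update


def refresh_status(next_update, now: dt.datetime, margin_hours: int = 24) -> str:
    """'expired': handshakes already fail; 'refresh': inside the margin; 'ok': otherwise."""
    if next_update is None:
        return "refresh"                      # no nextUpdate: refresh on a known schedule
    if now >= next_update:
        return "expired"
    if now + dt.timedelta(hours=margin_hours) >= next_update:
        return "refresh"
    return "ok"


if __name__ == "__main__":
    pem = to_pem(build_sample_crl(utc(2025, 1, 3), utc(2025, 1, 10)))
    _, nxt = crl_validity(pem)
    print("nextUpdate:", nxt, "status:", refresh_status(nxt, utc(2025, 1, 9, 12)))
```

Run the check from a scheduled job against the CRL you last imported (or the output of `aws ec2 export-client-vpn-client-certificate-revocation-list`), and treat "refresh" as the trigger to re-import; the margin should comfortably exceed the interval at which the job runs so a single missed run never lets the CRL lapse.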