I assume that you are referring to the step where you create a certificate for the server using EasyRSA?
./easyrsa build-server-full server nopass
If you create a server certificate this way - it will set the common name of the certificate to Subject: CN=server. When you then import this into ACM the domain name will be blank. You can see this if I describe the certificate I produced and imported into ACM:
% aws acm describe-certificate --certificate-arn 'arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2' --region eu-central-1
{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2",
        "SubjectAlternativeNames": [],
        "Serial": "3b:ec:78:83:0c:0c:d5:79:5f:46:11:14:29:XX:XX:XX",
        "Subject": "CN=server",
        "Issuer": "vpn.gbit.ca",
        "CreatedAt": "2024-03-27T10:57:24.560000+01:00",
        "ImportedAt": "2024-03-27T10:57:24.573000+01:00",
        "Status": "ISSUED",
        "NotBefore": "2024-03-27T10:48:44+01:00",
        "NotAfter": "2026-06-30T11:48:44+02:00",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [],
        "Type": "IMPORTED",
        "KeyUsages": [
            {
                "Name": "DIGITAL_SIGNATURE"
            },
            {
                "Name": "KEY_ENCIPHERMENT"
            }
        ],
        "ExtendedKeyUsages": [
            {
                "Name": "TLS_WEB_SERVER_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.1"
            }
        ],
        "RenewalEligibility": "INELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "DISABLED"
        }
    }
}
As you can see the common name is just a name "server" and it has no domain portion.
If you are creating a server certificate for ClientVPN - include a fully qualified name in the call - for instance:
./easyrsa build-server-full vpn.example.com nopass
This will create a server certificate that contains the common name vpn.example.com and when you import it the domain portion in ACM will not be blank.
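A pre-flight check for the condition described in this answer, as an added example that is not part of the original post: it reads `aws acm describe-certificate` JSON and reports a blank `DomainName` or a subject CN with no domain portion. The sample JSON is constructed (trimmed to `Subject`, `SubjectAlternativeNames` and ACM's `DomainName` field), and the function names are hypothetical.

```python
import json
import re

# Constructed samples in the shape of `aws acm describe-certificate` output.
SAMPLE_SHORT_CN = '{"Certificate": {"Subject": "CN=server", "SubjectAlternativeNames": []}}'
SAMPLE_FQDN_CN = ('{"Certificate": {"DomainName": "vpn.example.com", '
                  '"Subject": "CN=vpn.example.com", "SubjectAlternativeNames": []}}')

# One DNS label: letters, digits and inner hyphens only.
_LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")


def common_name(subject):
    """Return the CN value from a subject such as 'C=DE,O=Example,CN=server'."""
    # Split on commas that are not backslash-escaped inside an RDN value.
    for rdn in re.split(r"(?<!\\),", subject):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


def has_domain_portion(name):
    """True when the name has at least two valid dot-separated labels."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.fullmatch(label) for label in labels)


def check_server_cert(describe_output):
    """Return a list of findings; an empty list means the checks passed."""
    cert = json.loads(describe_output)["Certificate"]
    findings = []
    if not cert.get("DomainName"):
        findings.append("DomainName is blank")
    cn = common_name(cert.get("Subject", ""))
    if cn is None:
        findings.append("subject has no CN")
    elif not has_domain_portion(cn):
        findings.append(f"CN '{cn}' has no domain portion")
    return findings


if __name__ == "__main__":
    for label, sample in (("short CN", SAMPLE_SHORT_CN), ("FQDN CN", SAMPLE_FQDN_CN)):
        print(label, "->", check_server_cert(sample) or "ok")
```

To check a real certificate, pass the JSON text printed by `aws acm describe-certificate` to `check_server_cert`.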
Please tell us how you created the server certificate that you imported - and give us the output of openssl x509 -inform pem -in <cert> -noout -text so we can see what the attributes of the certificate are.