En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

AWS Certificate Manager

0

Hi, after creating the certificate for AWS client VPN for Mac users and while importing it to AWS Certificate Manager, the domain name is blank. It is not auto populating. What may be the reason behind this?

  • Max Clements EXPERT
    il y a 2 mois

    Please tell us how you created the server certificate that you imported - and give us the output of openssl x509 -inform pem -in <cert> -noout -text so we can see what the attributes of the certiicate are.

Sujets
Sécurité, identité et conformitéRéseaux et diffusion de contenu
Balises
Gestionnaire de certificats AWSClient VPN AWS
Langue
English
riri
demandé il y a 2 mois163 vues
1 réponse
0

I assume that you are referring to the step where you create a certificate for the server using EasyRSA?

./easyrsa build-server-full server nopass

If create a server certificate this way - it will set the common name of the certificate to Subject: CN=server. When you then import this into ACM the domain name will be blank. You can see this if I describe the certicicate I produced and imported into ACM:

 % aws acm describe-certificate --certificate-arn 'arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2' --region eu-central-1
{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2",
        "SubjectAlternativeNames": [],
        "Serial": "3b:ec:78:83:0c:0c:d5:79:5f:46:11:14:29:XX:XX:XX",
        "Subject": "CN=server",
        "Issuer": "vpn.gbit.ca",
        "CreatedAt": "2024-03-27T10:57:24.560000+01:00",
        "ImportedAt": "2024-03-27T10:57:24.573000+01:00",
        "Status": "ISSUED",
        "NotBefore": "2024-03-27T10:48:44+01:00",
        "NotAfter": "2026-06-30T11:48:44+02:00",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [],
        "Type": "IMPORTED",
        "KeyUsages": [
            {
                "Name": "DIGITAL_SIGNATURE"
            },
            {
                "Name": "KEY_ENCIPHERMENT"
            }
        ],
        "ExtendedKeyUsages": [
            {
                "Name": "TLS_WEB_SERVER_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.1"
            }
        ],
        "RenewalEligibility": "INELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "DISABLED"
        }
    }
}

As you can see the common name is just a name server and it has no domain portion.

If you are creating a server certificate for ClientVPN - include a fully qualified name in the call - for instance:

./easyrsa build-server-full vpn.example.com nopass

This will create a server certificate that contains the common name vpn.example.com and when you import it the domain portion in ACM will not be blank.

AWS
EXPERT
Max Clements
répondu il y a 2 mois
profile picture
EXPERT
Giovanni Lauria
vérifié il y a un mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents