Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

AWS Certificate Manager

0

Hi, after creating the certificate for AWS client VPN for Mac users and while importing it to AWS Certificate Manager, the domain name is blank. It is not auto populating. What may be the reason behind this?

  • Max Clements ESPERTO
    2 mesi fa

    Please tell us how you created the server certificate that you imported - and give us the output of openssl x509 -inform pem -in <cert> -noout -text so we can see what the attributes of the certiicate are.

Argomenti
Sicurezza, identità e conformitàNetworking e distribuzione di contenuti
Tag
Gestore certificati AWSVPN per clienti AWS
Lingua
English
riri
posta 2 mesi fa162 visualizzazioni
1 Risposta
0

I assume that you are referring to the step where you create a certificate for the server using EasyRSA?

./easyrsa build-server-full server nopass

If create a server certificate this way - it will set the common name of the certificate to Subject: CN=server. When you then import this into ACM the domain name will be blank. You can see this if I describe the certicicate I produced and imported into ACM:

 % aws acm describe-certificate --certificate-arn 'arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2' --region eu-central-1
{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2",
        "SubjectAlternativeNames": [],
        "Serial": "3b:ec:78:83:0c:0c:d5:79:5f:46:11:14:29:XX:XX:XX",
        "Subject": "CN=server",
        "Issuer": "vpn.gbit.ca",
        "CreatedAt": "2024-03-27T10:57:24.560000+01:00",
        "ImportedAt": "2024-03-27T10:57:24.573000+01:00",
        "Status": "ISSUED",
        "NotBefore": "2024-03-27T10:48:44+01:00",
        "NotAfter": "2026-06-30T11:48:44+02:00",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [],
        "Type": "IMPORTED",
        "KeyUsages": [
            {
                "Name": "DIGITAL_SIGNATURE"
            },
            {
                "Name": "KEY_ENCIPHERMENT"
            }
        ],
        "ExtendedKeyUsages": [
            {
                "Name": "TLS_WEB_SERVER_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.1"
            }
        ],
        "RenewalEligibility": "INELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "DISABLED"
        }
    }
}

As you can see the common name is just a name server and it has no domain portion.

If you are creating a server certificate for ClientVPN - include a fully qualified name in the call - for instance:

./easyrsa build-server-full vpn.example.com nopass

This will create a server certificate that contains the common name vpn.example.com and when you import it the domain portion in ACM will not be blank.

AWS
ESPERTO
Max Clements
con risposta 2 mesi fa
profile picture
ESPERTO
Giovanni Lauria
verificato un mese fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente