What Username do AWS VPN Client need when using password-encrypted private key certificate?

I am using the aws vpn client for macos. I had the same client connection behavior, a popup asking for username/password for an endpoint configured for mutual tls. I used the same ACM-created server cert as the client cert, as it was a POC. (I would think an ACM-created client cert will work just fine.) The root cause was that I had not decrypted the private key with the passphrase. After downloading from the ACM, run this: openssl rsa -in private_key.txt -out decrypted_private_key.txt. Then cat the decrypted file and put it's contents in the client config file <key> </key> block.

I have the same behavior. What worked for me was to decrypt de private key with : openssl rsa -in private_key.txt -out decrypted_private_key.txt and put the content of decrypted_private_key.txt into <key></key> of the vpn client config file.

Hello there

Client VPN offers the following types of client authentication:

-Active Directory authentication (user-based)
-Mutual authentication (certificate-based)
-Single sign-on (SAML-based federated authentication) (user-based)
         

You will only be prompted for username/password if you are using user based authentication methods (AD or SAML)

With Active Directory authentication, clients are authenticated against existing Active Directory groups ,so clients have to enter credentials for existing AD groups.For SAML, the credentials are stored by their IdPs.

I would like to mention that using ACM and ACM Private CA for mutual authentication isn't currently supported for use with the AWS provided client for the Client VPN application[2].However you can connect using any other OpenVPN-based client application.

Reference:

[1]https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html

[2]https://aws.amazon.com/premiumsupport/knowledge-center/client-vpn-authenticate-private-ca-acm/

The above solutions work! Thanks to those who provided the fixes above.

However, they require distributing unencrypted key material in the configuration file, making life harder for admins of small projects that don't have AD or SAML built yet. Tunnelblick has no problem supporting encrypted secrets, why not the AWS VPN Client?