How do I create and connect to a Client VPN endpoint using private certificates for mutual authentication with AWS Certificate Manager?

2 minute read

I want to create and connect to an AWS Client VPN endpoint using private certificates for mutual authentication with AWS Certificate Manager (ACM). How can I do this?

Short description

With Client VPN, there are several options for configuring client authentication. One of these options is mutual authentication, which is a type of certificate-based authentication. These certificates can be self-signed or generated using ACM. To create private digital certificates using ACM and AWS Certificate Manager Private Certificate Authority, complete the following steps.

Resolution

1. Using ACM, create a private CA. If needed, you can also create a subordinate CA (optional).

2. Using the private CA that you created in the previous step, generate private certificates for your server and client.

3. Using the certificates that created in the previous step, create an AWS Client VPN endpoint.

4. Export the client certificate that you created in step 2. After you are prompted for a passphrase, you receive a client certificate body, certificate chain, and certificate private key.

5. Decrypt the private key with the passphrase that you specified in step 4. You can decrypt the private key by running the following command in OpenSSL libraries:

[ec2-user@ip-172-20-20-14 ~]$ openssl rsa -in private_key.txt -out decrypted_private_key.txt
Enter pass phrase for private_key.txt: YOUR_PASSPHRASE

writing RSA key

Note: Be sure to replace YOUR_PASSPHRASE with your custom passphrase.

6. Download and prepare the Client VPN endpoint configuration file. The client certificate and key values required to prepare the configuration file are provided in the client certificate that you exported in the previous step.

7. Find the decrypted_private_key.txt file from your decrypted private key in step 5. Add the contents of this file along with the contents of the client certificate body to the Client VPN configuration file.

8. Export and configure the client configuration file.

9. Connect to the Client VPN endpoint using any OpenVPN-based or the AWS Client VPN desktop application.

Topics

Networking & Content Delivery

Relevant content

AWS Client VPN Certs
Accepted Answer
AWS-User-9221355
asked 4 years ago
Client VPN Endpoint Creation - Not Detecting Client Certificate in ACM
Accepted Answer
AWS-User-9164621
asked 4 years ago
Client VPN doesn't work suddently
blacktulip11
asked 6 months ago
AWS VPN Client - iOS authentication options
Sergei
asked 2 months ago
What Username do AWS VPN Client need when using password-encrypted private key certificate?
AWS-User-9318473
asked a year ago
How can I create a Client VPN endpoint using certificate-based authentication?
AWS OFFICIALUpdated 10 months ago
How do I create a certificate-based VPN using AWS Site-to-Site VPN?
AWS OFFICIALUpdated 3 years ago
How can I configure multiple users to use the same Client VPN endpoint?
AWS OFFICIALUpdated 10 months ago
How do I configure a Client VPN using the AWS CLI?
AWS OFFICIALUpdated 2 years ago
Using AWS Private Link for application integration
EXPERT
Tedy_T
published a year ago