How do I create and connect to a Client VPN endpoint using private certificates for mutual authentication with AWS Certificate Manager?


I want to create and connect to an AWS Client VPN endpoint using private certificates for mutual authentication with AWS Certificate Manager (ACM). How can I do this?

Short description

With Client VPN, there are several options for configuring client authentication. One of these options is mutual authentication, which is certificate-based: each client presents its own certificate, and the endpoint accepts it only if it chains to the client CA certificate that you uploaded when you created the endpoint. The server and client certificates can be issued by a CA that you run yourself (AWS documents this with easy-rsa) or by AWS Private Certificate Authority (AWS Private CA), with the issued certificates stored in ACM. To issue private certificates with AWS Private CA and ACM, complete the following steps.


1.    Using AWS Private CA, create a private root CA. If needed, you can also create a subordinate CA (optional).

2.    Using the private CA that you created in the previous step, request private certificates in ACM for your server and for each client. Request them in the same AWS Region in which you plan to create the endpoint, because the endpoint can only reference ACM certificates in its own Region.

3.    Using the certificates that you created in the previous step, create an AWS Client VPN endpoint with mutual authentication. Specify the server certificate and the client certificate chain. If both certificates were issued by the same CA, you can use the server certificate ARN for both.

4.    Export the client certificate that you created in step 2, from the ACM console or the AWS CLI. You are prompted for a passphrase, and the export returns the client certificate body, the certificate chain, and the private key. The private key is returned encrypted with that passphrase.

5.    Decrypt the private key with the passphrase that you specified in step 4 by running the following OpenSSL command (the exported key is in PKCS #8 format, which this command reads directly):

[ec2-user@ip-172-20-20-14 ~]$ openssl rsa -in private_key.txt -out decrypted_private_key.txt
Enter pass phrase for private_key.txt: YOUR_PASSPHRASE

writing RSA key

Note: Be sure to replace YOUR_PASSPHRASE with your custom passphrase.

6.    Download the Client VPN endpoint configuration file and prepare it. The client certificate and key values that the configuration file requires come from the export in step 4 and the decrypted key from step 5.

7.    Open the decrypted_private_key.txt file from step 5. Add its contents to the configuration file between <key> and </key> tags, and add the client certificate body between <cert> and </cert> tags. Before you distribute the file, confirm that the key belongs to the certificate (for example, by comparing the public key extracted from each with OpenSSL); a mismatch causes the TLS handshake with the endpoint to fail.

8.    Save the configuration file and deliver it to the user over a secure channel. Because the file now contains the user's private key, treat it as a secret and restrict its file permissions.

9.    Connect to the Client VPN endpoint using any OpenVPN-based client or the AWS-provided client.
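The following script is an added example, not code from the AWS article: it walks through steps 4 to 7 offline. The ACM export is replaced by a locally generated, self-signed certificate and a passphrase-protected PKCS #8 key (constructed data), so the script runs without AWS access; the ARN, the passphrase file, and the endpoint DNS name in the comments are placeholders. It decrypts the key as in step 5, verifies that the key belongs to the certificate, and then appends the <cert> and <key> blocks to a stand-in for the downloaded configuration file.

```shell
#!/bin/sh
# Added example (not from the AWS article): offline stand-in for steps 4-7.
set -eu

# Step 4 stand-in. The real export (placeholder ARN and passphrase file) is:
#   aws acm export-certificate --certificate-arn "$CLIENT_CERT_ARN" \
#       --passphrase fileb://passphrase.txt --query Certificate --output text > client1.crt
#   ... and again with --query PrivateKey > private_key.txt
make_fake_export() {
  exp_dir=$1; exp_pass=$2
  # Self-signed certificate standing in for the AWS Private CA-issued client certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client1.example.test" \
      -keyout "$exp_dir/plain.key" -out "$exp_dir/client1.crt" >/dev/null 2>&1
  # ACM returns the key as passphrase-encrypted PKCS #8; mimic that here.
  openssl pkcs8 -topk8 -in "$exp_dir/plain.key" -out "$exp_dir/private_key.txt" \
      -passout "pass:$exp_pass"
  rm -f "$exp_dir/plain.key"
}

# Step 5: strip the passphrase. `openssl rsa` (as in the article) is for RSA keys;
# `openssl pkey` would also accept an EC key. Fails (non-zero) on a wrong passphrase.
decrypt_key() {
  enc_key=$1; dec_key=$2; dec_pass=$3
  openssl rsa -in "$enc_key" -out "$dec_key" -passin "pass:$dec_pass" 2>/dev/null || return 1
  chmod 600 "$dec_key"   # the decrypted key is the VPN credential; keep it private
}

# Guard for step 7: the public key inside the certificate must equal the one
# derived from the private key, otherwise the TLS handshake will fail.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Step 7: append inline <cert> and <key> blocks to the downloaded .ovpn file.
build_ovpn() {
  base_cfg=$1; cert_file=$2; key_file=$3; profile=$4
  key_matches_cert "$cert_file" "$key_file" || { echo "key does not match $cert_file" >&2; return 1; }
  {
    cat "$base_cfg"
    echo "<cert>"; openssl x509 -in "$cert_file"; echo "</cert>"   # first PEM block only
    echo "<key>";  cat "$key_file";                echo "</key>"
  } > "$profile"
  chmod 600 "$profile"   # the profile now carries the private key
}

# End-to-end run; prints the path of the finished profile.
run_demo() {
  work=$(mktemp -d)
  demo_pass=YOUR_PASSPHRASE                       # placeholder, as in the article
  make_fake_export "$work" "$demo_pass"
  decrypt_key "$work/private_key.txt" "$work/decrypted_private_key.txt" "$demo_pass"
  # Constructed stand-in for downloaded-config.ovpn (placeholder endpoint name);
  # the real file also carries the <ca> block and other directives.
  printf 'client\ndev tun\nproto udp\nremote cvpn-endpoint-EXAMPLE.prod.clientvpn.REGION.amazonaws.com 443\n' \
      > "$work/downloaded-config.ovpn"
  build_ovpn "$work/downloaded-config.ovpn" "$work/client1.crt" \
      "$work/decrypted_private_key.txt" "$work/client1.ovpn"
  echo "$work/client1.ovpn"
}

if command -v openssl >/dev/null 2>&1; then run_demo; fi
```

In the real flow, replace make_fake_export with the ACM export and point build_ovpn at the downloaded configuration file; the key-to-certificate check and the file permissions are the parts worth keeping in any wrapper script, since a mismatched or world-readable key is the most common cause of a failed or unsafe first connection.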

AWS OFFICIAL
Updated 2 years ago