AWS Client VPN - Certificate authentication

0

Hi Team.

I need to configure a Client VPN solution to connect my users to resources within a VPC, so I would like to set up AWS Client VPN with certificate authentication. According to the documentation (https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/mutual.html), I need to upload the server certificate to ACM, so I have some questions:

According to the documentation, I could use easy-rsa to generate server and client certificates.

  1. But after generating the server & client certificates, could I delete or shut down the server (EC2) where I generated the certificates?
  2. Does this server (EC2) need access to/from the internet, or a public domain? I mean, will ACM need to connect to this server?
  3. Could I use a Windows CA server to generate my client certificates?
  4. Could I use ACM to generate my client certificates?
  5. If I have my own CA provider, could I use it for generating client certificates? Which type of certificate is necessary for AWS Client VPN? Or how can I request an SSL certificate from a provider?

Thank you.

1 answer
0

I have set this up before, so I will answer as best I can.

  1. Technically you can delete the EC2. However, you will not be able to issue any more client certificates. You would need somewhere to create new client certs. This could be as simple as a Windows 11 desktop. It's not the EC2 that's needed; it's just an operating system to run the scripts somewhere. Also, you'll need this instance/easy-rsa folder to renew your CA and server cert at a later date. You'll also need to track/update revoked certificates and keep that file in a central place to update the VPN.
  2. No, it's only used to generate certificates. You can stop it and power it up when you need to. You can also move the easy-rsa folder to cold storage like S3 or a local ZIP file. You can re-hydrate these files when needed again.
  3. I haven't done it, but very likely you could. easy-rsa, I believe, just uses OpenSSL. So long as the certs are in the correct format, I do not see why not.
  4. No, afraid you can't. They need to be signed by the CA that gets created. The only way I see this working is with an AWS Private CA, and it's quite expensive for this process.
  5. You need a CA certificate. You will not be able to get one. You need a CA cert that's allowed to sign/create server/client certs. This is why easy-rsa creates a CA cert from fresh that's private.
Expert
answered 6 months ago
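The points in the answer above (a private CA whose key you keep so you can issue, renew and revoke later; server and client certificates signed by that CA rather than obtained from ACM; a revocation list you maintain yourself and keep somewhere central), as an added shell example that is not part of the thread. It uses plain openssl commands in place of easy-rsa, which the answer notes is just a wrapper around OpenSSL; the names ExampleVPN-CA, vpn-server and client1 are made up for the example, and the OpenSSL config it writes is an assumption of this example, not something from the AWS documentation. The checks at the end show why a server certificate cannot double as a client certificate (its extendedKeyUsage) and how a CRL makes a revoked client certificate fail verification.

```shell
#!/bin/sh
# Added example, not from the re:Post thread: a minimal private PKI for AWS
# Client VPN mutual authentication built with plain openssl commands instead of
# the easy-rsa scripts the answer mentions. "ExampleVPN-CA", "vpn-server" and
# "client1" are hypothetical names chosen for this example.
set -eu

# Write one OpenSSL config carrying the certificate extension profiles and the
# "openssl ca" database settings used for revocation. Everything lives in DIR.
write_pki_config() {
  cat > "$1/pki.cnf" <<'EOF'
[req]
prompt             = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[server_ext]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[client_ext]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ca]
default_ca = vpn_ca
[vpn_ca]
database         = index.txt
new_certs_dir    = .
serial           = serial
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
policy           = any_policy
[any_policy]
commonName = supplied
EOF
}

# Issue leaf certificate NAME under DIR, signed by the CA, with extension
# section EXT (server_ext or client_ext) from pki.cnf.
issue_leaf() (
  cd "$1"
  openssl req -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$2.csr" -CA ca.crt -CAkey ca.key \
    -CAcreateserial -extfile pki.cnf -extensions "$3" -out "$2.crt" >/dev/null 2>&1
)

# Build the CA, the server certificate, one client certificate and an (empty)
# CRL under DIR. The CA key is the artifact to keep: it is what lets you issue,
# renew and revoke later, independently of the machine it was created on.
build_vpn_pki() (
  mkdir -p "$1" && write_pki_config "$1" && cd "$1"
  openssl req -config pki.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -extensions ca_ext -keyout ca.key -out ca.crt -subj "/CN=ExampleVPN-CA" >/dev/null 2>&1
  issue_leaf . vpn-server server_ext
  issue_leaf . client1 client_ext
  : > index.txt; echo 1000 > crlnumber; echo 01 > serial
  openssl ca -config pki.cnf -gencrl -out crl.pem >/dev/null 2>&1
)

# Exit 0 if CERT chains to the CA and is valid for PURPOSE (sslserver or
# sslclient); a server cert presented as a client fails on its extendedKeyUsage.
verify_cert() {
  openssl verify -purpose "$3" -CAfile "$1/ca.crt" "$1/$2" >/dev/null 2>&1
}

# Revoke CERT in the CA database and regenerate crl.pem, the file the answer
# says to keep centrally and use to update the VPN endpoint.
revoke_cert() (
  cd "$1"
  openssl ca -config pki.cnf -revoke "$2" >/dev/null 2>&1
  openssl ca -config pki.cnf -gencrl -out crl.pem >/dev/null 2>&1
)

# Exit 0 only if CERT chains to the CA and is absent from the current CRL.
verify_with_crl() {
  openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$1/$2" >/dev/null 2>&1
}

# Stand-alone demo in a temporary directory.
demo=$(mktemp -d)
build_vpn_pki "$demo"
verify_cert "$demo" vpn-server.crt sslserver && echo "vpn-server.crt: valid for sslserver"
verify_cert "$demo" vpn-server.crt sslclient || echo "vpn-server.crt: rejected as sslclient (EKU)"
verify_with_crl "$demo" client1.crt && echo "client1.crt: valid, not revoked"
revoke_cert "$demo" client1.crt
verify_with_crl "$demo" client1.crt || echo "client1.crt: rejected, listed in crl.pem"
```

Run it with sh. After the demo, the directory holds vpn-server.crt with vpn-server.key and ca.crt (the server material the question's linked documentation says is imported into ACM), client1.crt with client1.key for one user, and crl.pem with client1 revoked. The CA directory (ca.key, index.txt, crlnumber, serial) is exactly the state the answer says you must preserve, whether on the EC2 instance or in a ZIP in S3, because without it no further issuance, renewal or revocation is possible.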
