AWS Certificate Manager

0

Hi, after creating the certificate for AWS client VPN for Mac users and while importing it to AWS Certificate Manager, the domain name is blank. It is not auto populating. What may be the reason behind this?

  • Please tell us how you created the server certificate that you imported - and give us the output of openssl x509 -inform pem -in <cert> -noout -text so we can see what the attributes of the certificate are.

1 Answer
0

I assume that you are referring to the step where you create a certificate for the server using EasyRSA?

./easyrsa build-server-full server nopass

If you create a server certificate this way - it will set the common name of the certificate to Subject: CN=server. When you then import this into ACM the domain name will be blank. You can see this if I describe the certificate I produced and imported into ACM:

 % aws acm describe-certificate --certificate-arn 'arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2' --region eu-central-1
{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2",
        "SubjectAlternativeNames": [],
        "Serial": "3b:ec:78:83:0c:0c:d5:79:5f:46:11:14:29:XX:XX:XX",
        "Subject": "CN=server",
        "Issuer": "vpn.gbit.ca",
        "CreatedAt": "2024-03-27T10:57:24.560000+01:00",
        "ImportedAt": "2024-03-27T10:57:24.573000+01:00",
        "Status": "ISSUED",
        "NotBefore": "2024-03-27T10:48:44+01:00",
        "NotAfter": "2026-06-30T11:48:44+02:00",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [],
        "Type": "IMPORTED",
        "KeyUsages": [
            {
                "Name": "DIGITAL_SIGNATURE"
            },
            {
                "Name": "KEY_ENCIPHERMENT"
            }
        ],
        "ExtendedKeyUsages": [
            {
                "Name": "TLS_WEB_SERVER_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.1"
            }
        ],
        "RenewalEligibility": "INELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "DISABLED"
        }
    }
}

As you can see the common name is just a name server and it has no domain portion.

If you are creating a server certificate for ClientVPN - include a fully qualified name in the call - for instance:

./easyrsa build-server-full vpn.example.com nopass

This will create a server certificate that contains the common name vpn.example.com and when you import it the domain portion in ACM will not be blank.

AWS
Expert
answered 2 months ago
Expert
reviewed 2 months ago
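
A pre-import check for the situation described in the answer above, as an added example that is not part of the original post or any AWS tooling: it reads the subject of a PEM certificate with openssl and reports whether the common name has a domain portion. The function names are hypothetical, and the rule used for "has a domain portion" (at least two dot-separated DNS labels) is an assumption, not ACM's own logic.

```shell
#!/bin/sh
# Added example: check a server certificate's CN before importing it into ACM.
# Function names are hypothetical; the domain-portion rule is an assumption.

# Extract the CN value from one line of `openssl x509 -noout -subject` output.
# Handles "CN=server", "CN = server" and the older "/CN=server" layouts.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's#.*CN *= *\([^,/]*\).*#\1#p'
}

# Succeed only if the name looks fully qualified, e.g. vpn.example.com.
has_domain_portion() {
    printf '%s\n' "$1" |
        grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
}

# Classify a subject line: prints "ok <cn>", "bare <cn>" or "missing".
classify_subject() {
    cn=$(cn_from_subject "$1")
    if [ -z "$cn" ]; then
        echo "missing"
    elif has_domain_portion "$cn"; then
        echo "ok $cn"
    else
        echo "bare $cn"
    fi
}

# Check a PEM file; returns 0 only when the CN has a domain portion.
check_cert() {
    subject=$(openssl x509 -inform pem -in "$1" -noout -subject -nameopt RFC2253) || return 2
    result=$(classify_subject "$subject")
    echo "$1: $result"
    case $result in
        ok\ *) return 0 ;;
        *)     return 1 ;;
    esac
}
```

Source the file and run check_cert on the certificate you are about to import; a "bare server" result corresponds to the CN=server case shown in the describe-certificate output above.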
