James, if you want to use customer-managed certificates with AWS Site-to-Site VPN instead of AWS Private CA, you can generate the certificates using OpenSSL and then import them into AWS Certificate Manager (ACM). Here's a basic set of steps using OpenSSL:
Step 1: Generate CA Key and Certificate
# Generate CA private key
openssl genpkey -algorithm RSA -out ca-key.pem
# Generate CA certificate
openssl req -new -x509 -key ca-key.pem -out ca-cert.pem
Step 2: Generate VPN Gateway Key and Certificate Signing Request (CSR)
# Generate VPN Gateway private key
openssl genpkey -algorithm RSA -out vpn-key.pem
# Generate VPN Gateway CSR
openssl req -new -key vpn-key.pem -out vpn-csr.pem
Step 3: Sign the VPN Gateway CSR with the CA
# Sign the VPN Gateway CSR with the CA
openssl x509 -req -in vpn-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -out vpn-cert.pem -CAcreateserial
Step 4: Import Certificates to ACM
Now, you need to import the CA certificate (ca-cert.pem) and the VPN Gateway certificate (vpn-cert.pem) into AWS Certificate Manager:
- Go to the AWS Certificate Manager console: https://console.aws.amazon.com/acm/
- Click on "Import a certificate."
- Copy and paste the contents of ca-cert.pem into the "Certificate body" field.
- Copy and paste the contents of vpn-cert.pem into the "Certificate chain" field.
Step 5: Create Customer Gateway in AWS Console
- In the AWS Management Console, navigate to the VPC Dashboard.
- In the left sidebar, click on "Customer Gateways" and then click "Create Customer Gateway."
- Fill in the necessary information, and for "Certificate ARN," choose the ARN of the certificate you imported from ACM.
Additional Considerations:
- Ensure that the key length and algorithms meet AWS VPN requirements.
- Double-check the certificate and key format and ensure they are in PEM format.
- Verify that the certificate chain is provided correctly during ACM import.
- AWS ACM might have specific requirements, so it's important to review AWS documentation and make sure the certificates meet those requirements.
Remember to replace placeholder names like ca-key.pem, vpn-key.pem, etc., with your desired filenames. This example assumes you're using a simple RSA algorithm; adjust as needed based on your security requirements. Always follow best practices for key management and security when dealing with certificates.
Take a look at this Knowledge center article: https://repost.aws/knowledge-center/vpn-certificate-based-site-to-site
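The OpenSSL steps above as one non-interactive script, with a chain check and a key-size check added before anything goes to ACM. This is an added example, not code from the answer above; the working directory, subject names, 2048-bit key size and 365-day validity are assumed placeholder values.

```shell
#!/bin/sh
# Added example: run Steps 1-3 from the answer non-interactively, then verify
# the result locally before importing into ACM. Requires openssl on PATH.
# Subject names, key size and validity period below are constructed values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: CA key and self-signed CA certificate (subject is a placeholder).
make_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/ca-key.pem" 2>/dev/null
  openssl req -new -x509 -key "$WORKDIR/ca-key.pem" -days 365 \
    -subj "/CN=Example Private CA" -out "$WORKDIR/ca-cert.pem"
}

# Steps 2 and 3: gateway key, CSR, and CA-signed gateway certificate.
make_gateway_cert() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/vpn-key.pem" 2>/dev/null
  openssl req -new -key "$WORKDIR/vpn-key.pem" \
    -subj "/CN=vpn-gateway.example.internal" -out "$WORKDIR/vpn-csr.pem"
  openssl x509 -req -in "$WORKDIR/vpn-csr.pem" -CA "$WORKDIR/ca-cert.pem" \
    -CAkey "$WORKDIR/ca-key.pem" -CAcreateserial -days 365 \
    -out "$WORKDIR/vpn-cert.pem" 2>/dev/null
}

# Check that a certificate chains to the given CA file; prints "ok" or "fail".
# This mirrors what ACM needs to see in the body/chain pairing at import.
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Print the RSA modulus size of a private key, to compare with AWS VPN limits.
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

make_ca
make_gateway_cert
echo "chain: $(verify_chain "$WORKDIR/ca-cert.pem" "$WORKDIR/vpn-cert.pem")"
echo "gateway key bits: $(key_bits "$WORKDIR/vpn-key.pem")"
```

Swapping the two files in verify_chain (CA cert checked against the gateway cert) fails, which is the quickest way to catch a body/chain mix-up before the ACM import.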
The knowledge center article "How do I use AWS Site-to-Site VPN to create a certificate-based VPN?" doesn't explain how to create a site-to-site VPN using a customer-managed self-signed cert. In fact, it explicitly says that it's not supported: "Note: You can't use an external self-signed certificate for Site-to-Site VPN."
The problem is that you have to use certs with site-to-site VPN to get active/active failover, and Amazon seems to be saying that you need to use AWS Private CA if you want to use certs with site-to-site VPN. But AWS Private CA is cost-prohibitive for small businesses. It would be great if AWS could provide a cost-effective solution for site-to-site VPN with active/active failover that doesn't require use of AWS Private CA.
Renato, so using your instructions above, when I try to create the Customer Gateway in the AWS Console using the ARN of the certificate I imported from ACM, I get an error in red at the top of the screen saying "There was an error creating your customer gateway: The Certificate ARN is not a Private Certificate".
James
Renato, could you comment on the issue where, when I try to create the Customer Gateway using the ARN of the certificate I imported from ACM, I get the error "The Certificate ARN is not a Private Certificate"?