Hi Ashutosh, I recreated the entire environment in my lab and I can confirm that what we already discussed should work.
In my case, as Certificate Authority to create both Server and Client certificates I used AWS Private CA, but again, you can use any Certificate Authority you like, better if used o generate both client and server certificates.
One thing that I missed during the various steps, is that client certificates needs either to be generated with the nopass command, or when exported (in my case from ACM) then you need to decrypt the private key before pasting it into the vpn client configuration file, otherwise the client would not be able to connect.
After all of this, in the Connection pane of the VPN endpoint you will see the client name in the Common Name column.
Can I ask what are you using to generate the server and client certificates ?
Hi Ashutosh, the only way to make that happen is to create a different client certificate for every client you want to connect:
client1.domain.tld client2.domain.tld client3.domain.tld
That should allow you to both recognize them in the connection tab and also to be able to revoke a specific client certificate if you need to.
Are you already doing this ?
Hi Ashutosh, I might be missing some bits here, however, if you want multiple users to connect to the same Client VPN Endpoint using Mutual Authentication, and being able to see them in the connection tab, you do need a different client certificate for each of them, but one single server certificate in use for the endpoint is enough.
There is a good article here that actually explains how to achieve it:
How can I configure multiple users to use the same Client VPN endpoint? https://repost.aws/knowledge-center/client-vpn-multiple-users-same-endpoint
The Client VPN Endpoint allows to specify only one single server certificate. You can change it if you like, but still, as far as I know, only one would be in use at any given time.
Can I ask you why you would like to have different server certificates ?
Hi Ashutosh, are the Server Certificate and Client Certificate generated from the same Certificate Authority ?
If not, you have to upload to ACM the Client certificate as well.
If the CA is the same for both Client and Server, in the Client VPN endpoint configuration you have to specify the server certificate ARN for the client certificate filed as well
Hi Ashutosh, You said:
"when i generate like this client1.domain.tld client2.domain.tld client3.domain.tld and try to paste in configuration file i am not able to make connection with vpn"
Just to be on the safe side, every client needs to have its own certificate and its own configuration file. If you successfully created the certificate and the configuration file for client1, then you simply have to repeat the same process for client 2 and client 3, always starting from the configuration file template you can download from the Client VPN Endpoint in the AWS Console, and adding the <cert></cert> and <key></key> sections, after the <ca></ca> section, with the specific certificate and key you generated for the client.
Are you using easy-rsa to generate certificates ? If so, AWS documentation describe the step by step process to create both server and client certificates using east-rsa here: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/mutual.html
Lastly, when you created the client VPN Endpoint configuration in the AWS console, what certificate did you select in the section "Client certificate ARN" ? If all your certificates, client and server, are generated from the same CA, here you need to specify again the SERVER certificate:
*Client certificate ARN If the server and client certificates are signed by the same certificate authority (CA), you have the option of specifying the server certificate ARN for both the client and server certificates. In this scenario, any client certificate that corresponds with the server certificate can be used to authenticate. *
Please note that this is somethign you cannot modify in an existing Client VPN Endpoint, but you are able to verify in the configuration details if you actually specified the same certificate for both "Server Certificate ARN" and "Client Certificate ARN". If you find that those are different, you need to delete/recreate the existing endpoint, or to create a new one.
- Accepted Answerasked a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago