Does AWS Client VPN support the use of AWS PCA Short Lived Mode Certificates?

2 Answers

AWS Client VPN does not support the use of AWS Private Certificate Authority (PCA) Short-Lived Mode Certificates for mutual authentication. While AWS PCA offers a short-lived certificate mode that issues certificates with a maximum validity period of seven days, this feature is not compatible with AWS Client VPN.

For mutual authentication in AWS Client VPN, you need to use certificates that adhere to RFC 5280 and have a longer validity period. The certificates used for Client VPN must be uploaded to AWS Certificate Manager (ACM) and specified when creating the Client VPN endpoint.

It's important to note that AWS Certificate Manager cannot issue certificates signed by a private CA in short-lived mode. This limitation further prevents the use of short-lived certificates with AWS Client VPN.

For AWS Client VPN mutual authentication, you should use standard certificates with longer validity periods. You can create separate client certificates for each user connecting to the Client VPN endpoint, which allows you to revoke specific certificates if needed, such as when a user leaves your organization.

In summary, while short-lived certificates can be useful in certain scenarios, they are not a supported configuration for AWS Client VPN mutual authentication.
Sources
Understand AWS Private CA CA modes - AWS Private Certificate Authority
Mutual authentication in AWS Client VPN - AWS Client VPN

answered a month ago; reviewed by an AWS expert 14 days ago

AWS Client VPN currently does not provide native support for AWS Private Certificate Authority (PCA) short-lived mode certificates.

Client VPN relies on certificates being imported into AWS Certificate Manager (ACM) for mutual authentication. Although AWS Private CA can issue short-lived certificates through API-based issuance, ACM does not currently automate the lifecycle management of short-lived certificates for Client VPN endpoints.

In practice, you could architect a custom workflow — periodically issuing short-lived certificates using AWS PCA APIs like IssueCertificate, and manually updating the Client VPN endpoint configuration. However, this approach would require significant automation effort and operational overhead, and it is not officially supported as a native Client VPN feature.

For production use cases, AWS recommends leveraging certificates issued through ACM (or ACM Private CA) with longer validity periods, which integrate seamlessly with Client VPN endpoints.

Reference: AWS Private CA Short-Lived Certificates

answered a month ago
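A pre-flight check to run before calling IssueCertificate for a Client VPN certificate, added here as an example (not AWS's code and not from either answer). It assumes the dict shapes returned by boto3's describe_certificate_authority and accepted by issue_certificate's Validity parameter; the CA descriptions, ARN and clock value are constructed.

```python
"""Pre-flight guard before issuing a Client VPN certificate from AWS Private CA.
Assumes the dict shapes of boto3 acm-pca describe_certificate_authority()
output and issue_certificate()'s Validity argument; all data is constructed."""
from datetime import datetime, timezone

SHORT_LIVED_MAX_DAYS = 7  # ceiling of AWS Private CA short-lived mode
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock


def validity_in_days(validity, now=None):
    """Convert an IssueCertificate Validity dict to an approximate day count."""
    vtype, value = validity["Type"], int(validity["Value"])
    if vtype == "DAYS":
        return value
    if vtype == "MONTHS":
        return value * 30
    if vtype == "YEARS":
        return value * 365
    now = now or datetime.now(timezone.utc)
    if vtype == "ABSOLUTE":  # seconds since the Unix epoch
        end = datetime.fromtimestamp(value, tz=timezone.utc)
    elif vtype == "END_DATE":  # YYYYMMDDHHMMSS in UTC
        end = datetime.strptime(str(value), "%Y%m%d%H%M%S")
        end = end.replace(tzinfo=timezone.utc)
    else:
        raise ValueError(f"unknown Validity Type {vtype!r}")
    return (end - now).days


def client_vpn_issuance_problems(ca_description, validity, now=None):
    """Return why this CA/validity pair will not work for Client VPN ([] = OK)."""
    ca = ca_description["CertificateAuthority"]
    problems = []
    if ca.get("UsageMode") == "SHORT_LIVED_CERTIFICATE":
        problems.append("CA is in short-lived mode; Client VPN cannot use it")
    if ca.get("Status") != "ACTIVE":
        problems.append(f"CA status is {ca.get('Status')}, not ACTIVE")
    days = validity_in_days(validity, now)
    if days <= SHORT_LIVED_MAX_DAYS:
        problems.append(f"{days}-day validity is in the short-lived range")
    return problems


# Constructed sample CA descriptions (placeholder ARN, not a real account)
_ARN = "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE"
SHORT_LIVED_CA = {"CertificateAuthority": {"Arn": _ARN, "Status": "ACTIVE",
                                           "UsageMode": "SHORT_LIVED_CERTIFICATE"}}
GENERAL_CA = {"CertificateAuthority": {"Arn": _ARN, "Status": "ACTIVE",
                                       "UsageMode": "GENERAL_PURPOSE"}}
```

Run the guard against the real describe_certificate_authority output before issuing; a non-empty list means the resulting certificate would not be usable for Client VPN mutual authentication.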
