By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AWS Certificate Manager

0

Hi, after creating the certificate for AWS client VPN for Mac users and while importing it to AWS Certificate Manager, the domain name is blank. It is not auto populating. What may be the reason behind this?

  • Max Clements EXPERT
    a month ago

    Please tell us how you created the server certificate that you imported - and give us the output of openssl x509 -inform pem -in <cert> -noout -text so we can see what the attributes of the certiicate are.

Topics
Security, Identity, & ComplianceNetworking & Content Delivery
Tags
AWS Certificate ManagerAWS Client VPN
Language
English
riri
asked a month ago153 views
1 Answer
0

I assume that you are referring to the step where you create a certificate for the server using EasyRSA?

./easyrsa build-server-full server nopass

If create a server certificate this way - it will set the common name of the certificate to Subject: CN=server. When you then import this into ACM the domain name will be blank. You can see this if I describe the certicicate I produced and imported into ACM:

 % aws acm describe-certificate --certificate-arn 'arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2' --region eu-central-1
{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2",
        "SubjectAlternativeNames": [],
        "Serial": "3b:ec:78:83:0c:0c:d5:79:5f:46:11:14:29:XX:XX:XX",
        "Subject": "CN=server",
        "Issuer": "vpn.gbit.ca",
        "CreatedAt": "2024-03-27T10:57:24.560000+01:00",
        "ImportedAt": "2024-03-27T10:57:24.573000+01:00",
        "Status": "ISSUED",
        "NotBefore": "2024-03-27T10:48:44+01:00",
        "NotAfter": "2026-06-30T11:48:44+02:00",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [],
        "Type": "IMPORTED",
        "KeyUsages": [
            {
                "Name": "DIGITAL_SIGNATURE"
            },
            {
                "Name": "KEY_ENCIPHERMENT"
            }
        ],
        "ExtendedKeyUsages": [
            {
                "Name": "TLS_WEB_SERVER_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.1"
            }
        ],
        "RenewalEligibility": "INELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "DISABLED"
        }
    }
}

As you can see the common name is just a name server and it has no domain portion.

If you are creating a server certificate for ClientVPN - include a fully qualified name in the call - for instance:

./easyrsa build-server-full vpn.example.com nopass

This will create a server certificate that contains the common name vpn.example.com and when you import it the domain portion in ACM will not be blank.

AWS
EXPERT
Max Clements
answered a month ago
profile picture
EXPERT
Giovanni Lauria
reviewed a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content