Site-to-site VPN with customer-managed certs

0

Can you provide instructions for using AWS site-to-site VPN with customer-managed certs rather than using AWS private CA?

Specifically, can you provide an example such as a set of "openssl" commands to generate the CA + certs that will be accepted by the Customer Gateway configuration? Whenever I try importing a cert via the AWS Certificate Manager and then try to select it in the Customer Gateway setup, I get obscure certificate validation errors. I wasn't able to find any documentation on how to do this.

Thanks, James

5 Answers
0

James, If you want to use customer-managed certificates with AWS Site-to-Site VPN instead of AWS Private CA, you can generate the certificates using OpenSSL and then import them into AWS Certificate Manager (ACM). Here's a basic set of steps using OpenSSL:

Step 1: Generate CA Key and Certificate

# Generate CA private key
openssl genpkey -algorithm RSA -out ca-key.pem

# Generate CA certificate
openssl req -new -x509 -key ca-key.pem -out ca-cert.pem

Step 2: Generate VPN Gateway Key and Certificate Signing Request (CSR)

# Generate VPN Gateway private key
openssl genpkey -algorithm RSA -out vpn-key.pem

# Generate VPN Gateway CSR
openssl req -new -key vpn-key.pem -out vpn-csr.pem

Step 3: Sign the VPN Gateway CSR with the CA

# Sign the VPN Gateway CSR with the CA
openssl x509 -req -in vpn-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -out vpn-cert.pem -CAcreateserial

Step 4: Import Certificates to ACM

Now, you need to import the CA certificate (ca-cert.pem) and the VPN Gateway certificate (vpn-cert.pem) into AWS Certificate Manager:

  • Go to the AWS Certificate Manager console: https://console.aws.amazon.com/acm/
  • Click on "Import a certificate."
  • Copy and paste the contents of ca-cert.pem into the "Certificate body" field.
  • Copy and paste the contents of vpn-cert.pem into the "Certificate chain" field.

Step 5: Create Customer Gateway in AWS Console

  • In the AWS Management Console, navigate to the VPC Dashboard.
  • In the left sidebar, click on "Customer Gateways" and then click "Create Customer Gateway."
  • Fill in the necessary information, and for "Certificate ARN," choose the ARN of the certificate you imported from ACM.

Additional Considerations:

  • Ensure that the key length and algorithms meet AWS VPN requirements.
  • Double-check the certificate and key format and ensure they are in PEM format.
  • Verify that the certificate chain is provided correctly during ACM import.
  • AWS ACM might have specific requirements, so it's important to review AWS documentation and make sure the certificates meet those requirements.

Remember to replace placeholder names like ca-key.pem, vpn-key.pem, etc., with your desired filenames. This example assumes you're using a simple RSA algorithm; adjust as needed based on your security requirements. Always follow best practices for key management and security when dealing with certificates.

Renato
answered 5 months ago
  • Renato, could you comment on the issue where when I try and create the Customer Gateway using the ARN of the certificate I imported from ACM, I get an error "The Certificate ARN is not a Private Certificate".

0
EXPERT
answered 5 months ago
0

The knowledge center article "How do I use AWS Site-to-Site VPN to create a certificate-based VPN?" doesn't explain how to create a site-to-site VPN using a customer-managed self-signed cert. In fact, it explicitly says that it's not supported: "Note: You can't use an external self-signed certificate for Site-to-Site VPN."

The problem is that you have to use certs with site-to-site VPN to get active/active failover, and Amazon seems to be saying that you need to use AWS Private CA if you want to use certs with site-to-site VPN. But AWS Private CA is cost-prohibitive for small businesses. It would be great if AWS could provide a cost-effective solution for site-to-site VPN with active/active failover that doesn't require use of AWS Private CA.

James
answered 5 months ago
0

Renato, so using your instructions above, when I try and create the Customer Gateway in AWS Console using the ARN of the certificate I imported from ACM, I get an error in red at the top of the screen saying "There was an error creating your customer gateway: The Certificate ARN is not a Private Certificate".

James

James
answered 4 months ago
0

You cannot create a certificate body and certificate chain without a key value.....

Cees
answered 25 days ago
