The knowledge center article "How do use AWS Site-to-Site VPN to create a certificate-based VPN?" doesn't explain how to create a site-to-site VPN using a customer-managed self-signed cert. In fact, it explicitly says that it's not supported: "Note: You can't use an external self-signed certificate for Site-to-Site VPN."
The problem is that you have to use certs with site-to-site VPN to get active/active failover, and Amazon seems to be saying that you need to use AWS Private CA if you want to use certs with site-to-site VPN. But AWS Private CA is cost-prohibitive for small businesses. It would be great if AWS could provide a cost-effective solution for site-to-site VPN with active/active failover that doesn't require use of AWS Private CA.
James, If you want to use customer-managed certificates with AWS Site-to-Site VPN instead of AWS Private CA, you can generate the certificates using OpenSSL and then import them into AWS Certificate Manager (ACM). Here's a basic set of steps using OpenSSL:
Step 1: Generate CA Key and Certificate
```shell
# Generate CA private key
openssl genpkey -algorithm RSA -out ca-key.pem
# Generate CA certificate
openssl req -new -x509 -key ca-key.pem -out ca-cert.pem
```
Step 2: Generate VPN Gateway Key and Certificate Signing Request (CSR)
```shell
# Generate VPN Gateway private key
openssl genpkey -algorithm RSA -out vpn-key.pem
# Generate VPN Gateway CSR
openssl req -new -key vpn-key.pem -out vpn-csr.pem
```
Step 3: Sign the VPN Gateway CSR with the CA
```shell
# Sign the VPN Gateway CSR with the CA
openssl x509 -req -in vpn-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -out vpn-cert.pem -CAcreateserial
```
Step 4: Import Certificates to ACM
Now, you need to import the CA certificate (ca-cert.pem) and the VPN Gateway certificate (vpn-cert.pem) into AWS Certificate Manager:
- Go to the AWS Certificate Manager console: https://console.aws.amazon.com/acm/
- Click on "Import a certificate."
- Copy and paste the contents of ca-cert.pem into the "Certificate body" field.
- Copy and paste the contents of vpn-cert.pem into the "Certificate chain" field.
Step 5: Create Customer Gateway in AWS Console
- In the AWS Management Console, navigate to the VPC Dashboard.
- In the left sidebar, click on "Customer Gateways" and then click "Create Customer Gateway."
- Fill in the necessary information, and for "Certificate ARN," choose the ARN of the certificate you imported from ACM.
Additional Considerations:
- Ensure that the key length and algorithms meet AWS VPN requirements.
- Double-check the certificate and key format and ensure they are in PEM format.
- Verify that the certificate chain is provided correctly during ACM import.
- AWS ACM might have specific requirements, so it's important to review AWS documentation and make sure the certificates meet those requirements.
Remember to replace placeholder names like ca-key.pem, vpn-key.pem, etc., with your desired filenames. This example assumes you're using a simple RSA algorithm; adjust as needed based on your security requirements. Always follow best practices for key management and security when dealing with certificates.
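The same OpenSSL procedure as a non-interactive script, with the pre-import checks the "Additional Considerations" call for (chain verifies against the CA, private key matches the certificate, key is at least 2048 bits). This is an added example, not part of the answer above or any AWS tooling; the subject names, filenames, key sizes and validity periods are assumptions, and it does not change the ACM/Customer Gateway behaviour discussed in this thread.

```shell
#!/bin/sh
# Added example: build a self-signed CA plus a CA-signed VPN gateway cert
# non-interactively, then check the material before it is uploaded anywhere.
# Subject names and filenames below are placeholders (assumptions).
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# CA key/cert, gateway key/CSR, and the CA-signed gateway certificate.
build_vpn_pki() {
  dir="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/ca-key.pem" 2>/dev/null
  openssl req -new -x509 -key "$dir/ca-key.pem" -days 3650 \
    -subj "/CN=Example VPN Root CA" -out "$dir/ca-cert.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/vpn-key.pem" 2>/dev/null
  openssl req -new -key "$dir/vpn-key.pem" \
    -subj "/CN=cgw.example.internal" -out "$dir/vpn-csr.pem" 2>/dev/null
  openssl x509 -req -in "$dir/vpn-csr.pem" -CA "$dir/ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -days 365 \
    -out "$dir/vpn-cert.pem" 2>/dev/null
}

# Pre-import checks. Returns 0 only when every check passes.
check_vpn_pki() {
  dir="$1"
  # 1. The gateway certificate must chain to the CA certificate.
  openssl verify -CAfile "$dir/ca-cert.pem" "$dir/vpn-cert.pem" >/dev/null 2>&1 \
    || { echo "FAIL: vpn-cert.pem does not chain to ca-cert.pem"; return 1; }
  # 2. The private key must belong to the certificate (same RSA modulus).
  cert_mod=$(openssl x509 -noout -modulus -in "$dir/vpn-cert.pem")
  key_mod=$(openssl rsa -noout -modulus -in "$dir/vpn-key.pem" 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ] \
    || { echo "FAIL: vpn-key.pem does not match vpn-cert.pem"; return 1; }
  # 3. Key length: reject anything under 2048 bits.
  bits=$(openssl rsa -noout -text -in "$dir/vpn-key.pem" 2>/dev/null \
         | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
  [ "${bits:-0}" -ge 2048 ] \
    || { echo "FAIL: key is ${bits:-?} bits, need >= 2048"; return 1; }
  echo "OK: chain verifies, key matches cert, key is $bits bits"
}

build_vpn_pki "$WORKDIR"
check_vpn_pki "$WORKDIR"
```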
Renato, could you comment on the issue where when I try and create the Customer Gateway using the ARN of the certificate I imported from ACM, I get an error "The Certificate ARN is not a Private Certificate".
Renato, so using your instructions above, when I try and create the Customer Gateway in AWS Console using the ARN of the certificate I imported from ACM, I get an error in red at the top of the screen saying "There was an error creating your customer gateway: The Certificate ARN is not a Private Certificate".
James
Confirming that I have run into the same roadblock. Terribly disappointing as we went through a cert request process with one of our partners to generate a cert using their CA.
You cannot create a certificate body and certificate chain without a key value...
I'll go a step further, our partners require that we use THEIR CA to sign certificates for our VPN connectivity to them. AWS Managed Certificate Authority wouldn't work for us even if it was free, which it isn't. We're the "little fish" in this arrangement so there is no chance that they will add our CA to their trust store.
FYI to others: The invalid certificate we imported shows up in the drop-down as an option for the Customer Gateway configuration. We pre-staged the certificate, validated its presence in the Customer Gateway UI and only discovered the issue just before test/turn-up.