Site-to-site VPN with customer-managed certs


Can you provide instructions for using AWS site-to-site VPN with customer-managed certs rather than using AWS private CA?

Specifically, can you provide an example such as a set of "openssl" commands to generate the CA + certs that will be accepted by the Customer Gateway configuration? Whenever I try importing a cert via the AWS Certificate Manager and then try to select it in the Customer Gateway setup, I get obscure certificate validation errors. I wasn't able to find any documentation on how to do this.

Thanks, James

4 Answers

The knowledge center article "How do I use AWS Site-to-Site VPN to create a certificate-based VPN?" doesn't explain how to create a site-to-site VPN using a customer-managed self-signed cert. In fact, it explicitly says that it's not supported: "Note: You can't use an external self-signed certificate for Site-to-Site VPN."

The problem is that you have to use certs with site-to-site VPN to get active/active failover, and Amazon seems to be saying that you need to use AWS Private CA if you want to use certs with site-to-site VPN. But AWS Private CA is cost-prohibitive for small businesses. It would be great if AWS could provide a cost-effective solution for site-to-site VPN with active/active failover that doesn't require use of AWS Private CA.

James
answered 9 months ago
  • I'll go a step further: our partners require that we use THEIR CA to sign certificates for our VPN connectivity to them. AWS Managed Certificate Authority wouldn't work for us even if it was free, which it isn't. We're the "little fish" in this arrangement, so there is no chance that they will add our CA to their trust store.

    FYI to others: The invalid certificate we imported shows up in the drop-down as an option for the Customer Gateway configuration. We pre-staged the certificate, validated its presence in the Customer Gateway UI and only discovered the issue just before test/turn-up.


James, if you want to use customer-managed certificates with AWS Site-to-Site VPN instead of AWS Private CA, you can generate the certificates using OpenSSL and then import them into AWS Certificate Manager (ACM). Here's a basic set of steps using OpenSSL:

Step 1: Generate CA Key and Certificate

# Generate CA private key
openssl genpkey -algorithm RSA -out ca-key.pem

# Generate CA certificate
openssl req -new -x509 -key ca-key.pem -out ca-cert.pem

Step 2: Generate VPN Gateway Key and Certificate Signing Request (CSR)

# Generate VPN Gateway private key
openssl genpkey -algorithm RSA -out vpn-key.pem

# Generate VPN Gateway CSR
openssl req -new -key vpn-key.pem -out vpn-csr.pem

Step 3: Sign the VPN Gateway CSR with the CA

# Sign the VPN Gateway CSR with the CA
openssl x509 -req -in vpn-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -out vpn-cert.pem -CAcreateserial

Step 4: Import Certificates to ACM

Now, you need to import the CA certificate (ca-cert.pem) and the VPN Gateway certificate (vpn-cert.pem) into AWS Certificate Manager:

  • Go to the AWS Certificate Manager console: https://console.aws.amazon.com/acm/
  • Click on "Import a certificate."
  • Copy and paste the contents of ca-cert.pem into the "Certificate body" field.
  • Copy and paste the contents of vpn-cert.pem into the "Certificate chain" field.

Step 5: Create Customer Gateway in AWS Console

  • In the AWS Management Console, navigate to the VPC Dashboard.
  • In the left sidebar, click on "Customer Gateways" and then click "Create Customer Gateway."
  • Fill in the necessary information, and for "Certificate ARN," choose the ARN of the certificate you imported from ACM.

Additional Considerations:

  • Ensure that the key length and algorithms meet AWS VPN requirements.
  • Double-check the certificate and key format and ensure they are in PEM format.
  • Verify that the certificate chain is provided correctly during ACM import.
  • AWS ACM might have specific requirements, so it's important to review AWS documentation and make sure the certificates meet those requirements.

Remember to replace placeholder names like ca-key.pem, vpn-key.pem, etc., with your desired filenames. This example assumes you're using a simple RSA algorithm; adjust as needed based on your security requirements. Always follow best practices for key management and security when dealing with certificates.

Renato
answered 9 months ago
  • Renato, could you comment on the issue where when I try and create the Customer Gateway using the ARN of the certificate I imported from ACM, I get an error "The Certificate ARN is not a Private Certificate".


Renato, so using your instructions above, when I try and create the Customer Gateway in AWS Console using the ARN of the certificate I imported from ACM, I get an error in red at the top of the screen saying "There was an error creating your customer gateway: The Certificate ARN is not a Private Certificate".

James
answered 9 months ago
  • Confirming that I have run into the same roadblock. Terribly disappointing as we went through a cert request process with one of our partners to generate a cert using their CA.


You cannot create a certificate body and certificate chain without a key value.....

Cees
answered 5 months ago
