使用AWS re:Post即您表示您同意 AWS re:Post 使用条款
AWS re:Postre:Post

AWS Certificate Manager

0

Hi, after creating the certificate for AWS client VPN for Mac users and while importing it to AWS Certificate Manager, the domain name is blank. It is not auto populating. What may be the reason behind this?

  • Max Clements 专家
    2 个月前

    Please tell us how you created the server certificate that you imported - and give us the output of openssl x509 -inform pem -in <cert> -noout -text so we can see what the attributes of the certiicate are.

主题
安全、身份和合规性网络和内容交付
标签
AWS 证书管理器AWS Client VPN
语言
English
riri
已提问 2 个月前163 查看次数
1 回答
0

I assume that you are referring to the step where you create a certificate for the server using EasyRSA?

./easyrsa build-server-full server nopass

If create a server certificate this way - it will set the common name of the certificate to Subject: CN=server. When you then import this into ACM the domain name will be blank. You can see this if I describe the certicicate I produced and imported into ACM:

 % aws acm describe-certificate --certificate-arn 'arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2' --region eu-central-1
{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2",
        "SubjectAlternativeNames": [],
        "Serial": "3b:ec:78:83:0c:0c:d5:79:5f:46:11:14:29:XX:XX:XX",
        "Subject": "CN=server",
        "Issuer": "vpn.gbit.ca",
        "CreatedAt": "2024-03-27T10:57:24.560000+01:00",
        "ImportedAt": "2024-03-27T10:57:24.573000+01:00",
        "Status": "ISSUED",
        "NotBefore": "2024-03-27T10:48:44+01:00",
        "NotAfter": "2026-06-30T11:48:44+02:00",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [],
        "Type": "IMPORTED",
        "KeyUsages": [
            {
                "Name": "DIGITAL_SIGNATURE"
            },
            {
                "Name": "KEY_ENCIPHERMENT"
            }
        ],
        "ExtendedKeyUsages": [
            {
                "Name": "TLS_WEB_SERVER_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.1"
            }
        ],
        "RenewalEligibility": "INELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "DISABLED"
        }
    }
}

As you can see the common name is just a name server and it has no domain portion.

If you are creating a server certificate for ClientVPN - include a fully qualified name in the call - for instance:

./easyrsa build-server-full vpn.example.com nopass

This will create a server certificate that contains the common name vpn.example.com and when you import it the domain portion in ACM will not be blank.

AWS
专家
Max Clements
已回答 2 个月前
profile picture
专家
Giovanni Lauria
已审核 2 个月前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容