使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

AWS Certificate Manager

0

Hi, after creating the certificate for AWS client VPN for Mac users and while importing it to AWS Certificate Manager, the domain name is blank. It is not auto populating. What may be the reason behind this?

  • Max Clements 專家
    2 個月前

    Please tell us how you created the server certificate that you imported - and give us the output of openssl x509 -inform pem -in <cert> -noout -text so we can see what the attributes of the certiicate are.

主題
安全性、身分識別與合規網路與內容交付
標籤
AWS Certificate ManagerAWS Client VPN
語言
English
riri
已提問 2 個月前檢視次數 162 次
1 個回答
0

I assume that you are referring to the step where you create a certificate for the server using EasyRSA?

./easyrsa build-server-full server nopass

If create a server certificate this way - it will set the common name of the certificate to Subject: CN=server. When you then import this into ACM the domain name will be blank. You can see this if I describe the certicicate I produced and imported into ACM:

 % aws acm describe-certificate --certificate-arn 'arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2' --region eu-central-1
{
    "Certificate": {
        "CertificateArn": "arn:aws:acm:eu-central-1:xxxxxxxxxxxx:certificate/27ba7679-7578-4c94-XXXX-683479fb6ac2",
        "SubjectAlternativeNames": [],
        "Serial": "3b:ec:78:83:0c:0c:d5:79:5f:46:11:14:29:XX:XX:XX",
        "Subject": "CN=server",
        "Issuer": "vpn.gbit.ca",
        "CreatedAt": "2024-03-27T10:57:24.560000+01:00",
        "ImportedAt": "2024-03-27T10:57:24.573000+01:00",
        "Status": "ISSUED",
        "NotBefore": "2024-03-27T10:48:44+01:00",
        "NotAfter": "2026-06-30T11:48:44+02:00",
        "KeyAlgorithm": "RSA-2048",
        "SignatureAlgorithm": "SHA256WITHRSA",
        "InUseBy": [],
        "Type": "IMPORTED",
        "KeyUsages": [
            {
                "Name": "DIGITAL_SIGNATURE"
            },
            {
                "Name": "KEY_ENCIPHERMENT"
            }
        ],
        "ExtendedKeyUsages": [
            {
                "Name": "TLS_WEB_SERVER_AUTHENTICATION",
                "OID": "1.3.6.1.5.5.7.3.1"
            }
        ],
        "RenewalEligibility": "INELIGIBLE",
        "Options": {
            "CertificateTransparencyLoggingPreference": "DISABLED"
        }
    }
}

As you can see the common name is just a name server and it has no domain portion.

If you are creating a server certificate for ClientVPN - include a fully qualified name in the call - for instance:

./easyrsa build-server-full vpn.example.com nopass

This will create a server certificate that contains the common name vpn.example.com and when you import it the domain portion in ACM will not be blank.

AWS
專家
Max Clements
已回答 1 個月前
profile picture
專家
Giovanni Lauria
已審閱 1 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容