Mutual authentication
With mutual authentication, Client VPN uses certificates to perform authentication between
the client and the server. Certificates are a digital form of identification issued by a
certificate authority (CA). The server uses client certificates to authenticate clients
when they attempt to connect to the Client VPN endpoint. You must create a server
certificate and key, and at least one client certificate and key.
You must
upload the server certificate to AWS Certificate Manager (ACM) and specify it when you create a Client VPN
endpoint. When you upload the server certificate to ACM, you also specify the
certificate authority (CA). You only need to upload the client certificate to ACM when
the CA of the client certificate is different from the CA of the server certificate. For
more information about ACM, see the AWS Certificate Manager User Guide.
You can create a separate client certificate and key for each client that will connect
to the Client VPN endpoint. This enables you to revoke a specific client certificate if a
user leaves your organization. In this case, when you create the Client VPN endpoint, you
can specify the server certificate ARN for the client certificate, provided that the
client certificate has been issued by the same CA as the server certificate.
A Client VPN endpoint supports 1024-bit and 2048-bit RSA key sizes only. Also, the
client certificate must have the CN attribute in the Subject field.
When the certificate being used by the Client VPN endpoint is updated, either through
ACM auto-rotation or manually importing a new certificate, the Client VPN service will
update the Client VPN endpoint with the newer certificate. However, this automated
process can take up to 24 hours.
- Linux/macOS
-
The following procedure uses OpenVPN easy-rsa to generate the server and
client certificates and keys, and then uploads the server certificate and
key to ACM. For more information, see the Easy-RSA 3 Quickstart README.
To generate the server and client certificates and keys and upload
them to ACM
-
Clone the OpenVPN easy-rsa repo to your local computer and
navigate to the easy-rsa/easyrsa3 folder.
$ git clone https://github.com/OpenVPN/easy-rsa.git
$ cd easy-rsa/easyrsa3
-
Initialize a new PKI environment.
$ ./easyrsa init-pki
-
To build a new certificate authority (CA), run this command and follow
the prompts.
$ ./easyrsa build-ca nopass
-
Generate the server certificate and key.
$ ./easyrsa build-server-full server nopass
-
Generate the client certificate and key.
Make sure to save the client certificate and the client private
key because you will need them when you configure the client.
$ ./easyrsa build-client-full client1.domain.tld nopass
You can optionally repeat this step for each client (end user)
that requires a client certificate and key.
-
Copy the server certificate and key and the client certificate and
key to a custom folder and then navigate into the custom
folder.
Before you copy the certificates and keys, create the custom
folder by using the mkdir command. The following
example creates a custom folder in your home directory.
$ mkdir ~/custom_folder/
$ cp pki/ca.crt ~/custom_folder/
$ cp pki/issued/server.crt ~/custom_folder/
$ cp pki/private/server.key ~/custom_folder/
$ cp pki/issued/client1.domain.tld.crt ~/custom_folder
$ cp pki/private/client1.domain.tld.key ~/custom_folder/
$ cd ~/custom_folder/
-
Upload the server certificate and key and the client certificate
and key to ACM. Be sure to upload them in the same Region in which you
intend to create the Client VPN endpoint. The following commands use the AWS CLI
to upload the certificates. To upload the certificates using the ACM
console instead, see Import a certificate in the AWS Certificate Manager User Guide.
$ aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt
$ aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt
You do not necessarily need to upload the client certificate to
ACM. If the server and client certificates have been issued by the
same Certificate Authority (CA), you can use the server certificate
ARN for both server and client when you create the Client VPN endpoint.
In the steps above, the same CA has been used to create both
certificates. However, the steps to upload the client certificate
are included for completeness.
- Windows
-
The following procedure installs Easy-RSA 3.x software and uses it to
generate server and client certificates and keys.
To generate server and client certificates and keys and upload
them to ACM
-
Open the EasyRSA releases page and download the ZIP file for your version
of Windows and extract it.
-
Open a command prompt and navigate to the location that the EasyRSA-3.x
folder was extracted to.
Run the following command to open the EasyRSA 3 shell.
C:\Program Files\EasyRSA-3.x> .\EasyRSA-Start.bat
-
Initialize a new PKI environment.
# ./easyrsa init-pki
-
To build a new certificate authority (CA), run this command and follow
the prompts.
# ./easyrsa build-ca nopass
-
Generate the server certificate and key.
# ./easyrsa build-server-full server nopass
-
Generate the client certificate and key.
# ./easyrsa build-client-full client1.domain.tld nopass
You can optionally repeat this step for each client (end user)
that requires a client certificate and key.
-
Exit the EasyRSA 3 shell.
# exit
-
Copy the server certificate and key and the client certificate and
key to a custom folder and then navigate into the custom folder.
Before you copy the certificates and keys, create the custom
folder by using the mkdir command. The following
example creates a custom folder in your C:\ drive.
C:\Program Files\EasyRSA-3.x> mkdir C:\custom_folder
C:\Program Files\EasyRSA-3.x> copy pki\ca.crt C:\custom_folder
C:\Program Files\EasyRSA-3.x> copy pki\issued\server.crt C:\custom_folder
C:\Program Files\EasyRSA-3.x> copy pki\private\server.key C:\custom_folder
C:\Program Files\EasyRSA-3.x> copy pki\issued\client1.domain.tld.crt C:\custom_folder
C:\Program Files\EasyRSA-3.x> copy pki\private\client1.domain.tld.key C:\custom_folder
C:\Program Files\EasyRSA-3.x> cd C:\custom_folder
-
Upload the server certificate and key and the client certificate
and key to ACM. Be sure to upload them in the same Region in which
you intend to create the Client VPN endpoint. The following commands use
the AWS CLI to upload the certificates. To upload the certificates using the
ACM console instead, see Import a certificate in the AWS Certificate Manager User Guide.
aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt
aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt
You do not necessarily need to upload the client certificate to
ACM. If the server and client certificates have been issued by the
same Certificate Authority (CA), you can use the server certificate
ARN for both server and client when you create the Client VPN endpoint.
In the steps above, the same CA has been used to create both
certificates. However, the steps to upload the client certificate
are included for completeness.
Renewing your server certificate
You can renew and import a server certificate that has expired with the following procedure.
-
Run the certificate renew command.
$ ./easyrsa renew server nopass
-
Create a custom folder, copy the new files to it, then navigate into the folder.
$ mkdir ~/custom_folder2
$ cp pki/ca.crt ~/custom_folder2/
$ cp pki/issued/server.crt ~/custom_folder2/
$ cp pki/private/server.key ~/custom_folder2/
$ cd ~/custom_folder2/
-
Import the new files to ACM. Be sure to import them in the same Region as the Client VPN endpoint.
$ aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt
