How do I create and connect to a Client VPN endpoint using private certificates for mutual authentication with AWS Certificate Manager?

Last updated: 2021-02-22

I want to create and connect to an AWS Client VPN endpoint using private certificates for mutual authentication with AWS Certificate Manager (ACM). How can I do this?

Short description

With Client VPN, there are several options for configuring client authentication. One of these options is mutual authentication, which is a type of certificate-based authentication. These certificates can be self-signed or generated using ACM. To create private digital certificates using ACM and AWS Certificate Manager Private Certificate Authority, complete the following steps.

Resolution

Important: Using ACM and ACM Private CA for mutual authentication isn't currently supported for use with the AWS provided client for the Client VPN application. To connect to a Client VPN endpoint using the AWS provided client, see Connect using the AWS provided client.

  1. Using ACM, create a private CA. If needed, you can also create a subordinate CA (optional).
  2. Using the private CA that you created in the previous step, generate private certificates for your server and client.
  3. Using the certificates that created in the previous step, create an AWS Client VPN endpoint.
  4. Export the client certificate that you created in step 2.
  5. Download and prepare the Client VPN endpoint configuration file. The client certificate and key values required to prepare the configuration file are provided in the client certificate that you exported in the previous step.
  6. Export and configure the client configuration file.
  7. Connect to the Client VPN endpoint using any OpenVPN-based client application.

Did this article help?


Do you need billing or technical support?