How can I generate server and client certificates and their respective keys on a Windows server and upload them to ACM?

Last updated: 2020-04-10

How can I generate server and client certificates and their respective keys on a Windows server and upload them to AWS Certificate Manager (ACM)?

Resolution

Generate the server and client certificates and their respective keys

1.    Go to the OpenVPN Community Downloads page.

2.    Select the Windows Installer (.exe) file for the Windows OS version that you're running. Then, choose Run.

3.    Complete the OpenVPN Setup Wizard:
       Choose Next.
       Review the license agreement, and then choose I Agree.
       For Choose Components, select EasyRSA 2 Certificate Management Scripts.
       Choose Next, and then choose Install.

4.    After the OpenVPN software is installed, open a command prompt and navigate to the easy-rsa folder:

cd \Program Files\OpenVPN\easy-rsa

5.    Start the OpenVPN configuration:

init-config

6.    Open the vars.bat file in a text editor:

notepad vars.bat

Set KEY_SIZE=2048. Then, set values for KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL. Don’t leave any of these parameters blank.

Save and close your text editor.

7.    Run the following commands to set the above variables for the certificate authority (CA) certificate, initialize the public key infrastructure (PKI), and build the CA certificate:

vars
clean-all
build-ca

At the prompt, leave all fields as the default values. Optionally, you can change the Common Name to your server's domain name.

8.    Run the following command to generate a certificate and private key for the server:

build-key-server server

At the prompt, change the Common Name to your server's domain name using the format server.example.com. Leave all of the remaining fields as the default values.

9.    Run the following command to generate a certificate and private key for the client:

build-key client1

At the prompt, change the Common Name to your client's domain name using the format client1.example.com. Leave all of the remaining fields as the default values.

10.    (Optional) If needed, create additional client certificates and keys.

build-key client2

At the prompt, change the Common Name to your client's domain name using the format client2.example.com. Leave all of the remaining fields as the default values.

Important: If you don't follow the format specified above for setting common names, the domain names aren't available when you import the certificate into ACM. As a result, the certificate isn't an available option for specifying the server certificate or client certificate when you create the AWS Client VPN endpoint.
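Before importing, you can check the generated files against the requirements above from PowerShell on the same Windows server. This script is an added example and is not part of the original article or of EasyRSA; it assumes the default keys folder from vars.bat (change $KeyDir if you altered KEY_DIR) and confirms, for each certificate, that the Common Name has the domain-name format, that the key is 2048 bits, that the certificate chains to ca.crt, that it has not expired, and that the matching .key file exists.

```powershell
# Added pre-import check (not from the article): validates EasyRSA output
# before it goes into ACM. Assumption: default KEY_DIR from vars.bat.
$KeyDir = 'C:\Program Files\OpenVPN\easy-rsa\keys'

function Import-PemCert([string]$Path) {
    # EasyRSA 2 writes a human-readable dump above the PEM block; keep only the PEM part.
    $pem = [regex]::Match((Get-Content -Raw $Path),
        '-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----').Value
    if (-not $pem) { throw "No PEM certificate found in $Path" }
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [byte[]][Text.Encoding]::ASCII.GetBytes($pem))
}

$ca = Import-PemCert (Join-Path $KeyDir 'ca.crt')

function Test-VpnCert([string]$Name) {
    $cert = Import-PemCert (Join-Path $KeyDir "$Name.crt")
    $cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $bits = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize

    # Build the chain against ca.crt only, without relying on the Windows trust store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($ca) | Out-Null
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $built = $chain.Build($cert)
    $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Name       = $Name
        CommonName = $cn
        # The article's CN format (server.example.com) is what makes the
        # certificate selectable for the Client VPN endpoint after import.
        DomainCN   = ($cn -match '^([a-z0-9-]+\.)+[a-z]{2,}$')
        KeyBits    = $bits
        Is2048Bit  = ($bits -eq 2048)
        ChainsToCA = ($built -and ($root.Thumbprint -eq $ca.Thumbprint))
        NotExpired = ($cert.NotAfter -gt (Get-Date))
        KeyFile    = (Test-Path (Join-Path $KeyDir "$Name.key"))
    }
}

# Add further client names here if you created client2, client3, ...
'server', 'client1' | ForEach-Object { Test-VpnCert $_ } | Format-Table -AutoSize
```

Every column other than Name, CommonName and KeyBits should read True; a False in DomainCN means the certificate should be regenerated with the Common Name format described above before you import it.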

Import the server and client certificates and keys into ACM

Note: The server and client certificates, and their respective keys, are available in C:\Program Files\OpenVPN\easy-rsa\keys.

1.    Open the following files: server.crt, server.key, client1.crt, client1.key, and ca.crt.

2.    Open the ACM console, and then choose Import a certificate.

3.    On the Import a certificate page, copy/paste the content:
       From the server.crt file to Certificate body.
       From the server.key file to Certificate private key.
       From the ca.crt file to Certificate chain.

4.    Choose Import to import the server certificate.

5.    Choose Import a certificate again and copy/paste the content:
       From the client1.crt file to Certificate body.
       From the client1.key file to Certificate private key.
       From the ca.crt file to Certificate chain.

6.    Choose Import to import the client certificate.

Or, you can use the AWS Command Line Interface (AWS CLI) to import the server and client certificates and their keys into ACM:

cd C:\Program Files\OpenVPN\easy-rsa\keys
aws acm import-certificate --certificate file://"C:\Program Files\OpenVPN\easy-rsa\keys\server.crt" --private-key file://"C:\Program Files\OpenVPN\easy-rsa\keys\server.key" --certificate-chain file://"C:\Program Files\OpenVPN\easy-rsa\keys\ca.crt"
aws acm import-certificate --certificate file://"C:\Program Files\OpenVPN\easy-rsa\keys\client1.crt" --private-key file://"C:\Program Files\OpenVPN\easy-rsa\keys\client1.key" --certificate-chain file://"C:\Program Files\OpenVPN\easy-rsa\keys\ca.crt"

Confirm that you have successfully created and imported your server and client certificates

1.    Open the ACM console.

2.    In the certificates list, confirm that Issued displays in the Status column for your server and client certificates.


Mutual Authentication (for AWS Client VPN)
