AWS Client VPN – Certificates (Quick Explanation)

This README explains certificates used by AWS Client VPN in a simple and concise way.

---

🔐 Why Certificates Are Required

AWS Client VPN uses mutual TLS (mTLS) authentication.

This means:

• The client verifies the VPN server
• The VPN server verifies the client
• Trust is established using certificates signed by the same Certificate Authority (CA)

---

📜 Certificate Types

1️⃣ Root Certificate (Certificate Authority – CA)

• The trust anchor
• Signs both server and client certificates
• Uploaded to AWS Certificate Manager (ACM)
• AWS trusts any certificate signed by this CA

Purpose:

Establishes trust

---

2️⃣ Server Certificate

• Used by the AWS Client VPN endpoint
• Proves the identity of the VPN server
• Signed by the CA
• Uploaded to ACM
• Attached when creating the Client VPN endpoint

Purpose:

Confirms the VPN server is legitimate

---

3️⃣ Client Certificate

• Installed on the user’s device
• Proves the client is allowed to connect
• Signed by the same CA
• Included in the .ovpn configuration file
• Private key never leaves the client

Purpose:

Grants access to the VPN

---

---

✅ Key Rules

• All certificates must be signed by the same CA
• CA certificate must be uploaded to ACM
• Client private keys must remain private
• Certificate-based auth does not use IAM users
• One CA can be used for multiple clients

---

🧠 One-Line Summary

CA = trust, Server certificate = VPN identity, Client certificate = access permission

---

🔄 Certificate Rotation (Best Practice)

• Rotate client certificates regularly
• Rotate server certificates before expiration
• Rotating the CA requires reissuing all certificates

---

📚 References

• https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html
• https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html