DEV Community

Muhammed Sajeed

How to import server or client certificate on AWS Certificate Manager (ACM)

AWS Certificate Manager (ACM) is a certificate store: you can either request a public certificate from it or import an existing certificate into it.

There are several reasons to import certificates into ACM and use them for mutual (client/server) certificate-based authentication. One example is AWS Client VPN: one of its authentication methods is mutual certificate authentication, for which you need to create the server and client certificates and import them into ACM.

Below are the steps to create a server/client certificate and upload it into AWS ACM, using the OpenVPN easy-rsa tool to create the certificates and keys.

Download the easy-rsa tool to your local computer and change into the easy-rsa/easyrsa3 folder.

$ git clone https://github.com/OpenVPN/easy-rsa.git

$ cd easy-rsa/easyrsa3

Initialize a new PKI environment. This cleans up all existing CAs, certificates and keys inside the easy-rsa folder, so back them up before doing this. This will create a new ca.crt and ca.key in the easyrsa3 folder.

$ ./easyrsa init-pki

Generate the server certificate and key. This will create server.crt and server.key in the easyrsa3 folder.

$ ./easyrsa build-server-full server nopass

Generate the client certificate and key.

$ ./easyrsa build-client-full client1.domain.tld nopass

Copy the .crt and .key files into a common folder and run the AWS CLI command to import the certificate into ACM. You can find the .crt files in easy-rsa/easyrsa3/pki/issued and the .key files in easy-rsa/easyrsa3/pki/private. Make sure the IAM user running the command has permission to import ACM certificates.

To import the server certificate:

$ aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt

To import the client certificate:

$ aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt
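ACM rejects an import when the private key does not belong to the certificate, when the key is encrypted, when the certificate has expired, or when the certificate does not chain to what you pass as --certificate-chain. The script below is an added example (not part of the original post and not easy-rsa or AWS code): it runs those checks with openssl before calling the same aws acm import-certificate command. The file paths are assumptions for an easy-rsa PKI, where ca.crt lives in pki/ (written by ./easyrsa build-ca), issued certificates in pki/issued/ and unencrypted keys (from the nopass option) in pki/private/.

```shell
#!/bin/sh
# Added example, not code from the original post: verify an easy-rsa
# certificate/key/chain bundle before importing it into ACM. Paths are
# assumptions; adjust them to your own PKI layout.

# check_cert_bundle CERT KEY CHAIN
# Returns 0 when the bundle passes every check, 1 otherwise, and prints the
# first failing check to stderr.
check_cert_bundle() {
    cert=$1; key=$2; chain=$3

    # ACM only accepts an unencrypted private key (easy-rsa "nopass").
    if grep -q "ENCRYPTED" "$key"; then
        echo "private key is encrypted; ACM needs an unencrypted key" >&2
        return 1
    fi

    # ACM rejects certificates that have already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate is expired" >&2
        return 1
    fi

    # The public key inside the certificate must match the private key.
    # Comparing the SubjectPublicKeyInfo PEM works for RSA and EC keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # The certificate must verify against the CA you will upload as
    # --certificate-chain (ca.crt for an easy-rsa PKI).
    if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "certificate does not verify against the supplied chain" >&2
        return 1
    fi
    return 0
}

# import_cert CERT KEY CHAIN: run the checks, then import into ACM.
# Note the double dashes: web rendering often turns "--certificate" into a
# dash character that the AWS CLI does not accept.
import_cert() {
    check_cert_bundle "$1" "$2" "$3" || return 1
    aws acm import-certificate \
        --certificate "fileb://$1" \
        --private-key "fileb://$2" \
        --certificate-chain "fileb://$3"
}

# Usage (assumed easy-rsa layout):
#   sh acm-import.sh pki/issued/server.crt pki/private/server.key pki/ca.crt
if [ "$#" -eq 3 ]; then
    import_cert "$1" "$2" "$3"
fi
```

Run it once per certificate (server, then each client) with the matching .crt and .key; the chain argument is the same ca.crt each time. A failing check stops before any AWS call is made, so a mismatched key or a certificate from a different PKI never reaches ACM.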
