Use the CreateCertificate.ps1 script, then follow the instructions below:
CreateCertificate.ps1
#Run as Administrator
function PSScriptRoot()
{
    $ScriptRoot = ""
    Try
    {
        $ScriptRoot = Get-Variable -Name PSScriptRoot -ValueOnly -ErrorAction Stop
    }
    Catch
    {
        $ScriptRoot = Split-Path $script:MyInvocation.MyCommand.Path
    }
    return $ScriptRoot
}
# PSPKI supplies Convert-PfxToPem
Install-Module -Name PSPKI -Scope AllUsers
Import-Module PSPKI
$PSScriptPath = PSScriptRoot
$certPassword = ConvertTo-SecureString -String "touchworks.VPN" -Force -AsPlainText
# Create a self-signed root certificate (valid 5 years, stored in the machine store)
$exp = (Get-Date).AddYears(5)
$rootCert = New-SelfSignedCertificate `
    -DnsName self-service.root.clientvpn.amazonaws.com `
    -Subject "CN=AWS.VPN.Root" `
    -CertStoreLocation "cert:\LocalMachine\My" `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -NotAfter $exp `
    -KeyExportPolicy Exportable -KeySpec Signature -KeyProtection None -KeyUsageProperty All
# Create a client certificate signed by the root; EKU 1.3.6.1.5.5.7.3.2 = Client Authentication
$clientCert = New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert `
    -Subject "CN=AWS.VPN.Client" `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") `
    -KeyExportPolicy Exportable -KeySpec Signature -KeyProtection None -KeyUsageProperty All
# Export the Root certificate with private key (PFX), then convert it to PEM (PKCS#1 key)
$rootCert.PSPath
$pfxFilePath = Join-Path $PSScriptPath ($rootCert.Subject + ".pfx")
$pemFilePath = Join-Path $PSScriptPath ($rootCert.Subject + ".pem")
Export-PfxCertificate -Cert $rootCert.PSPath -FilePath $pfxFilePath -Password $certPassword
Convert-PfxToPem -InputFile $pfxFilePath -OutputFile $pemFilePath -Password $certPassword -OutputType Pkcs1
# Export the client certificate the same way (the PFX also carries the root via BuildChain)
$clientCert.PSPath
$pfxFilePath = Join-Path $PSScriptPath ($clientCert.Subject + ".pfx")
$pemFilePath = Join-Path $PSScriptPath ($clientCert.Subject + ".pem")
Export-PfxCertificate -Cert $clientCert.PSPath -FilePath $pfxFilePath -Password $certPassword -ChainOption BuildChain -CryptoAlgorithmOption AES256_SHA256
Convert-PfxToPem -InputFile $pfxFilePath -OutputFile $pemFilePath -Password $certPassword -OutputType Pkcs1
1. Create Certificates
Run CreateCertificate.ps1
The following files are generated:
Root: CN=AWS.VPN.Root.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAscrFXB0k4vVt2+4WX2f67ceWW8bL/Zxwj8VboOucAiy2RtUV
...
Pdo5MeLbJCYjZwMxZ0KuLybyl0OxkYnhYT7UNExJYgz0E87fJIFN
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDQDCCAiigAwIBAgIQaBfHrrrdALtOxYJsf+N4UzANBgkqhkiG9w0BAQsFADAX
...
HmuJiV7KTDWGkmTVfgxP1coMr7M=
-----END CERTIFICATE-----
Client: CN=AWS.VPN.Client.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAq6MdA2PWfsR6k2r1rT7EFgN4fGgKvRIFpTE5K7WmUDBxqSL/
...
eEM5vupZfK5F2LW4cqkFFamv93+gcgWqVo/7U9rxwQbMdBj9v2bMWQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDOzCCAiOgAwIBAgIQWzHJgWjQhoJKcnXOLno1fTANBgkqhkiG9w0BAQsFADAX
...
ORyAIYAJd3P2MIecP+NR
-----END CERTIFICATE-----
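Before importing anything into AWS Certificate Manager, it is worth confirming that the client certificate actually chains to the root, carries the Client Authentication EKU the script requests, and still has its private key attached. The following PowerShell is an added check, not part of CreateCertificate.ps1; it assumes both certificates are still in the stores the script wrote them to (root in LocalMachine\My, client in CurrentUser\My) and uses the script's subject names.

```powershell
# Added verification example (not from the original notes). Assumes the stores and
# subject names used by CreateCertificate.ps1 above.
$rootCert   = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq 'CN=AWS.VPN.Root'   | Select-Object -First 1
$clientCert = Get-ChildItem Cert:\CurrentUser\My  | Where-Object Subject -eq 'CN=AWS.VPN.Client' | Select-Object -First 1
if (-not $rootCert -or -not $clientCert) { throw 'Certificates not found; run CreateCertificate.ps1 first' }

function Test-ClientVpnCert {
    # Returns a list of problems; an empty list means the pair is ready to use.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Client,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Root
    )
    $problems = @()

    # 1. The client certificate must build a chain that ends at our root.
    #    The root is self-signed and sits in LocalMachine\My rather than a trusted root
    #    store, so allow an unknown CA and hand the root to the chain builder explicitly.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.ChainPolicy.ExtraStore.Add($Root)
    [void]$chain.Build($Client)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($top.Thumbprint -ne $Root.Thumbprint) {
        $problems += "client certificate does not chain to $($Root.Subject)"
    }
    foreach ($status in $chain.ChainStatus) {
        # UntrustedRoot is expected here (private root); anything else is a real defect.
        if ($status.Status -ne 'UntrustedRoot') { $problems += "chain status: $($status.Status)" }
    }

    # 2. EKU (2.5.29.37) must include Client Authentication (1.3.6.1.5.5.7.3.2).
    $eku = $Client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.2') {
        $problems += 'EKU does not include Client Authentication'
    }

    # 3. Without an associated private key, Export-PfxCertificate cannot produce a usable PFX.
    if (-not $Client.HasPrivateKey) { $problems += 'client certificate has no private key' }

    # 4. Both certificates must be inside their validity window right now.
    $now = Get-Date
    foreach ($c in @($Root, $Client)) {
        if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) { $problems += "$($c.Subject) is not currently valid" }
    }
    return $problems
}

$issues = Test-ClientVpnCert -Client $clientCert -Root $rootCert
if ($issues.Count -eq 0) { 'OK: client certificate chains to the root and is usable for client auth' }
else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

Run this in the same elevated session that ran the script. Revocation checking is disabled on purpose: the private root publishes no CRL, so an online check could only fail.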
2. Import the Root certificate into AWS Certificate Manager:
Use Certificate Manager | Import a certificate
Certificate body ==> Root Certificate
Certificate private key ==> Root RSA Private Key
Certificate chain ==> leave empty
3. Apply the AWS Certificate Manager certificate to the VPN under AWS Client VPN Endpoints
Use Client VPN Endpoints | Actions | Modify Client VPN Endpoint
4. Download the Client Configuration (ovpn) File under AWS Client VPN Endpoints
Use Client VPN Endpoints | Download Client Configuration
5. Modify the Client Configuration (ovpn) File
- There is a bug in the OpenVPN client that ignores the remote-random-hostname setting in the ovpn file.
- The VPN's self-service portal does not generate a usable ovpn file.
Modify the ovpn file as follows:
- Prepend a random string to the remote hostname (the qwerty. label in the example below)
- Add the client certificate and key (the lines marked >>> in the example below)
Example OVPN File
client
dev tun
proto udp
>>> remote qwerty.cvpn-endpoint-0aae...680bf.prod.clientvpn.us-east-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MIIDQDCCAiigAwIBAgIQdn3tb5/zQJJCitV4XSxmmTANBgkqhkiG9w0BAQsFADAX
...
tx2txb5TvvJnEoRkEFlnpxmXd5U=
-----END CERTIFICATE-----
</ca>
>>> <cert>
>>> -----BEGIN CERTIFICATE-----
>>>
>>> ***CLIENT CERTIFICATE***
>>>
>>> -----END CERTIFICATE-----
>>>
>>>
>>> </cert>
>>> <key>
>>> -----BEGIN RSA PRIVATE KEY-----
>>>
>>> ***CLIENT RSA PRIVATE KEY***
>>>
>>> -----END RSA PRIVATE KEY-----
>>>
>>> </key>
auth-user-pass
reneg-sec 0
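The two edits in step 5 are mechanical, so they can be scripted rather than done by hand for every user. The PowerShell below is an added example, not part of the original notes or the AWS tooling: it prepends a random label to the remote hostname and inserts the <cert> and <key> blocks from the client PEM right after </ca>, exactly as the example file above shows. The file names in the commented real-use line are assumptions, and the sample inputs are constructed stand-ins with no real endpoint or key material, so the block runs on its own.

```powershell
# Added example (not from the original notes): build the modified ovpn file from the
# downloaded client configuration and the client PEM that CreateCertificate.ps1 wrote.

function Get-PemBlock {
    # Return the first "-----BEGIN <Label>----- ... -----END <Label>-----" block in $Pem.
    param([string]$Pem, [string]$Label)
    $m = [regex]::Match($Pem, "(?s)-----BEGIN $Label-----.*?-----END $Label-----")
    if (-not $m.Success) { throw "PEM block '$Label' not found" }
    return $m.Value
}

function New-ClientVpnProfile {
    param([string]$Ovpn, [string]$ClientPem)
    $cert = Get-PemBlock -Pem $ClientPem -Label 'CERTIFICATE'
    $key  = Get-PemBlock -Pem $ClientPem -Label 'RSA PRIVATE KEY'

    # Step 5a: prepend a random label to the hostname on the "remote" line.
    # '^remote\s+' does not match remote-random-hostname or remote-cert-tls.
    $alphabet = 'abcdefghijklmnopqrstuvwxyz'
    $prefix = -join (1..8 | ForEach-Object { $alphabet[(Get-Random -Maximum $alphabet.Length)] })
    $lines = New-Object System.Collections.Generic.List[string]
    foreach ($line in ($Ovpn -split "`r?`n")) {
        $lines.Add(($line -replace '^remote\s+', "remote $prefix."))
    }

    # Step 5b: add the client certificate and key directly after the </ca> block.
    $idx = $lines.IndexOf('</ca>')
    if ($idx -lt 0) { throw 'ovpn file has no <ca> block' }
    $inline = [string[]]@('<cert>', $cert, '</cert>', '<key>', $key, '</key>')
    $lines.InsertRange($idx + 1, $inline)
    return ($lines -join "`n")
}

# Constructed sample standing in for the downloaded configuration file (placeholder endpoint).
$sampleOvpn = @'
client
dev tun
proto udp
remote cvpn-endpoint-EXAMPLE.prod.clientvpn.us-east-1.amazonaws.com 443
remote-random-hostname
<ca>
-----BEGIN CERTIFICATE-----
SAMPLEROOTCERT
-----END CERTIFICATE-----
</ca>
auth-user-pass
reneg-sec 0
'@

# Constructed sample standing in for CN=AWS.VPN.Client.pem (key first, then certificate).
$sampleClientPem = @'
-----BEGIN RSA PRIVATE KEY-----
SAMPLECLIENTKEY
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
SAMPLECLIENTCERT
-----END CERTIFICATE-----
'@

New-ClientVpnProfile -Ovpn $sampleOvpn -ClientPem $sampleClientPem

# Real use (file names are assumptions). The output embeds the private key, so write it
# to a location only the intended user can read:
# New-ClientVpnProfile -Ovpn (Get-Content .\downloaded-client-config.ovpn -Raw) `
#     -ClientPem (Get-Content '.\CN=AWS.VPN.Client.pem' -Raw) | Set-Content .\client.ovpn
```

Each run picks a fresh random label, which is all the remote-random-hostname option would have done had the client honoured it.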
6. Distribute the modified ovpn file and Client to users.
7. References
How to configure Windows VPN Server
https://www.wintips.org/how-to-setup-vpn-server-on-windows-server-2016-pptp/
https://acloudxpert.com/generate-and-export-certificates-for-point-to-site-using-powershell/
How to Use AWS VPN to Lock Down Access to Your Servers
https://www.cloudsavvyit.com/3270/how-to-use-aws-vpn-to-lock-down-access-to-your-servers/
Create a self-signed certificate with PowerShell
https://4sysops.com/archives/create-a-self-signed-certificate-with-powershell/