# Mutual authentication in AWS Client VPN
With mutual authentication, Client VPN uses certificates to perform authentication between the client and the server. Certificates are a digital form of identification issued by a certificate authority (CA). The server uses client certificates to authenticate clients when they attempt to connect to the Client VPN endpoint. You must create a server certificate and key, and at least one client certificate and key.
You must upload the server certificate to AWS Certificate Manager (ACM) and specify it when you create a Client VPN endpoint. When you upload the server certificate to ACM, you also specify the certificate authority (CA). You only need to upload the client certificate to ACM when the CA of the client certificate is different from the CA of the server certificate. For more information about ACM, see the [AWS Certificate Manager User Guide](https://docs.aws.amazon.com/acm/latest/userguide/).
You can create a separate client certificate and key for each client that will connect to the Client VPN endpoint. This enables you to revoke a specific client certificate if a user leaves your organization. In this case, when you create the Client VPN endpoint, you can specify the server certificate ARN for the client certificate, provided that the client certificate has been issued by the same CA as the server certificate.
Certificates used in AWS Client VPN must adhere to [RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile](https://datatracker.ietf.org/doc/html/rfc5280), including the Certificate Extensions specified in section 4.2 of the memo.
**Note**
A Client VPN endpoint supports 1024-bit and 2048-bit RSA key sizes only. Also, the client certificate must have the CN attribute in the Subject field.
When certificates being used with the Client VPN service are updated, whether through ACM auto-rotation, manually importing a new certificate, or metadata updates to IAM Identity Center the Client VPN service will automatically update theClient VPN endpoint with the newer certificate. This is an automated process that can take up to 5 hours.
**Topics**
+ [Enable mutual authentication](client-auth-mutual-enable.md)
+ [Renew your server certificate](mutual-renew.md)
# Enable mutual authentication for AWS Client VPN
You can enable mutual authentication in Client VPN in either Linux/MacOS or Windows.
------
#### [ Linux/macOS ]
The following procedure uses OpenVPN easy-rsa to generate the server and client certificates and keys, and then uploads the server certificate and key to ACM. For more information, see the [Easy-RSA 3 Quickstart README](https://github.com/OpenVPN/easy-rsa/blob/v3.0.6/README.quickstart.md).
**To generate the server and client certificates and keys and upload them to ACM**
1. Clone the OpenVPN easy-rsa repo to your local computer and navigate to the `easy-rsa/easyrsa3` folder.
```
$ git clone https://github.com/OpenVPN/easy-rsa.git
```
```
$ cd easy-rsa/easyrsa3
```
1. Initialize a new PKI environment.
```
$ ./easyrsa init-pki
```
1. To build a new certificate authority (CA), run this command and follow the prompts.
```
$ ./easyrsa build-ca nopass
```
1. Generate the server certificate and key.
```
$ ./easyrsa --san=DNS:server build-server-full server nopass
```
1. Generate the client certificate and key.
Make sure to save the client certificate and the client private key because you will need them when you configure the client.
```
$ ./easyrsa build-client-full client1.domain.tld nopass
```
You can optionally repeat this step for each client (end user) that requires a client certificate and key.
1. Copy the server certificate and key and the client certificate and key to a custom folder and then navigate into the custom folder.
Before you copy the certificates and keys, create the custom folder by using the `mkdir` command. The following example creates a custom folder in your home directory.
```
$ mkdir ~/custom_folder/
$ cp pki/ca.crt ~/custom_folder/
$ cp pki/issued/server.crt ~/custom_folder/
$ cp pki/private/server.key ~/custom_folder/
$ cp pki/issued/client1.domain.tld.crt ~/custom_folder
$ cp pki/private/client1.domain.tld.key ~/custom_folder/
$ cd ~/custom_folder/
```
1. Upload the server certificate and key and the client certificate and key to ACM. Be sure to upload them in the same Region in which you intend to create the Client VPN endpoint. The following commands use the AWS CLI to upload the certificates. To upload the certificates using the ACM console instead, see [Import a certificate](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-api-cli.html) in the *AWS Certificate Manager User Guide*.
```
$ aws acm import-certificate --certificate fileb://server.crt --private-key fileb://server.key --certificate-chain fileb://ca.crt
```
```
$ aws acm import-certificate --certificate fileb://client1.domain.tld.crt --private-key fileb://client1.domain.tld.key --certificate-chain fileb://ca.crt
```
You do not necessarily need to upload the client certificate to ACM. If the server and client certificates have been issued by the same Certificate Authority (CA), you can use the server certificate ARN for both server and client when you create the Client VPN endpoint. In the steps above, the same CA has been used to create both certificates. However, the steps to upload the client certificate are included for completeness.
------
#### [ Windows ]
The following procedure installs Easy-RSA 3.x software and uses it to generate server and client certificates and keys.
**To generate server and client certificates and keys and upload them to ACM**
1. Open the [EasyRSA releases](https://github.com/OpenVPN/easy-rsa/releases) page and download the ZIP file for your version of Windows and extract it.
1. Open a command prompt and navigate to the location that the `EasyRSA-3.x` folder was extracted to.
1. Run the following command to open the EasyRSA 3 shell.
```
C:\Program Files\EasyRSA-3.x> .\EasyRSA-Start.bat
```
1. Initialize a new PKI environment.
```
# ./easyrsa init-pki
```
1. To build a new certificate authority (CA), run this command and follow the prompts.
```
# ./easyrsa build-ca nopass
```
1. Generate the server certificate and key.
```
# ./easyrsa --san=DNS:server build-server-full server nopass
```
1. Generate the client certificate and key.
```
# ./easyrsa build-client-full client1.domain.tld nopass
```
You can optionally repeat this step for each client (end user) that requires a client certificate and key.
1. Exit the EasyRSA 3 shell.
```
# exit
```
1. Copy the server certificate and key and the client certificate and key to a custom folder and then navigate into the custom folder.
Before you copy the certificates and keys, create the custom folder by using the `mkdir` command. The following example creates a custom folder in your C:\$1 drive.
```
C:\Program Files\EasyRSA-3.x> mkdir C:\custom_folder
C:\Program Files\EasyRSA-3.x> copy pki\ca.crt C:\custom_folder
C:\Program Files\EasyRSA-3.x> copy pki\issued\server.crt C:\custom_folder
C:\Program Files\EasyRSA-3.x> copy pki\private\server.key C:\custom_folder
C:\Program Files\EasyRSA-3.x> copy pki\issued\client1.domain.tld.crt C:\custom_folder
C:\Program Files\EasyRSA-3.x> copy pki\private\client1.domain.tld.key C:\custom_folder
C:\Program Files\EasyRSA-3.x> cd C:\custom_folder
```
1. Upload the server certificate and key and the client certificate and key to ACM. Be sure to upload them in the same Region in which you intend to create the Client VPN endpoint. The following commands use the AWS CLI to upload the certificates. To upload the certificates using the ACM console instead, see [Import a certificate](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-api-cli.html) in the *AWS Certificate Manager User Guide*.
```
aws acm import-certificate \
--certificate fileb://server.crt \
--private-key fileb://server.key \
--certificate-chain fileb://ca.crt
```
```
aws acm import-certificate \
--certificate fileb://client1.domain.tld.crt \
--private-key fileb://client1.domain.tld.key \
--certificate-chain fileb://ca.crt
```
You do not necessarily need to upload the client certificate to ACM. If the server and client certificates have been issued by the same Certificate Authority (CA), you can use the server certificate ARN for both server and client when you create the Client VPN endpoint. In the steps above, the same CA has been used to create both certificates. However, the steps to upload the client certificate are included for completeness.
------
# Renew your server certificate for AWS Client VPN
You can renew and re-import a Client VPN server certificate that has expired. Depending on the version of OpenVPN easy-rsa that you're using, the procedure will vary. See [Easy-RSA 3 Certificate Renewal and Revocation Documentation](https://github.com/OpenVPN/easy-rsa/blob/master/doc/EasyRSA-Renew-and-Revoke.md) for more details.
**To renew your server certificate**
1. Do **one** of the following:
+ Easy-RSA version 3.1.x
1. Run the certificate renew command.
```
$ ./easyrsa renew server nopass
```
+ Easy-RSA version 3.2.x
1. Run the expire command.
```
$ ./easyrsa expire server
```
1. Sign a new certificate.
```
$ ./easyrsa --san=DNS:server sign-req server server
```
1. Create a custom folder, copy the new files to it, then navigate into the folder.
```
$ mkdir ~/custom_folder2
$ cp pki/ca.crt ~/custom_folder2/
$ cp pki/issued/server.crt ~/custom_folder2/
$ cp pki/private/server.key ~/custom_folder2/
$ cd ~/custom_folder2/
```
1. Import the new files to ACM. Be sure to import them in the same Region as the Client VPN endpoint.
```
$ aws acm import-certificate \
--certificate fileb://server.crt \
--private-key fileb://server.key \
--certificate-chain fileb://ca.crt \
--certificate-arn arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-12345678901
```