I'm trying to setup a private Certificate Authority (CA) in AWS ACM in order to setup a direct VPN connection to a VPC without internet access (on purpose). https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html

So in the VPN Client configuration I need to get the Server certificate ARN. That's where I've gone to try and setup the private CA in order to setup the Client VPN Endpoint.

Currently, I've created the Private CA in ACM, but need to:

Import a CA certificate to activate your CA.

I'm a little unclear on what's going on here. At the moment it's just me, so I've done the following:

(Following this link: https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309 )

On Local PC:

  1. Create root CA Private Key:

    openssl genrsa -des3 -out rootCA.key 4096

  2. Create and self-sign the "Root Certificate" on local pc:

    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt

  3. Generate the certificate for AWS service, "AWS Service Certificate", with the CA Root key (Private Key)/Root Certificate and the AWS issued CSR:

    openssl x509 -req -in AWS-PRIVATE-CSR.pem -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out service.aws.crt -days 500 -sha256

Then from the AWS ACM Console:

  1. From the Import CA Certificate dialog:

    • Add "AWS Service Certificate" as the Certificate body
    • Add "Root Certificate" as the Certificate chain

At this point I get the error when I click, "Confirm and Import":

CertificateMismatchException The certificate version must be greater than or equal to 3.

I checked the version of the generated "AWS Service Certificate" with the following command, and it shows as Version 1.

    openssl x509 -in service.aws.crt -text -noout
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
        ...

So apparently I'm doing something wrong here, but I can't seem to find what it is. To resolve the current AWS error my question is:

  • How can I generate a Version: 3 cert using the root Key/Cert and AWS CSR?

Alternatively what's the best way to connect to a VPC without internet access? If it's easier to setup a VPC<->VPC connection where I can access the other VPC via SSH that could work.

monkut
  • You must either have a very old version of openssl or have some weird openssl config setup. It should generate v3 certificates and has done for a very long time now... – Shane Powell May 24 '19 at 01:15
  • Ok, I'll check. The interesting thing is that the generated `root certificate` is generated as version 3. I noticed that one uses the `req` command resulting in version 3, while the CSR certificate command `x509` is used, resulting in version 1.... – monkut May 24 '19 at 02:48
  • OpenSSL 1.1.0g 2 Nov 2017 – monkut May 24 '19 at 02:51
  • upgrading version with procedure here https://askubuntu.com/questions/1102803/how-to-upgrade-openssl-1-1-0-to-1-1-1-in-ubuntu-18-04 – monkut May 24 '19 at 02:55

1 Answer

I was incorrect in my comment that it may be your openssl version. The instructions are a little off on generating the certificate from the CSR. The problem is that you don't have openssl setup correctly to do this.

The easiest fix is to create a text file (e.g. v3.ext) with the contents of:

    authorityKeyIdentifier=keyid,issuer
    basicConstraints=critical,CA:TRUE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

Then add the following to your openssl command line: "-extfile filename", e.g. "-extfile v3.ext".

So your openssl command will be:

    openssl x509 -req -in AWS-PRIVATE-CSR.pem -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out service.aws.crt -days 500 -sha256 -extfile v3.ext

You can then verify with

    openssl x509 -in service.aws.crt -text -noout

That should generate you a v3 certificate.

Shane Powell
  • beautiful! Yes, I've confirmed that this gives me a v3 Certificate! – monkut May 24 '19 at 04:21
  • This got me to the next error: `The basic constraints extension must specify that the certificate is for a CA.` – monkut May 24 '19 at 04:29
  • After updating the following line in the `v3.ext` file you mentioned, the cert imported successfully: `basicConstraints=critical,CA:TRUE` – monkut May 24 '19 at 04:34
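The fix from the answer and the CA:TRUE follow-up from the comments, run end to end as an added example (this is not code from the question or the answer). The CSR is generated locally as a stand-in for the one ACM Private CA hands out, the root key is created without a passphrase so the script runs unattended, and all file names follow the thread.

```shell
#!/bin/sh
# Added example: sign a CSR the way the answer describes, then check the two
# properties ACM rejected (X.509 version, basicConstraints CA flag).
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Root CA key and self-signed root certificate. `req -x509` already emits v3,
# which is why the root from the question imported without complaint.
openssl genrsa -out rootCA.key 2048 2>/dev/null
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
  -subj "/CN=Example Root CA" -out rootCA.crt 2>/dev/null

# Constructed stand-in for AWS-PRIVATE-CSR.pem (in the real flow ACM supplies it)
openssl genrsa -out subordinate.key 2048 2>/dev/null
openssl req -new -key subordinate.key -subj "/CN=Example Subordinate CA" \
  -out AWS-PRIVATE-CSR.pem 2>/dev/null

# Extension file from the answer, with the CA:TRUE value from the comments.
# (RFC 5280 also expects keyCertSign and cRLSign in keyUsage for a CA; kept as posted.)
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=critical,CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
EOF

# sign_csr CSR EXTFILE OUT: the answer's `x509 -req` command; -extfile is what
# turns the bare v1 certificate into a v3 certificate carrying the extensions above.
sign_csr() {
  openssl x509 -req -in "$1" -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
    -out "$3" -days 500 -sha256 -extfile "$2" 2>/dev/null
}

# cert_version FILE: prints the X.509 version number (ACM requires 3)
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'
}

# cert_is_ca FILE: prints yes if basicConstraints asserts CA:TRUE (ACM's second check)
cert_is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

sign_csr AWS-PRIVATE-CSR.pem v3.ext service.aws.crt
echo "version=$(cert_version service.aws.crt) ca=$(cert_is_ca service.aws.crt)"
```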