
AWS multiple VPN client certificates

Using AWS I need to make sure I have multiple clients using the VPN network. Each of the clients will use the same server certificate I created earlier.

Now, using this documentation, I managed to set up my own VPN and have been able to connect to it using the generated client certificate. This is of course for just one client. I need this done for 3. I cannot share the same client certificate between them, as I want to be able to revoke the certificate per person.

Whilst configuring the VPN endpoint I noticed that I had to use "Mutual Authentication" since we have no AD nor will we set one up. This requires you to provide a client certificate when creating the endpoint.

The documentation for generating the certificates and keys states this:

You only need to upload the client certificate to ACM when the Certificate Authority (Issuer) of the client certificate is different from the Certificate Authority (Issuer) of the server certificate.

Since I just created both (client and server) using the easyrsa steps as described by Amazon itself, I find myself unable to create an endpoint when I don't have a client certificate uploaded to ACM, regardless of it apparently not being required.

Does this actually mean that I need to set up N different endpoints (one per user) when I want them to use their own certificates? This sounds like a pretty heavy task to me, especially once you have more than 3 users. The documentation mentions this:

You can create a separate client certificate and key for each client that will connect to the Client VPN endpoint.

(emphasis mine)

Notice the single "endpoint" as opposed to the plural? Can anyone shed some light on what I might be missing?

When using the mutual authentication option for your VPN (subject to the constraint that they are issued by the same CA), then yes, each of the 3 client certificates should be able to connect to the same endpoint without having to upload each client certificate to ACM.
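The workflow the question and answer describe, as an added example that is not part of the original post: one CA issues a single server certificate (the only thing imported into ACM) plus a distinct client certificate per person, all of which authenticate against the same Client VPN endpoint, and a single client is revoked by regenerating the CRL and importing it to that endpoint. The easy-rsa path, the client names and the endpoint id are assumed placeholders; DRY_RUN=1 (the default) prints the commands instead of running them, so the script can be read without easy-rsa or the AWS CLI installed.

```shell
#!/bin/sh
# Added example, not from the original post. Per-client certificates from one
# CA, one server cert in ACM, one endpoint, per-client revocation via CRL.
set -eu

EASYRSA_DIR="${EASYRSA_DIR:-./easy-rsa/easyrsa3}"            # assumed path
CLIENTS="${CLIENTS:-alice.example.com bob.example.com carol.example.com}"  # constructed
ENDPOINT_ID="${ENDPOINT_ID:-cvpn-endpoint-PLACEHOLDER}"       # placeholder, not a real id
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute easyrsa / aws

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time setup: CA plus the server certificate. Only the server cert (with
# its key and the CA chain) goes to ACM; client certs from this CA never do.
init_pki() {
    run "$EASYRSA_DIR/easyrsa" init-pki
    run "$EASYRSA_DIR/easyrsa" build-ca nopass
    run "$EASYRSA_DIR/easyrsa" build-server-full server nopass
    run aws acm import-certificate \
        --certificate "fileb://$EASYRSA_DIR/pki/issued/server.crt" \
        --private-key "fileb://$EASYRSA_DIR/pki/private/server.key" \
        --certificate-chain "fileb://$EASYRSA_DIR/pki/ca.crt"
}

# Per-client: a separate cert/key pair signed by the same CA. The client gets
# pki/issued/<name>.crt, pki/private/<name>.key and ca.crt in its .ovpn profile.
issue_client() {
    run "$EASYRSA_DIR/easyrsa" build-client-full "$1" nopass
}

issue_all_clients() {
    for c in $CLIENTS; do
        issue_client "$c"
    done
}

# Revoke one person without touching the others: mark the cert revoked, regenerate
# the CRL, and import the CRL into the single endpoint. --batch skips the prompt.
revoke_client() {
    run "$EASYRSA_DIR/easyrsa" --batch revoke "$1"
    run "$EASYRSA_DIR/easyrsa" gen-crl
    run aws ec2 import-client-vpn-client-certificate-revocation-list \
        --client-vpn-endpoint-id "$ENDPOINT_ID" \
        --certificate-revocation-list "file://$EASYRSA_DIR/pki/crl.pem"
}

init_pki
issue_all_clients
```

Run it once with DRY_RUN=1 to review the command sequence, then with DRY_RUN=0 to execute it; to cut off one user later, call `revoke_client alice.example.com` (or whatever common name was issued) and every other client keeps connecting to the same endpoint.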
