AWS multiple VPN client certificates

Question

Using AWS I need to make sure I have multiple clients using the VPN network. Each of the clients will use the same server certificate I created earlier.

Now using this documentation I managed to setup my own VPN and been able to connect to it using the generated client certificate. This is of course for just one client. I need this done for 3. I cannot share the same client certificate between them as I want to be able to revoke the certificate per person.

Whilst configuring the VPN endpoint I noticed that I had to use "Mutual Authentication" since we have no AD nor will we set one up. This requires you to provide a client certificate when creating the endpoint.

The documentation for generating the certificates and keys states this:

You only need to upload the client certificate to ACM when the Certificate Authority (Issuer) of the client certificate is different from the Certificate Authority (Issuer) of the server certificate.

Since I just created both (client and server) using the easyrsa steps as mentioned by amazon itself, I find myself unable to create an endpoint when I don't have a client certificate uploaded to the ACM, regardless of it apparently not being required to upload.

Does this actually mean that I need to setup N different endpoints (for each user) when I want to have them use their own certificates? This to me sounds a pretty heavy task, especially provided you have more than 3 users. The documentation is mentioning this:

You can create a separate client certificate and key for each client that will connect to the Client VPN endpoint.

(emphasis mine)

Notice the single "endpoint" as opposed to the plural? Can anyone shed some light on what I might be missing?

Answer 1

When using Mutual Authentication option for your VPN, (with the limitations regarding the same issue in CA) then yes, each of the 3 client certs should be able to connect to the same end point, without needing to upload each client cert to ACM.