I am having issues with certificate authentication using AWS Site-to-Site VPN. I created a new VPN connection in AWS using the same configuration that worked for the shared secret. However, when I inspect the traffic, the Certificate Request in the IKE_SA_INIT response has two Certificate Authorities that I do not recognize (and only two). These are not the SHA1 hashes of any of the configured certificates or CAs in their chain. I deleted the connection, customer gateway, and certificates and started from scratch. The new IKE_SA_INIT Certificate Request has the same exact CA hashes...
Can anyone help me understand what is happening here? It is my understanding that the two Certificate Authorities in the Certificate Request should be my AWS Private Certificate Authority Root CA and the Subordinate CA. There is so little documentation out there for implementing certificate authentication with AWS Site-to-Site VPN (probably because it is so expensive). I've resorted to reading RFC documents to understand the nuts and bolts, which is how I discovered the above issue.
AWS Private Certificate Authority Root CA: 6b cd 12 84 77 b1 38 45 02 48 04 6d a7 89 3c a2 82 52 39 e7
AWS Private Certificate Authority Subordinate CA: 40 2c 4b 0e 66 06 98 28 e0 3b a4 61 8b 12 fd ba a2 44 41 73
ISAKMP IKE_SA_INIT Response from AWS - limited to Certificate Request
Payload: Certificate Request (38)
Next payload: Notify (41)
0... .... = Critical Bit: Not critical
.000 0000 = Reserved: 0x00
Payload length: 45
Certificate Type: X.509 Certificate - Signature (4)
Certificate Authority Data: e75394041957b0ec0433caaee301ad3ad0361355
Certificate Authority Data: 0252df87079a8a5cd49c05afd1845482d1ba1448
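The following is an added example, not code from the post above or from AWS. It decodes the Certificate Request payload exactly as shown in the capture (the 45-byte payload is reconstructed from the Wireshark fields above) and computes, for a DER certificate, the value RFC 7296 section 3.7 says a CERTREQ with encoding 4 actually carries: the SHA-1 hash of the trust anchor's DER SubjectPublicKeyInfo, which is not the SHA-1 fingerprint of the certificate that OpenSSL or a console displays. The "Example Root CA" certificate in the block is a constructed, unsigned placeholder with a dummy key so the code runs offline; feed it real DER (for example via `ssl.PEM_cert_to_DER_cert`) to compare your own CAs against what the peer advertises.

```python
"""Decode an IKEv2 CERTREQ and compute RFC 7296 CA identifiers (added example, stdlib only)."""
import hashlib
import struct

# Reconstructed from the Wireshark decode in the post: next payload 41 (Notify), flags 0x00,
# length 45, certificate encoding 4 (X.509 Certificate - Signature), two 20-byte CA hashes.
CERTREQ_FROM_CAPTURE = bytes.fromhex(
    "2900002d04"
    "e75394041957b0ec0433caaee301ad3ad0361355"
    "0252df87079a8a5cd49c05afd1845482d1ba1448"
)

def parse_certreq(payload: bytes):
    """Parse generic payload header + CERTREQ body.

    Returns (next_payload, critical, cert_encoding, [hex CA identifiers]).  For encoding 4
    the CA data is a concatenated list of SHA-1 hashes over each trust anchor's DER
    SubjectPublicKeyInfo (RFC 7296 section 3.7), so it is split into 20-byte items.
    """
    if len(payload) < 5:
        raise ValueError("truncated CERTREQ payload")
    next_payload, flags, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"length field {length} does not match {len(payload)} bytes")
    encoding, ca_data = payload[4], payload[5:length]
    if encoding == 4:
        if len(ca_data) % 20:
            raise ValueError("CA data must be a multiple of 20 bytes for encoding 4")
        ids = [ca_data[i:i + 20].hex() for i in range(0, len(ca_data), 20)]
    else:
        ids = [ca_data.hex()]          # other encodings carry opaque CA data
    return next_payload, bool(flags & 0x80), encoding, ids

# ---- minimal DER walker: pull SubjectPublicKeyInfo out of a DER X.509 certificate ----

def der_tlv(buf: bytes, pos: int = 0):
    """Read one TLV at pos; returns (tag, raw_tlv, value, end). Handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:
        n = first & 0x7F
        length, vstart = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    else:
        length, vstart = first, pos + 2
    end = vstart + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], buf[vstart:end], end

def der_children(value: bytes):
    out, pos = [], 0
    while pos < len(value):
        tag, raw, val, pos = der_tlv(value, pos)
        out.append((tag, raw, val))
    return out

def spki_der(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo TLV of a certificate."""
    tag, _, cert_body, _ = der_tlv(cert_der)
    tbs_tag, _, tbs_body, _ = der_tlv(cert_body)          # tbsCertificate comes first
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER X.509 certificate")
    fields = der_children(tbs_body)
    # tbsCertificate: [0] version (optional), serial, signature, issuer, validity, subject, SPKI
    return fields[6 if fields[0][0] == 0xA0 else 5][1]

def ca_identifier(cert_der: bytes) -> str:
    """What an IKEv2 CERTREQ (encoding 4) advertises for this trust anchor."""
    return hashlib.sha1(spki_der(cert_der)).hexdigest()

def cert_fingerprint(cert_der: bytes) -> str:
    """The SHA-1 fingerprint tools usually display; NOT what CERTREQ carries."""
    return hashlib.sha1(cert_der).hexdigest()

def matching_trust_anchors(certreq: bytes, certs: dict) -> dict:
    """Map each advertised CA identifier to the name of the matching certificate, or None."""
    _, _, encoding, ids = parse_certreq(certreq)
    if encoding != 4:
        raise ValueError("only encoding 4 is handled here")
    by_id = {ca_identifier(der): name for name, der in certs.items()}
    return {h: by_id.get(h) for h in ids}

# ---- constructed placeholder certificate (assumption: unsigned dummy, not a real CA) ----

def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn: str) -> bytes:   # Name with a single CN attribute (OID 2.5.4.3, UTF8String)
    return _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))))

_ALG_RSA = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")   # rsaEncryption
_ALG_SIG = _der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")   # sha256WithRSA
_rsa_key = _der(0x30, _der(0x02, b"\x00" + b"\xc1" * 32) + _der(0x02, b"\x01\x00\x01"))  # dummy n, e
SAMPLE_SPKI_DER = _der(0x30, _ALG_RSA + _der(0x03, b"\x00" + _rsa_key))
_tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _ALG_SIG
            + _name("Example Root CA")
            + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
            + _name("Example Root CA") + SAMPLE_SPKI_DER)
SAMPLE_CERT_DER = _der(0x30, _tbs + _ALG_SIG + _der(0x03, b"\x00" + b"\x5a" * 32))  # dummy signature

if __name__ == "__main__":
    print("CERTREQ:", parse_certreq(CERTREQ_FROM_CAPTURE))
    print("SPKI hash  (what CERTREQ carries):", ca_identifier(SAMPLE_CERT_DER))
    print("cert SHA-1 (what consoles display):", cert_fingerprint(SAMPLE_CERT_DER))
    print("matches:", matching_trust_anchors(CERTREQ_FROM_CAPTURE, {"Example Root CA": SAMPLE_CERT_DER}))
```

The practical check is `matching_trust_anchors(certreq_bytes, {"root": root_der, "sub": sub_der})`: if neither advertised identifier maps to one of your CAs after hashing the SPKI rather than the whole certificate, the peer really is advertising different trust anchors; if they do map, the mismatch was only in how the fingerprints were compared.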