title | author | ms.service | ms.date | ms.author |
---|---|---|---|---|
include file |
cherylmc |
vpn-gateway |
10/18/2023 |
cherylmc |
[!INCLUDE P2S FAQ All]
What should I do if I'm getting a certificate mismatch when connecting using certificate authentication?
Uncheck "Verify the server's identity by validating the certificate", or add the server FQDN along with the certificate when creating a profile manually. You can do this by running rasphone from a command prompt and picking the profile from the drop-down list.
Bypassing server identity validation isn't recommended in general, but with Azure certificate authentication, the same certificate is being used for server validation in the VPN tunneling protocol (IKEv2/SSTP) and the EAP protocol. Since the server certificate and FQDN are already validated by the VPN tunneling protocol, it's redundant to validate the same again in EAP.
Yes. Previously, only self-signed root certificates could be used. You can still upload 20 root certificates.
No.
You can use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, and OpenSSL.
-
Internal PKI/Enterprise PKI solution: See the steps to Generate certificates.
-
Azure PowerShell: See the Azure PowerShell article for steps.
-
MakeCert: See the MakeCert article for steps.
-
OpenSSL:
-
When exporting certificates, be sure to convert the root certificate to Base64.
-
For the client certificate:
- When creating the private key, specify the length as 4096.
- When creating the certificate, for the -extensions parameter, specify usr_cert.
-