
Setup Azure Point to site Certificate

Franknaw edited this page Aug 2, 2021 · 19 revisions

Azure Point-to-site Certificate Configuration

This document shows how to set up root and client certificates for connecting to an Azure VPN. Setting up the "Virtual Network Gateway" itself will be outlined in a later document. This document shows how to generate both root and client certificates and how to connect from Windows, Mac and Linux clients.


Using Windows PowerShell to generate a self-signed Root and Client certificate.

  • Generate self-signed root certificate
# Root certificate: an exportable signing key whose key usage (CertSign) lets it sign the client certificates below
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=vpnRootCert2" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
  • Generate the client certificate using the $cert variable defined above.
# Client certificate signed by the root ($cert). The text extension sets Extended Key Usage (2.5.29.37) to Client Authentication (1.3.6.1.5.5.7.3.2)
New-SelfSignedCertificate -Type Custom -DnsName ClientCert -KeySpec Signature `
-Subject "CN=vpnClientCert2" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
  • To list certificates located in Current User/Personal
Get-ChildItem -Path "Cert:\CurrentUser\My"
Results:
Thumbprint                                Subject
----------                                -------
92E2A4C70B935DB6261641D8FF1576E05AC11E96  CN=vpnRootCert2
FAF0135710B41E27C4FAEFF81DD3C6E15F2812A3  CN=vpnClientCert2
  • This returns each certificate's thumbprint, which can be used to load a previously imported root certificate into a variable when a further client certificate needs to be generated.
$cert = Get-ChildItem -Path "Cert:\CurrentUser\My\92E2A4C70B935DB6261641D8FF1576E05AC11E96"

Export the root certificate public key and add the key to the Azure VPN Gateway

  • Open Windows Cert Manager and export the root certificate vpnRootCert2
    • Via the Cert Manager window dialog
    • Right-click on the root certificate, click "all tasks"->"export"
    • Check "No, do not export the private key"
    • Select "Base-64" encoded and save
    • Open the exported root certificate (.cer) and copy the encoded text
    • In the Azure "Point-to-site configuration" page, paste the encoded text into the "Root certificates" section and save.

Export the client certificate


Using OpenSSL to generate a self-signed Root and Client certificate.

  • TODO

Connecting to the Azure VPN from Windows

  • From the Azure "Point-to-site" configuration click "Download VPN Client", save the zip file and extract it.
  • With the zip file extracted:
    • Navigate to the "WindowsAmd64" directory and install "VpnClientSetupAmd64.exe"
    • From the installer dialog click "More info"; this will display a "Run anyway" button. Click it and follow the installation prompts.
    • This installs the Azure VPN hub, which will be located in "Network Settings"
  • Install the provided client certificate.
    • Double-click the provided (.pfx) file, in this case named vpnClientCert2.pfx
    • Enter the provided password and follow the default installation prompts
    • In Network Settings under "VPN" locate the "Hub" icon and click "Connect"; this will automatically connect you to the Azure VPN Gateway.

Connecting to the Azure VPN from Linux (RHEL) with OpenVPN

  • Extract the private key from the VPN cert using openssl
    • openssl pkcs12 -in theCertFile.pfx -nocerts -out privateKey.pem -nodes
  • Extract the client cert from the VPN cert using openssl
    • openssl pkcs12 -in theCertFile.pfx -nokeys -out clientCert.pem
  • In the "openvpn" directory contained in the zip file, paste the contents of the key and cert files generated above into the vpnconfig.ovpn file.
  • TODO: Finish
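The OpenSSL equivalent of the PowerShell root/client procedure above, together with the key and certificate extraction from this Linux section, written as an added example for this page (it is neither the wiki author's code nor anything shipped by Azure): it builds the root and client certificates with the same key usage and client-authentication EKU, bundles them into a .pfx, extracts them again as in the commands above, and then checks that the extracted certificate chains to the root and matches the extracted key. WORKDIR, the certificate names and the .pfx password are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original wiki page. WORKDIR, the subject names and
# the .pfx password below are assumptions made for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PFX_PASS="example-pfx-password"   # constructed sample password, not a real one

# One small config used for both requests; -subj overrides the placeholder CN.
write_config() {
  cat > "$WORKDIR/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Root: self-signed CA. keyCertSign mirrors the PowerShell "-KeyUsage CertSign".
make_root() {
  openssl req -x509 -config "$WORKDIR/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=vpnRootCert2" \
    -keyout "$WORKDIR/root.key" -out "$WORKDIR/root.crt" 2>/dev/null
}

# Client: key + CSR, signed by the root with the clientAuth EKU
# (OID 1.3.6.1.5.5.7.3.2, the value the PowerShell -TextExtension sets).
make_client() {
  openssl req -new -config "$WORKDIR/openssl.cnf" -newkey rsa:2048 -nodes \
    -sha256 -subj "/CN=vpnClientCert2" \
    -keyout "$WORKDIR/client.key" -out "$WORKDIR/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/client.csr" -sha256 -days 365 \
    -CA "$WORKDIR/root.crt" -CAkey "$WORKDIR/root.key" -CAcreateserial \
    -extfile "$WORKDIR/openssl.cnf" -extensions v3_client \
    -out "$WORKDIR/client.crt" 2>/dev/null
}

# Bundle key + client cert (+ root) into the .pfx a user would be handed.
make_pfx() {
  openssl pkcs12 -export -name vpnClientCert2 \
    -inkey "$WORKDIR/client.key" -in "$WORKDIR/client.crt" \
    -certfile "$WORKDIR/root.crt" -passout "pass:$PFX_PASS" \
    -out "$WORKDIR/vpnClientCert2.pfx"
}

# The Linux-section extraction. -clcerts keeps only the end-entity certificate;
# without it the bundled root would be written into clientCert.pem as well.
extract_from_pfx() {
  openssl pkcs12 -in "$WORKDIR/vpnClientCert2.pfx" -passin "pass:$PFX_PASS" \
    -nocerts -nodes -out "$WORKDIR/privateKey.pem" 2>/dev/null
  openssl pkcs12 -in "$WORKDIR/vpnClientCert2.pfx" -passin "pass:$PFX_PASS" \
    -nokeys -clcerts -out "$WORKDIR/clientCert.pem" 2>/dev/null
}

# What the portal's "Root certificates" field takes: the Base-64 body of the
# root certificate with the BEGIN/END lines removed, on a single line.
root_public_data() {
  sed '/^-----/d' "$WORKDIR/root.crt" | tr -d '\n'
}

# Checks: extracted cert chains to the root, carries clientAuth, and the
# extracted key belongs to that cert (same RSA modulus).
verify_chain() {
  openssl verify -CAfile "$WORKDIR/root.crt" "$WORKDIR/clientCert.pem" >/dev/null 2>&1
}
client_has_clientauth_eku() {
  openssl x509 -in "$WORKDIR/clientCert.pem" -noout -text \
    | grep -q "TLS Web Client Authentication"
}
key_matches_cert() {
  c=$(openssl x509 -in "$WORKDIR/clientCert.pem" -noout -modulus)
  k=$(openssl rsa -in "$WORKDIR/privateKey.pem" -noout -modulus 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

run_all() {
  write_config; make_root; make_client; make_pfx; extract_from_pfx
  verify_chain && client_has_clientauth_eku && key_matches_cert
}

run_all
echo "OK: artifacts in $WORKDIR; root data for the portal starts: $(root_public_data | cut -c1-24)..."
```

Two practitioner points: `-nodes` writes privateKey.pem unencrypted, so give the file restrictive permissions and remove it once its contents are in the .ovpn profile; and `-clcerts` is added to the `-nokeys` step because a .pfx exported with its chain would otherwise put the root certificate into clientCert.pem too. The root_public_data output is the text the "Root certificates" field expects: the Base-64 body of the exported .cer without the BEGIN and END lines.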

Connecting to the Azure VPN from Mac

  • TODO: Finish

References: