How to Use Self-Signed Certificates for Azure VPN

Introduction

Azure Point-to-Site (P2S) VPN provides a secure way for client devices to connect to an Azure Virtual Network, granting access to private resources and Azure workloads. In this article, I will guide you through setting up a P2S VPN with certificate-based authentication, ensuring a secure and efficient connection for your clients.

Overview Architecture of Azure Point-to-Site VPN

VPN

Prerequisite

  1. Azure Subscription
  2. Azure Virtual Network
  3. Azure VPN Gateway
  4. Client User Node Windows or Linux

Generate and export certificates for point-to-site using PowerShell

Step 1. Open PowerShell as an Administrator and launch PowerShell on your client PC with elevated permissions.

Step 2. Create a Client Root Certificate by running the following PowerShell script to generate a self-signed root certificate, as outlined in the official Microsoft documentation

$params = @{
    Type = 'Custom'
    Subject = 'CN=P2SRootCert'
    KeySpec = 'Signature'
    KeyExportPolicy = 'Exportable'
    KeyUsage = 'CertSign'
    KeyUsageProperty = 'Sign'
    KeyLength = 2048
    HashAlgorithm = 'sha256'
    NotAfter = (Get-Date).AddMonths(24)
    CertStoreLocation = 'Cert:\CurrentUser\My'
}
$cert = New-SelfSignedCertificate @params

Keyspec

Note Replace "P2SRootCert" with your desired certificate name. However, the certificate is valid for 5 years by default.

Step 3. Create Client Certificates To create client certificates use the below script.

$params = @{
       Type = 'Custom'
       Subject = 'CN=P2SChildCert'
       DnsName = 'P2SChildCert'
       KeySpec = 'Signature'
       KeyExportPolicy = 'Exportable'
       KeyLength = 2048
       HashAlgorithm = 'sha256'
       NotAfter = (Get-Date).AddMonths(18)
       CertStoreLocation = 'Cert:\CurrentUser\My'
       Signer = $cert
       TextExtension = @(
        '2.5.29.37={text}1.3.6.1.5.5.7.3.2')
   }
   New-SelfSignedCertificate @params

Successfully created both my certificates.

Powershell

Steps to Export the Root Certificate Public Key (.cer)

Step 1. Open Manage User Certificates by pressing Win + R, typing certmgr.msc, and pressing Enter.

Manage User

Step 2. Navigate to Certificates - Current User > Personal > Certificates. Locate your self-signed root certificate, right-click it, and select All Tasks > Export.

Current User

Step 3. In the Certificate Export Wizard, click Next.

Export Wizard

Step 4. Choose No, do not export the private key, and click Next.

Step 5. Select Base-64 encoded X.509 (.CER) as the file format and click Next.

Format

Step 6. Browse to the location where you want to save the certificate, name the file, and click Next, then Finish.

Save

A confirmation message will appear stating The export was successful.

Step 7. Open the exported .cer file in Notepad to verify it is in Base-64 encoded format. The file should.

Encoded format

Step 8. Sign in to your Azure Portal via Azure Portal

Step 9. Navigate to your Azure VPN gateway.

Step 10. In the Azure portal, configure the Address Pool (e.g., 172.16.0.0/24) in Point-to-Site Configuration.

Azure VPN

Step 11. Specify the VPN address pool range to allocate dynamic IP addresses for client connections.

Step 12. Choose Azure Certificate as the authentication method.

Step 13. Root certificate Name “Root” and copy the above notepad key and past on “public certificate data” Save.

Root

Step 14. After saving the configuration, download the VPN client, install the Windows setup, and use it to connect to the VPN.

VPN client

Step 15. Once the VPN client is successfully installed, establish the connection by selecting your VPN profile and clicking Connect.

Add VPN

Connect

Step 16. My VPN connection to the Azure Virtual Network was successful.

 Virtual Network

Step 17. In the Azure Portal, I can see the VPN connection endpoint listed as connected under the Point-to-Site VPN sessions.

Site

Conclusion

This article taught us how to set up Azure Point-to-Site VPN with certificate-based authentication, including creating, exporting, and uploading certificates to Azure for secure remote access to your Virtual Network.


Similar Articles