Generating Client Certificate For P2S

INTRODUCTION

In my previous article, I explained about P2S VPN gateway “Azure Native Certificate Authentication” through Self-Signed Root certificate. The Self-Signed Root Certificate cannot be shared with the end users as it has more privileges. The Child Certificate can be exported from the Self Signed Root Certificate, and the Azure resources can be accessed through this certificate by the end users.

CREATE & EXPORT

Azure

  • Login to Azure PowerShell.
  • Execute the below command to get the P2S Root Certificate details.

    Get-ChildItem -Path “Cert:\CurrentUser\My”

    Azure
  • Run the below command to store the certificate details in a Variable.

    $cert = Get-ChildItem -Path “Cert:\CurrentUser\My\*CertificateThumbPrint*”

    Azure
  • Execute the below command to create a Child Certificate.

    New-SelfsignedCertificate -Type Custom -KeySpec Signature -Subject “CN=P2SChildCert” -keyExportPolicy Exportable -HashAlgorithm sha 256 -KeyLength 2048 -CertStoreLocation “Cert:\CurrentUser\My” -Signer $cert -TextExtension @(“2.5.29.37={text}1.3.6.1.5.5.7.3.2”)

    Azure
  • Select the "Exported Certificate" from the File Manager.

    Azure

  • Select Action - Action - All Tasks - Export.

    Azure
  • Click "Next".

    Azure

  • Select “Yes, Export the private key
  • Click "Next".

    Azure

  • Select “Personal Information Exchange – PKCS #12 (.PFX)".
  • Click "Next".
    Azure
  • Select the Local Administrator credentials to export the certificate.
    Azure
  • Specify the Certificate Name and click "Next".
    Azure

  • Verify the specified details and click "Finish".

    Azure
  • Click "OK".

Share the exported Certificate with the end-users' PC and install the same under the "Personal Certificate".

Install & connect the VPN Client in End user PC using the below steps.

  • Install the certificate on the client machine.
  • Login to Azure portal, navigate to Virtual Network Gateways page, and select the P2S gateway.
  • Select the “Point-to-site configuration” in P2S gateway settings blade.
  • The uploaded certificate will be displayed here.
  • Click “Download VPN client” to download & install the VPN client.

    Azure
  • Based on the system configuration (32\64 bit), select and run the setup file.

    Azure
  • Click "Yes" to install VPN client.

    Azure
  • From the system settings, we can see that the VPN is installed successfully.
  • Click "Connect" to get connected to the P2S VPN gateway.

    Azure


  • Click "Connect" in the VPN client window.

    Azure
  • Click "Continue" to grant the elevated privilege to run the VPN client.

    Azure
  • Select the appropriate certificate and click "OK".

    Azure
  • VPN connection has been established successfully.

SUMMARY

In this article, I have explained about creating and exporting P2S child certificate.

The P2S Child certificate can be used by the end users to access Azure Resources. Though the end users can connect to the Azure network and can access the Azure VMs, administrator can restrict RDP access to the VMs through inbound rules in Network Security Group.