Introduction
Azure Point-to-Site (P2S) VPN provides a secure way for client devices to connect to an Azure Virtual Network, granting access to private resources and Azure workloads. In this article, I will guide you through setting up a P2S VPN with certificate-based authentication, ensuring a secure and efficient connection for your clients.
Overview Architecture of Azure Point-to-Site VPN
Prerequisites
- Azure Subscription
- Azure Virtual Network
- Azure VPN Gateway
- Client device (Windows or Linux)
Generate and export certificates for point-to-site using PowerShell
Step 1. On your client PC, open PowerShell as an Administrator (run it with elevated permissions).
Step 2. Create a client root certificate. Run the following PowerShell script to generate a self-signed root certificate, as outlined in the official Microsoft documentation:
$params = @{
    Type              = 'Custom'
    Subject           = 'CN=P2SRootCert'
    KeySpec           = 'Signature'
    KeyExportPolicy   = 'Exportable'
    KeyUsage          = 'CertSign'
    KeyUsageProperty  = 'Sign'
    KeyLength         = 2048
    HashAlgorithm     = 'sha256'
    NotAfter          = (Get-Date).AddMonths(24)
    CertStoreLocation = 'Cert:\CurrentUser\My'
}
$cert = New-SelfSignedCertificate @params
Note: Replace "P2SRootCert" with your desired certificate name. NotAfter sets the validity period (24 months in this script); the certificate is valid for 5 years by default.
Step 3. Create a client certificate. The client certificate is signed by the root certificate held in $cert from the previous step; run the following script:
$params = @{
    Type              = 'Custom'
    Subject           = 'CN=P2SChildCert'
    DnsName           = 'P2SChildCert'
    KeySpec           = 'Signature'
    KeyExportPolicy   = 'Exportable'
    KeyLength         = 2048
    HashAlgorithm     = 'sha256'
    NotAfter          = (Get-Date).AddMonths(18)
    CertStoreLocation = 'Cert:\CurrentUser\My'
    Signer            = $cert
    TextExtension     = @(
        '2.5.29.37={text}1.3.6.1.5.5.7.3.2')   # Enhanced Key Usage: Client Authentication
}
New-SelfSignedCertificate @params
I successfully created both certificates.
Steps to Export the Root Certificate Public Key (.cer)
Step 1. Open Manage User Certificates by pressing Win + R, typing certmgr.msc, and pressing Enter.
Step 2. Navigate to Certificates - Current User > Personal > Certificates. Locate your self-signed root certificate, right-click it, and select All Tasks > Export.
Step 3. In the Certificate Export Wizard, click Next.
Step 4. Choose No, do not export the private key, and click Next.
Step 5. Select Base-64 encoded X.509 (.CER) as the file format and click Next.
Step 6. Browse to the location where you want to save the certificate, name the file, and click Next, then Finish.
A confirmation message will appear stating The export was successful.
Step 7. Open the exported .cer file in Notepad to verify it is in Base-64 encoded format. The file should.
Step 8. Sign in to the Azure Portal.
Step 9. Navigate to your Azure VPN gateway.
Step 10. In the Azure portal, configure the Address Pool (e.g., 172.16.0.0/24) in Point-to-Site Configuration.
Step 11. Specify the VPN address pool range from which connecting clients receive their dynamic IP addresses; it must not overlap the address space of the virtual network.
Step 12. Choose Azure Certificate as the authentication method.
Step 13. Under Root certificates, enter a name (for example, "Root"), paste the Base-64 text copied from Notepad into the Public certificate data field, and click Save.
Step 14. After saving the configuration, download the VPN client package, run the Windows installer, and use the installed client to connect to the VPN.
Step 15. Once the VPN client is successfully installed, establish the connection by selecting your VPN profile and clicking Connect.
Step 16. My VPN connection to the Azure Virtual Network was successful.
Step 17. In the Azure Portal, I can see the VPN connection endpoint listed as connected under the Point-to-Site VPN sessions.
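The export in Steps 1 to 7 and the paste in Step 13 can be done from PowerShell instead of certmgr.msc. This is an added example, not code from the original article or from Microsoft; it assumes the two certificates were created with the scripts above (subjects CN=P2SRootCert and CN=P2SChildCert) and that the output paths are acceptable.

```powershell
# Added example (not from the original article): export the root certificate's
# public key as Base-64 and sanity-check the client certificate against it.
# Assumes the subjects CN=P2SRootCert and CN=P2SChildCert from the scripts above.

$store = 'Cert:\CurrentUser\My'
$root = Get-ChildItem -Path $store |
    Where-Object { $_.Subject -eq 'CN=P2SRootCert' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $root) { throw "Root certificate CN=P2SRootCert not found in $store" }

# Export-Certificate writes only the public part (DER); the private key never leaves the store.
$derPath = Join-Path $env:TEMP 'P2SRootCert.der'
Export-Certificate -Cert $root -FilePath $derPath -Type CERT | Out-Null
$b64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes($derPath))

# Write a PEM (.cer) file equivalent to the wizard's "Base-64 encoded X.509" option.
$lines = ($b64 -split '(.{64})' | Where-Object { $_ }) -join "`r`n"
$pemPath = Join-Path $env:USERPROFILE 'Desktop\P2SRootCert.cer'   # assumed output path
"-----BEGIN CERTIFICATE-----`r`n$lines`r`n-----END CERTIFICATE-----" |
    Set-Content -Path $pemPath -Encoding Ascii

# The portal's "Public certificate data" field takes the Base-64 body only:
# no BEGIN/END lines and no line breaks. Put that value on the clipboard.
Set-Clipboard -Value $b64
Write-Host "Root public key written to $pemPath; portal value copied to clipboard."

# Check the client certificate: issued by this root, has a private key,
# and carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2) from Step 3.
$client = Get-ChildItem -Path $store |
    Where-Object { $_.Subject -eq 'CN=P2SChildCert' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $client) { throw "Client certificate CN=P2SChildCert not found in $store" }

$problems = @()
if ($client.Issuer -ne $root.Subject)      { $problems += 'issuer does not match the root subject' }
if (-not $client.HasPrivateKey)            { $problems += 'client certificate has no private key' }
if ($client.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.2') {
    $problems += 'Client Authentication EKU is missing'
}
if ($client.NotAfter -lt (Get-Date))       { $problems += 'client certificate has expired' }

if ($problems) { Write-Warning ("Client certificate check failed: " + ($problems -join '; ')) }
else           { Write-Host 'Client certificate is issued by the root and ready for P2S use.' }
```

The issuer check only matches the subject name; the real proof that the client certificate was signed by this root is the gateway accepting the connection in Step 16.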
Conclusion
In this article we set up an Azure Point-to-Site VPN with certificate-based authentication: creating the root and client certificates, exporting the root public key, and uploading it to Azure for secure remote access to your Virtual Network.