This blog post covers the creation and verification of a self-signed certificate. It also covers how to upload the certificate to the Azure VPN gateway and verify the connection locally. You need the following knowledge and resources to follow this post.
- Knowledge of Azure vNet and vNet gateways
- Knowledge of Azure VPN connection
- One live Azure VPN gateway in your Azure subscription, configured for a point-to-site connection.
Azure VPN is the preferred way of connecting your premises to Azure, and point-to-site (P2S) is the type of VPN connection used to connect a single local machine, such as a developer workstation, to an Azure network. You need to secure your P2S connection using a signed certificate: either a certificate signed by a third-party CA or a self-signed certificate. The scope of this post is the self-signed certificate.
Self-signed Certificate
There are pre-defined PowerShell commands for creating self-signed certificates. You need to create at least the two certificates below in this process.
- Root certificate
This is the first certificate to create; think of it as the master certificate. Your VPN gateway is configured to trust this root certificate. Because it is signed with its own key rather than by an external authority, it is what is called a self-signed certificate.
- Client certificate
This certificate is created from the above-mentioned root certificate by the root certificate owner and is distributed to clients. Each client needs this certificate to connect from its own machine to the VPN gateway.
Create Root & Client Self-signed Certificates
The first command, which stores its result in the variable $cert, creates the root certificate. The second command uses $cert as the signer to create a client certificate.
Most parameters are pre-defined; the exception is -Subject, where you can supply your own value for "CN".
```powershell
# Root certificate: self-signed, allowed to sign other certificates (-KeyUsage CertSign),
# stored in the current user's personal store and exportable
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=JaishP2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate: signed by the root above (-Signer $cert) and given the
# Client Authentication extended key usage (OID 1.3.6.1.5.5.7.3.2)
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=JaishP2SChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
```
Please verify both certificates inside "certmgr.msc" as below.
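Beyond eyeballing the two entries in certmgr.msc, the properties that matter for P2S can be checked from PowerShell. The script below is an added example, not part of the original post: it looks up both certificates by the subjects used above (change them if you chose other CN values), and confirms that the root is self-signed and CA-capable, that the client chains to the root and carries the Client Authentication EKU, that the client has its private key, and that both are within their validity period.

```powershell
# Added example (not from the original post). Assumes the subjects used in the commands above.
$RootSubject   = 'CN=JaishP2SRootCert'
$ClientSubject = 'CN=JaishP2SChildCert'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the EKU set by -TextExtension above

function Get-P2SCert {
    param([string]$Subject)
    # Newest certificate with that exact subject in the current user's personal store
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotBefore -Descending |
        Select-Object -First 1
}

function Test-P2SCertPair {
    param([string]$RootSubject, [string]$ClientSubject)
    $root   = Get-P2SCert -Subject $RootSubject
    $client = Get-P2SCert -Subject $ClientSubject
    if (-not $root)   { throw "Root certificate '$RootSubject' not found in Cert:\CurrentUser\My" }
    if (-not $client) { throw "Client certificate '$ClientSubject' not found in Cert:\CurrentUser\My" }

    $checks = [ordered]@{}

    # A self-signed root has identical issuer and subject names.
    $checks['RootIsSelfSigned'] = ($root.Issuer -eq $root.Subject)

    # The root's Key Usage must include KeyCertSign (-KeyUsage CertSign above).
    $rootKu = $root.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $checks['RootCanSignCerts'] = [bool]($rootKu -and
        ($rootKu.KeyUsages -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign))

    # The client must name the root as its issuer and actually chain to it.
    # The root is not in the Trusted Root store, so allow an unknown CA and skip revocation.
    $checks['ClientIssuedByRoot'] = ($client.Issuer -eq $root.Subject)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($client)
    $last  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $checks['ClientChainsToRoot'] = ($built -and ($last.Thumbprint -eq $root.Thumbprint))

    # The client must carry the Client Authentication EKU added by -TextExtension above.
    $eku = $client.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $checks['ClientHasClientAuthEku'] = [bool]($eku -and
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthEku }))

    # The client needs its private key so it can later be exported as a .pfx for distribution.
    $checks['ClientHasPrivateKey'] = $client.HasPrivateKey

    $now = Get-Date
    $checks['BothCurrentlyValid'] = (($now -ge $root.NotBefore) -and ($now -le $root.NotAfter) -and
                                     ($now -ge $client.NotBefore) -and ($now -le $client.NotAfter))

    [pscustomobject]$checks
}

$result = Test-P2SCertPair -RootSubject $RootSubject -ClientSubject $ClientSubject
$result | Format-List
if ($result.PSObject.Properties.Value -contains $false) {
    Write-Warning 'At least one check failed; fix the certificates before uploading the root to the gateway.'
}
```

Every property should print True. A False on ClientHasClientAuthEku or ClientChainsToRoot means the client certificate was created without the -Signer or -TextExtension arguments shown above and needs to be recreated.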
Upload Root Self-signed Certificate to VPN Gateway
To upload a root certificate to the VPN gateway, follow the steps below.
- Export the root certificate through "certmgr.msc" as shown below. Select the root certificate for export.
Select the following wizard options.
Once you've clicked on Finish, your certificate will be stored under C:\Windows\System32.
- Format your certificate content
Open the exported certificate in a text editor and remove every line break as well as the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header and footer lines, so that the content looks like the image below. I used Visual Studio Code as the text editor.
Notice that the content is now a single line; it must be in that form before you paste it into the Azure VPN gateway.
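The manual editing above is easy to get subtly wrong (a stray space or a missing character produces an upload that the gateway silently rejects later). The script below is an added example, not part of the original post: it produces the same single-line Base64 text straight from the root certificate's public data in the store, offers a helper that normalises a Base64 .cer file already exported by the wizard, and round-trips the result to prove it still parses as the same certificate. The subject and output path are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original post). Assumes the root subject used above;
# the output path is a placeholder of my choosing.
$RootSubject = 'CN=JaishP2SRootCert'
$OutFile     = Join-Path $env:USERPROFILE 'Desktop\P2SRootCert_b64.txt'

function Get-RootCertBase64 {
    param([string]$Subject)
    $root = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $Subject } | Select-Object -First 1
    if (-not $root) { throw "Certificate '$Subject' not found in Cert:\CurrentUser\My" }
    # RawData is the DER-encoded public certificate only; no private key leaves the store here.
    [Convert]::ToBase64String($root.RawData)
}

function ConvertTo-SingleLineBase64 {
    param([string]$PemText)
    # Drop the -----BEGIN/END CERTIFICATE----- lines and all whitespace,
    # which is exactly the hand editing described above.
    $lines = $PemText -split "`r?`n" | Where-Object { $_ -notmatch '^-----(BEGIN|END) ' }
    ($lines -join '') -replace '\s', ''
}

function Test-Base64Cert {
    param([string]$Base64, [string]$ExpectedThumbprint)
    # Decode the text back into a certificate and compare thumbprints, so corrupted
    # text is caught before it is pasted into the portal.
    try {
        $bytes  = [Convert]::FromBase64String($Base64)
        $parsed = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $parsed.Thumbprint -eq $ExpectedThumbprint
    } catch {
        $false
    }
}

$root = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $RootSubject } | Select-Object -First 1
$b64 = Get-RootCertBase64 -Subject $RootSubject
if (-not (Test-Base64Cert -Base64 $b64 -ExpectedThumbprint $root.Thumbprint)) {
    throw 'Base64 output does not round-trip to the same certificate'
}
Set-Content -Path $OutFile -Value $b64 -NoNewline
Write-Host "Single-line Base64 ($($b64.Length) characters) written to $OutFile; paste it into the Root certificates field."

# If you already exported a Base64 .cer with the certmgr.msc wizard, normalise it the same way:
# $b64 = ConvertTo-SingleLineBase64 -PemText (Get-Content -Path 'C:\path\to\exported.cer' -Raw)
```

Only the public certificate is encoded, which is what the gateway needs; the root's private key stays in the store and should be protected, because anyone holding it can issue client certificates the gateway will accept.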
- Upload formatted root certificate to Azure VPN gateway
For uploading, we do not actually upload any file; instead we paste the above-mentioned single line of text into a specific field (Root certificates) of the VPN gateway's point-to-site configuration through the Azure portal. See below. The areas to focus on are marked with blue boxes.
After saving this configuration, now we are ready to test this connection.
Verify the Self-Signed Certificate Connection to VPN Gateway
Follow the steps below to verify your connection.
- Download and install VPN client
Notice the download button at the top of the screen shown above; use it to download the VPN client and install it on your machine. After installation, verify that the client appears under your network connections.
- Connect to VPN gateway using VPN client
Approve any request for elevated access, and your VPN connection should then look like the image below.
- Final verification using the command prompt
Open the command prompt as Administrator and run "ipconfig" to make sure that the IP address assigned by your VPN gateway is displayed there.
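Reading ipconfig output by eye works, but the same check can be scripted so it can be repeated after every reconnect. The script below is an added example, not part of the original post: it lists every local IPv4 address that falls inside the client address pool you configured on the gateway, using a small CIDR-containment helper. The pool value 172.16.201.0/24 is a placeholder; replace it with the address pool from your gateway's point-to-site configuration.

```powershell
# Added example (not from the original post). The pool below is a placeholder;
# use the client address pool from your own gateway configuration.
$ClientPool = '172.16.201.0/24'

function ConvertTo-IPv4UInt32 {
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)          # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $hostBits = 32 - [int]$prefix
    # Mask with the top $prefix bits set, computed arithmetically to avoid signed shift surprises
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, $hostBits))
    ((ConvertTo-IPv4UInt32 -Ip $Address) -band $mask) -eq ((ConvertTo-IPv4UInt32 -Ip $network) -band $mask)
}

function Get-P2SAssignedAddress {
    param([string]$Pool)
    # Every IPv4 address on this machine that lies within the gateway's client pool
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { Test-IPv4InCidr -Address $_.IPAddress -Cidr $Pool } |
        Select-Object InterfaceAlias, IPAddress, PrefixLength
}

$assigned = Get-P2SAssignedAddress -Pool $ClientPool
if ($assigned) {
    $assigned | Format-Table -AutoSize
} else {
    Write-Warning "No interface holds an address in $ClientPool; the tunnel is not up or the pool value is wrong."
}
```

If the tunnel is connected, exactly one interface (the VPN adapter) should be listed with an address from the pool; an empty result after a successful-looking connect usually means the pool value in the script does not match the gateway configuration.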
The self-signed certificate preparation procedure is almost the same everywhere, but the PowerShell command differs for each kind of certificate. So if you create a self-signed certificate for another service, the procedure is almost the same; only the PowerShell command for that certificate type changes.