Secure Your Azure VPN Gateway With Self-Signed Certificate

This blog covers the creation and verification of a self-signed certificate. It also covers how to upload the certificate to the Azure VPN gateway and verify the connection locally. You need the following knowledge and resources to follow this blog.
  1. Knowledge of Azure vNet and vNet gateways
  2. Knowledge of Azure VPN connections
  3. One live Azure VPN gateway in your Azure subscription configured for point-to-site connections.
Azure VPN is the preferred way of connecting your premises to Azure, and point-to-site (P2S) is the type of VPN connection used to connect a single local machine, such as a developer machine, to an Azure network. You need to secure your P2S connection with a signed certificate: either a certificate issued by a third-party CA or a self-signed certificate. The scope of this blog is the self-signed certificate.

Self-signed Certificate

PowerShell has a built-in cmdlet (New-SelfSignedCertificate) for creating self-signed certificates. You need to create at least the two certificates below in this process.
  1. Root certificate
    This is the first certificate to create; think of it as the master certificate. Your VPN gateway is linked to, and trusts, this root certificate. Because it is signed with its own key during creation, it is a so-called self-signed certificate.

  2. Client certificate
    This certificate is issued from the root certificate above by the root certificate owner and distributed to clients. Each client needs this certificate to connect from their individual machine to the VPN gateway.

Create Root & Client Self-signed Certificates

The first section, which assigns the variable $cert, is the script for the root certificate. The second section, which uses $cert as the signer, is the script for the client certificate.

Most parameters are pre-defined; only -Subject needs changing, where you can put your own value for "CN".

    # Root certificate: self-signed, allowed to sign other certificates (KeyUsage CertSign)
    $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
      -Subject "CN=JaishP2SRootCert" -KeyExportPolicy Exportable `
      -HashAlgorithm sha256 -KeyLength 2048 `
      -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

    # Client certificate: signed by $cert and carrying the Client Authentication EKU (1.3.6.1.5.5.7.3.2)
    New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
      -Subject "CN=JaishP2SChildCert" -KeyExportPolicy Exportable `
      -HashAlgorithm sha256 -KeyLength 2048 `
      -CertStoreLocation "Cert:\CurrentUser\My" `
      -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
Please verify that both certificates appear in "certmgr.msc" as shown below.
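Beyond looking at certmgr.msc, the pairing can be checked from PowerShell. This is an added check, not code from the original post; it assumes the two subject names used above and reads the certificates from Cert:\CurrentUser\My.

```powershell
# Added check (not part of the original post): confirm the root/client pair is wired
# correctly before anything is uploaded. Assumes the subjects used in the post.
$rootSubject   = 'CN=JaishP2SRootCert'
$clientSubject = 'CN=JaishP2SChildCert'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU required by the P2S client

$store  = Get-ChildItem -Path 'Cert:\CurrentUser\My'
$root   = $store | Where-Object { $_.Subject -eq $rootSubject }   | Sort-Object NotBefore -Descending | Select-Object -First 1
$client = $store | Where-Object { $_.Subject -eq $clientSubject } | Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $root -or -not $client) { throw 'Root or client certificate not found in Cert:\CurrentUser\My' }

# 1. The root must be self-signed and allowed to sign certificates (KeyCertSign)
$rootKeyUsage = ($root.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }).KeyUsages
$rootOk = ($root.Subject -eq $root.Issuer) -and
          ($rootKeyUsage -band [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign)

# 2. The client must name the root as issuer, carry the Client Authentication EKU, and have its private key
$eku = $client.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$clientOk = ($client.Issuer -eq $root.Subject) -and
            ($eku.EnhancedKeyUsages.Value -contains $clientAuthOid) -and
            $client.HasPrivateKey

# 3. Cryptographic check: the chain from client to root must build, with this root as the anchor.
#    The root is not in the Trusted Root store, so allow an unknown CA but pin the anchor thumbprint.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.RevocationMode     = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags  = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
$chainOk = $chain.Build($client) -and
           ($chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint -eq $root.Thumbprint)

[pscustomobject]@{
    RootSelfSignedAndCanSign  = [bool]$rootOk
    ClientIssuedByRootWithEku = [bool]$clientOk
    ChainBuildsToRoot         = [bool]$chainOk
}
```

All three fields should be True; a False in ChainBuildsToRoot usually means the client was signed with a different (older) root than the one you are about to upload.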


Upload Root Self-signed Certificate to VPN Gateway

To upload a root certificate to the VPN gateway, follow the steps below.
  1. Export the root certificate through "certmgr.msc" as below. Select the root certificate for export.
    Select the following wizard options.

    Once you've clicked on Finish, your certificate will be stored under C:\Windows\System32.

  2. Format your certificate content
    Open the exported certificate in a text editor and remove every line break, along with the BEGIN/END header and footer lines, so that the content becomes a single line like the one below. I used Visual Studio Code as the text editor.


    Notice that it is a single line of content. It must be in this form before you paste it into the Azure VPN gateway configuration.

  3. Upload the formatted root certificate to the Azure VPN gateway
    We are not really uploading a file: we paste the single line of text produced above into the root certificates field of the VPN gateway's point-to-site configuration in the Azure portal. See below; the areas to focus on are marked with blue boxes.


    After saving this configuration, we are ready to test the connection.
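The formatting in step 2 and the paste in step 3 can be done without hand-editing. This is an added example, not code from the original post; it assumes you exported the root certificate as "Base-64 encoded X.509 (.CER)" to the constructed path below and used the subject name from the post.

```powershell
# Added example (not from the original post): turn the Base64 .cer exported from certmgr.msc
# into the single-line value the portal's root certificate field expects, then prove that
# the line still decodes to the root certificate held in the store.
function ConvertTo-AzureRootCertData {
    param([Parameter(Mandatory)][string]$CerPath)

    $lines = Get-Content -Path $CerPath
    # Drop the -----BEGIN/END CERTIFICATE----- header and footer and any blank lines,
    # then join what is left into one line with no whitespace.
    $body    = $lines | Where-Object { $_ -and $_ -notmatch '^-----' } | ForEach-Object { $_.Trim() }
    $oneLine = ($body -join '')

    # A DER (binary) export is not text and would never paste correctly; catch that early.
    if ($oneLine -notmatch '^[A-Za-z0-9+/]+=*$') {
        throw "$CerPath does not look like a Base-64 encoded .cer export; re-export as 'Base-64 encoded X.509'."
    }
    return $oneLine
}

function Test-AzureRootCertData {
    param([Parameter(Mandatory)][string]$Data, [Parameter(Mandatory)][string]$ExpectedSubject)
    $bytes  = [System.Convert]::FromBase64String($Data)
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    $stored = Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object { $_.Subject -eq $ExpectedSubject }
    # A thumbprint match proves the pasted text is exactly the root in the store, not a stale export.
    return [bool]($stored.Thumbprint -contains $cert.Thumbprint)
}

$exported = "$env:USERPROFILE\Desktop\JaishP2SRootCert.cer"   # constructed path: use your own export location
$data = ConvertTo-AzureRootCertData -CerPath $exported
Set-Clipboard -Value $data    # ready to paste into the portal's root certificates field
Test-AzureRootCertData -Data $data -ExpectedSubject 'CN=JaishP2SRootCert'   # expect True
```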

Verify the Self-Signed Certification Connection to VPN Gateway

Please follow the steps below to verify your connection.
  1. Download and install the VPN client
    Notice the download button at the top of the image above; use it to download and install the VPN client on your machine. After installation, verify that the client appears under Network Connections.


  2. Connect to VPN gateway using VPN client


    Approve any request for elevated access; your VPN connection should now look like the one below.


  3. Final verification using the command prompt
    Open the command prompt as administrator and run "ipconfig" to make sure that your VPN gateway IP address is displayed there.


The self-signed certificate preparation procedure is almost the same everywhere; only the PowerShell command differs for each kind of certificate. So if you create a self-signed certificate for another service, follow the same procedure with the PowerShell command appropriate to that service.