Azure Point-To-Site VPN – certificates

Let me set the expectation here: I am not going in depth on how to set up an Azure VPN, as that has been covered in many articles which take you step by step through configuring your VPN tunnel to the Azure cloud.

My main concern here is the methods available for generating the certificates used to establish that type of VPN. I have used a self-signed certificate, which works well in most instances, but it could always be replaced by a publicly signed certificate to avoid uploading various trusted root certificates to the Azure vNet.

The most common way is to use makecert.exe, which comes as part of the Windows SDK.

Open a command prompt:

makecert.exe -sky exchange -r -n "CN=RootCertName" -pe -a sha1 -len 2048 -ss My

makecert.exe -n "CN=ClientCertName" -pe -sky exchange -m 96 -ss my -in "RootCertName" -is my -a sha1

With the introduction of PowerShell 4.0 in Windows 8.1 and Windows Server 2012 R2, we can now generate the self-signed certificate with a single cmdlet, without installing the Windows SDK and makecert.exe.

Using PowerShell, run the following line:

New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName CertName -KeyLength 2048 -KeySpec KeyExchange

You can then export the public part as a .cer file, which you place in Trusted Root Certification Authorities on the client and upload to Azure.

Both processes work, but you will need one of the operating systems highlighted above in order to use the PowerShell cmdlet; you can install the Windows Management Framework on older versions of Windows, but that cmdlet won't be available to you there.


  1. #1 by Jonathon on 18 January, 2017 - 7:17 am

    Using New-SelfSignedCertificate is cool, but how does one then generate the client (user) certificate to connect to the VPN? As you pointed out, with makecert, this is achieved with your second command, which uses the root cert created in the first command as an input: makecert.exe -n "CN=ClientCertName" -pe -sky exchange -m 96 -ss my -in "RootCertName" -is my -a sha1

  2. #2 by Sam on 18 January, 2017 - 9:50 am

    Hi Jonathon, if you use New-SelfSignedCertificate the command will generate a certificate that contains the private key; you could then export the .PFX file (client cert) to be used on other machines. It's a bit messy that way though. If you are using self-signed certs, then I'd rather run the command on each machine required to make that VPN connection, then export the .cer cert to Azure.

    • #3 by Derp on 19 January, 2017 - 2:45 am

      Hi Sam, could you be more specific about doing this? It seems that the .PFX that is created is not useful for auth, e.g. Azure P2S VPN. Anyone trying to set up Azure P2S needs both root and client cert for it to work.

  3. #4 by Derp on 19 January, 2017 - 2:47 am

    Can you also list your cmdlets?

    • #5 by Sam on 19 January, 2017 - 1:05 pm

      Hi Derp, thank you for your comment. If you are using the New-SelfSignedCertificate cmdlet (for example New-SelfSignedCertificate -DNSName AzureVPN), this would generate both your client and public certs. But in order to get both, you need to export both the client certificate (PFX file) and the public certificate (CER file) and import them again on another machine; you need to make sure the public part of the certificate is in your Trusted Root Certification Authorities (because it's a self-signed cert). This would make this cert trusted on other machines. You only need to upload the public part of the cert once to Azure.
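The following is an added example, not code from the post or its comments. It shows the PowerShell-only equivalent of the two-step makecert.exe procedure in the post, and answers the question raised in the comments about producing a separate client certificate chained to a root: a root certificate is generated first, and a client certificate is then issued from it using the -Signer parameter of New-SelfSignedCertificate. That parameter is an assumption about the platform: it exists on Windows 10 / Windows Server 2016 and later (PowerShell 5.1), not in the PowerShell 4.0 version the post describes. The certificate names and output folder are placeholders.

```powershell
# Added example: root + client certificate pair for an Azure Point-to-Site VPN.
# Assumes Windows 10 / Server 2016 or later, where New-SelfSignedCertificate supports -Signer.
# Using Cert:\CurrentUser\My needs no elevation; use Cert:\LocalMachine\My from an elevated session.

$rootName   = 'P2SRootCert'     # placeholder subject name for the root
$clientName = 'P2SClientCert'   # placeholder subject name for the client
$outDir     = Join-Path $env:USERPROFILE 'Desktop'
$store      = 'Cert:\CurrentUser\My'

# 1. Root certificate: self-signed, with a key usage that allows it to sign other certificates.
#    sha256 rather than the sha1 used in the original makecert commands.
$root = New-SelfSignedCertificate `
    -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation $store `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate issued from the root (-Signer) with the Client Authentication EKU
#    (OID 1.3.6.1.5.5.7.3.2), which is what the VPN client presents during authentication.
$client = New-SelfSignedCertificate `
    -Type Custom -DnsName $clientName -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation $store `
    -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Export ONLY the public part of the root as Base64 DER. This is what is uploaded to the
#    Azure gateway; the root's private key never leaves this machine.
$rootDer = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$rootB64 = [Convert]::ToBase64String($rootDer, [System.Base64FormattingOptions]::InsertLineBreaks)
Set-Content -Path (Join-Path $outDir "$rootName.cer") -Value $rootB64 -Encoding ascii

# 4. Export the client certificate WITH its private key as a password-protected PFX,
#    to be imported into the personal store of the machine that will connect.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir "$clientName.pfx") `
    -Password $pfxPassword | Out-Null

# 5. Sanity check before handing the files out: the client cert must name the root as its
#    issuer and carry the Client Authentication EKU.
$eku = $client.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    ForEach-Object { $_.EnhancedKeyUsages } |
    Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }
$ok = ($client.Issuer -eq $root.Subject) -and ($null -ne $eku)
"Client certificate chains to $rootName and has Client Authentication EKU: $ok"
```

Only the root's .cer (public key) is uploaded to Azure, and only the client's .pfx travels to the connecting machine, so the root private key stays on the issuing machine and can be used later to issue or revoke further client certificates. Because the root is self-signed, the client machine still needs the root's public certificate in its trusted store for the chain to validate, as the post describes.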
