
Generate User VPN certificate to be used for P2S (Point to site) connection on Azure Virtual WAN

1. On your PC, as an administrator, press Windows+R to open the Run dialog box, then type "powershell" in the text box and press Enter:

Screenshot: Windows PowerShell command prompt for Windows

2. Create a self-signed root certificate. In PowerShell, run this (the result is kept in $cert because step 3 uses it as the signer):
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

3. Still in the same PowerShell console, generate a client certificate signed by the root (the -TextExtension value sets the Client Authentication extended key usage, 1.3.6.1.5.5.7.3.2):
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Steps 2 and 3 print the Thumbprint and Subject of each new certificate, as shown here:

Screenshot: Windows PowerShell showing certificate creation

4. On your Windows desktop, run certmgr.msc; under Personal > Certificates you should see the following two certificates:

Screenshot: Certificate console on Windows
Screenshot: Windows certificate management console, where the .cer file is exported for use on Azure

5. Export the root certificate's public key (.cer) and follow the prompts. When asked whether to export the private key, choose "Do not export private key"; then, on the Export File Format page, select Base-64 encoded X.509 (.CER).

6. Keep the file handy. This is the rootcertificate.cer file containing the hash that you'll copy into the Public Certificate field of the User VPN configuration on Azure, as shown in the image below. The same hash will be used in the vpnconfig.ovpn file that needs to be configured for your OpenVPN client.

Screenshot: Azure -> Virtual WAN / User VPN configuration dashboard
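As an added example (not part of the original post, and not Microsoft's own code), the following PowerShell script does steps 5 and 6 without the certmgr.msc wizard and adds two checks worth running before pasting anything into Azure: that the client certificate really chains to CN=P2SRootCert, and that it carries the Client Authentication extended key usage set in step 3. It assumes the two certificates from steps 2 and 3 exist in Cert:\CurrentUser\My with those subjects; the output folder and file names are assumptions.

```powershell
# Added example, not from the original post. Assumes the root and client certificates
# from steps 2 and 3 exist in Cert:\CurrentUser\My with the subjects used there.
$outDir = Join-Path $env:USERPROFILE 'Desktop'   # output folder: an assumption

$root   = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq 'CN=P2SRootCert' }  | Select-Object -First 1
$client = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq 'CN=P2SChildCert' } | Select-Object -First 1
if (-not $root -or -not $client) { throw 'Root or client certificate not found in Cert:\CurrentUser\My' }

# Check 1: the client certificate must chain to the root, which is what the gateway
# verifies when a client connects. The root is self-signed and not in the Trusted Root
# store, so allow an unknown CA but insist that the chain ends at our root's thumbprint.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
[void]$chain.ChainPolicy.ExtraStore.Add($root)
if (-not $chain.Build($client)) {
    throw "Client certificate does not chain: $($chain.ChainStatus.StatusInformation)"
}
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($top.Thumbprint -ne $root.Thumbprint) { throw 'Client certificate is not issued by CN=P2SRootCert' }

# Check 2: the client certificate must carry the Client Authentication EKU
# (1.3.6.1.5.5.7.3.2) that step 3 set via -TextExtension.
$eku = $client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
if (-not $eku -or @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }).Count -eq 0) {
    throw 'Client certificate lacks the Client Authentication EKU'
}

# Step 5 equivalent: RawData is the DER-encoded certificate and never includes the
# private key, so this file is safe to hand to Azure. Wrap at 64 columns like the wizard.
$b64 = [Convert]::ToBase64String($root.RawData)
$pem = @('-----BEGIN CERTIFICATE-----')
for ($i = 0; $i -lt $b64.Length; $i += 64) {
    $pem += $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
}
$pem += '-----END CERTIFICATE-----'
Set-Content -Path (Join-Path $outDir 'rootcertificate.cer') -Value $pem -Encoding ascii

# Step 6 equivalent: the Azure "Public Certificate" field takes only the Base64 body,
# with no BEGIN/END lines and no line breaks, so write that separately.
Set-Content -Path (Join-Path $outDir 'rootcertificate-azure.txt') -Value $b64 -Encoding ascii

# The client certificate (with its private key) is what each VPN client installs;
# export it as a password-protected PFX, never as a .cer.
$pfxPassword = Read-Host 'Password for client PFX' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir 'P2SChildCert.pfx') -Password $pfxPassword | Out-Null

"Root thumbprint:   $($root.Thumbprint)"
"Client thumbprint: $($client.Thumbprint)"
```

Two things to keep in mind when using this. The root's private key is the trust anchor for the whole P2S configuration: whoever holds it can issue client certificates the gateway will accept, so leave it on the machine where you ran step 2 (or in a proper key store) and never export it alongside the .cer. If a client certificate is lost, its thumbprint from the output above is what you add to the revoked-certificates list in the User VPN configuration.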

-End-