This can be done in two ways like, PowerShell way and the Makecert. We will look at the PowerShell way and see how to create a Root Certificate and Client Certificate and then export the Client certificate for distributing with the VPN Users. We are performing all these activity on a Windows 10 Clients.
Step 01 – Create a Self Signed Root Certificate
- Open the powershell from the Windows 10 and run below command to create a Root Certificate.
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature ` -Subject "CN=RenP2SRootCert" -KeyExportPolicy Exportable ` -HashAlgorithm sha256 -KeyLength 2048 ` -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
Next Export the Public key, so that it can be later uploaded to the Azure Subscription.
2. Open the Certificate Manager by running CertMgr.msc on the run box.
3. Go to “Certificates-Current User\Personal\Certificates”
4. Now right click on the RenP2SRootCert All Tasks, and then click Export. This opens the Certificate Export Wizard.
5. In the Wizard, click Next. Select No, do not export the private key, and then click Next.
6. On the Export File Format page, select Base-64 encoded X.509 (.CER)., and then click Next.
7. On the File to Export, Browse to the location to which you want to export the certificate. For File name, name the certificate file as “RootExported.cer“. Then, click Next. Click Finish to export the certificate. You see The export was successful. Click OK to close the wizard.
Step 02 – Generate a Client Certificate
- Run below command on the Windows 10 PowerShell window.
New-SelfSignedCertificate -Type Custom -KeySpec Signature ` -Subject "CN=RenP2SChildCert" -KeyExportPolicy Exportable ` -HashAlgorithm sha256 -KeyLength 2048 ` -CertStoreLocation "Cert:\CurrentUser\My" ` -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
2. Now if you Open the Certificate Manager by running CertMgr.msc on the run box and then Go to “Certificates-Current User\Personal\Certificates” you will see an additional certificate generated as below.
Now we need to export this certificate to distribute it with other users for VPN access.
3. To export a client certificate, open Manage user certificates. The client certificates that you generated are, by default, located in ‘Certificates – Current User\Personal\Certificates’. Right-click the client certificate that you want to export, click all tasks, and then click Export to open the Certificate Export Wizard.
4. In the Wizard, click Next, then select Yes, export the private key, and then click Next.
5. On the Export File Format page, leave the defaults selected. Make sure that Include all certificates in the certification path if possible is selected. Selecting this also exports the root certificate information that is required for successful authentication. Then, click Next
6. On the Security page, you must protect the private key. If you select to use a password, make sure to record or remember the password that you set for this certificate. Then, click Next.
7. On the File to Export, Browse to the location to which you want to export the certificate. For File name, name the certificate file as ClientCertExported . Then, click Next.
8. Click Finish to export the certificate. You will see a “ClientCertExported.pfx” file on the location you saved. Store it securely for future use.
Step 03 (Optional) Importing the client certificate on a client pc.
- It is a fairly simple to install the .pxf on a client PC. You can just open the pfx file and click next on all the window and finish the process. To verify the successful installation of the certificate you can go to Certificates-Current User\Personal\Certificates
That’s all for the certificate handling for the Point-To-Site VPN configuration for Azure. If you have any comments or questions please do let me know.
2 Responses