A year ago I set up a new environment for a company who decided to host everything in Azure.

I set up the virtual machines, the storage, the backups and everything that came along with that.  I also gave them a Point to Site VPN connection so they could independently make changes and modify / add data as needed.

Today that VPN connection stopped working.  Why? Simple.  The cert expired. Microsoft have written great documentation on this topic but by default, the root and client certificates only last for one year.  That’s for security reasons of course.  Each year, you renew your certificates and if someone has a certificate that should no longer be allowed, that cert becomes invalid. Nice and easy.

However, in addition to using certs, I also have accounts that I can modify on the local machines and each group of people has a different root cert so replacing certs isn’t a major problem.

That said, I wanted the certs to last longer than 1 year.  I could have made them last 10 years but I thought 3 years was a happy medium.

You could of course create the certs using a GUI but here’s a faster way that uses PowerShell.

```powershell
# Expiry date three years from now, reused for both certificates
$date_now = Get-Date
$extended_date = $date_now.AddYears(3)

# Self-signed root certificate, allowed to sign other certificates
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign -NotAfter $extended_date
```

Now create the client cert, signed by the root cert held in `$cert`, using this.

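```powershell
# Client certificate signed by the root above.
# 2.5.29.37 is the Enhanced Key Usage extension; 1.3.6.1.5.5.7.3.2 is Client Authentication.
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") -NotAfter $extended_date
```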

When you’re ready, open the root cert.  Remove the lines at the top and bottom of the file that indicate the start and end of the certificate. Then, in Azure, browse to All Resources \ Your VPN Gateway, Configure Point to Site VPN.

Now add the new root certificate.

When you’re ready, download the VPN client.  On the same screen in the Azure portal, click Download VPN client.


If needed, remember to export your certificate.  Include the private key and give the exported PFX file a good strong password.
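
The export steps above as a script, plus an expiry check for the failure described at the start of the post. This is an added example, not part of the original post; the output folder, file names and 60-day warning threshold are assumptions, and the subject names are the ones used in the commands above.

```powershell
# Added example. Assumes both certificates created above are in Cert:\CurrentUser\My.
$store    = 'Cert:\CurrentUser\My'
$outDir   = Join-Path $env:USERPROFILE 'p2s-certs'   # hypothetical output folder
$warnDays = 60                                       # illustrative threshold

function Get-P2SCert([string]$Subject) {
    # Newest certificate with this exact subject, in case expired ones are still in the store
    Get-ChildItem $store | Where-Object { $_.Subject -eq $Subject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

$root  = Get-P2SCert 'CN=P2SRootCert'
$child = Get-P2SCert 'CN=P2SChildCert'
if (-not $root -or -not $child) { throw "P2S root or client certificate not found in $store" }

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root certificate data for the Azure portal: Base64 of the DER bytes, which is the
#    certificate text without the start/end marker lines. RawData holds only the
#    public certificate, no private key.
[Convert]::ToBase64String($root.RawData) |
    Set-Content (Join-Path $outDir 'P2SRootCert-azure.txt')

# 2. Client certificate with its private key, protected by a password typed at the
#    prompt so it is never hard-coded in the script.
$pfxPassword = Read-Host -Prompt 'Password for the client PFX' -AsSecureString
Export-PfxCertificate -Cert $child -FilePath (Join-Path $outDir 'P2SChildCert.pfx') `
    -Password $pfxPassword | Out-Null

# 3. Expiry report, so the next renewal is planned rather than found as a VPN outage.
foreach ($c in $root, $child) {
    $daysLeft = [int][math]::Floor(($c.NotAfter - (Get-Date)).TotalDays)
    $status   = if ($daysLeft -lt $warnDays) { 'RENEW SOON' } else { 'ok' }
    '{0,-18} expires {1:yyyy-MM-dd} ({2} days left) {3}' -f $c.Subject, $c.NotAfter, $daysLeft, $status
}
```

Paste the contents of `P2SRootCert-azure.txt` into the root certificate field in the portal, and move the PFX and its password to the client machine by separate channels.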