Azure Point to Site VPN – Add or replace certificates.

Jan 18, 2019 | Azure, Server administration, Technology | 5 comments

A year ago I set up a new environment for a company who decided to host everything in Azure.

I set up the virtual machines, the storage, the backups and everything that came along with that. I also gave them a Point to Site VPN connection so they could independently make changes and modify / add data as needed.

Today that VPN connection stopped working. Why? Simple. The cert expired. Microsoft has written great documentation on this topic, but by default the root and client certificates only last for one year. That's for security reasons, of course. Each year you renew your certificates, and if someone holds a certificate that should no longer be allowed, that cert becomes invalid. Nice and easy.

However, in addition to using certs, I also have accounts that I can modify on the local machines, and each group of people has a different root cert, so replacing certs isn't a major problem.

That said, I wanted the certs to last longer than 1 year. I could have made them last 10 years, but I thought 3 years was a happy medium.

You could of course create the certificates using a GUI, but here's a faster way that uses PowerShell. First create the root certificate; the backtick at the end of each line is PowerShell's line continuation.

# Certificates valid for 3 years from today instead of the default 1 year
$date_now = Get-Date
$extended_date = $date_now.AddYears(3)
# Self-signed root cert that can sign other certs (KeyUsage CertSign); kept in $cert for the client cert below
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign -NotAfter $extended_date

Now create the client cert, signed by the root cert held in $cert.

# Client cert signed by the root; the extension 2.5.29.37 (Extended Key Usage) is set to
# 1.3.6.1.5.5.7.3.2 (Client Authentication), which the P2S gateway requires
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") -NotAfter $extended_date

When you're ready, open the exported root cert in a text editor. Remove the lines at the top and bottom of the file that mark the start and end of the certificate (the BEGIN CERTIFICATE and END CERTIFICATE lines), so only the Base64 body remains. Then, in Azure, browse to All Resources, open your VPN gateway and choose Configure Point to Site VPN.

Now add the new root certificate by pasting that Base64 body as the public certificate data.

When you're ready, download the VPN client: on the same screen in the Azure portal, click Download VPN client.

If the client cert needs to go onto another machine, remember to export it. Include the private key and give the exported PFX file a good strong password.
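As an added example (not code from the original post), here are the export steps above in PowerShell: it finds the newest root and client certs by the subjects used above, checks that the client cert chains to the root and that neither has expired, writes the root cert's Base64 body exactly as the portal expects it, and exports only the client cert with its private key to a password-protected PFX. The output file paths are assumptions.

```powershell
# Added example, not from the original post. Assumes the root cert (CN=P2SRootCert) and the
# client cert (CN=P2SChildCert) were created as above in Cert:\CurrentUser\My; output paths are assumptions.
$store = 'Cert:\CurrentUser\My'
$root  = Get-ChildItem $store | Where-Object Subject -eq 'CN=P2SRootCert'  | Sort-Object NotAfter -Descending | Select-Object -First 1
$child = Get-ChildItem $store | Where-Object Subject -eq 'CN=P2SChildCert' | Sort-Object NotAfter -Descending | Select-Object -First 1

# Sanity checks before touching the gateway: both certs exist, the client cert was signed by
# this root, and neither is already expired (the symptom that started this post).
if (-not $root -or -not $child) { throw 'Root or client certificate not found in the store.' }
if ($child.Issuer -ne $root.Subject) { throw "Client cert issuer '$($child.Issuer)' does not match the root subject." }
foreach ($c in $root, $child) {
    if ($c.NotAfter -lt (Get-Date)) { throw "$($c.Subject) expired on $($c.NotAfter)." }
    $daysLeft = [math]::Floor(($c.NotAfter - (Get-Date)).TotalDays)
    Write-Host ("{0} valid until {1:yyyy-MM-dd} ({2} days left)" -f $c.Subject, $c.NotAfter, $daysLeft)
}

# The portal's public certificate data field wants the Base64 body of the DER root cert only:
# no BEGIN/END CERTIFICATE lines and no line breaks. Encoding RawData directly gives exactly
# that, so nothing has to be trimmed by hand from an exported .cer file.
$rootBase64 = [Convert]::ToBase64String($root.RawData)
Set-Content -Path '.\P2SRootCert_public.txt' -Value $rootBase64 -NoNewline

# Export only the client cert (with its private key) for the VPN client machine.
# The root's private key stays in this store; it never needs to leave the signing machine.
$pfxPassword = Read-Host -Prompt 'Strong PFX password' -AsSecureString
Export-PfxCertificate -Cert $child -FilePath '.\P2SChildCert.pfx' -Password $pfxPassword | Out-Null
Write-Host 'Paste the contents of P2SRootCert_public.txt into the point-to-site configuration as a root certificate.'
```

Running the expiry check on a schedule (for example a month before NotAfter) is the easy way to avoid the surprise outage described at the top of the post.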

5 Comments

  1. Ioannis

    your website's SSL certificate has expired. Funny thing, because you're talking about the SSL certificates 🙂

    Reply
    • digitaldarragh

      I know. 🙂 Ironic, isn't it. I have a weird problem whereby the cert renews, the VHost config changes, but Nginx doesn't fully accept the new cert until the config is reloaded. This happens every six months or so and always to a different site on the server. I haven't bothered getting to the bottom of it yet.

      Reply
  2. Bertrand

    Hello,

    What is then the process when the root certificate is expiring? I mean, can you create a second root certificate for the same Certification Authority in order to then create new child certificates, in order to allow a smooth transition? Because otherwise, I suppose that once the root certificate is expired, all P2S VPN connections will fail.

    Thank you for your tips!

    Reply
    • digitaldarragh

      I'm not sure. But as it's possible for a cert to be leaked, I'd rather update the root cert each year, as I then know that there's a maximum usable time for the client certificate. But if you're using lots of clients, it would probably be better to create one site to site VPN instead of a lot of point to site VPNs. But that's just an opinion. Easier to administer, maintain and monitor one VPN than lots of single connections.

      Reply