Azure VPN Gateway Point-to-site config error - Data for certificate is invalid.

Alex M 20 Reputation points
2024-08-28T11:33:42.22+00:00

I struggle to save the Virtual network gateway Point-to-site configuration, as I receive the following error message: "Failed to save virtual network gateway."

Azure VPN Gateway

Accepted answer
    Sai Prasanna Sinde (Quadrant Resource LLC) 85 Reputation points Microsoft Vendor
    2024-08-30T15:56:09.6433333+00:00

    Hi @Alex M,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    Please follow the below steps to create a self-signed certificate for Point to Site VPN configuration in a Windows environment:

    1. Before creating certificates, open PowerShell as an administrator and check the ExecutionPolicy by running the command: Get-ExecutionPolicy. It should be RemoteSigned. If it is not RemoteSigned, change it by running: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned (use Tab completion to get RemoteSigned).
    2. Create a self-signed root certificate: After setting the ExecutionPolicy to RemoteSigned, use the below script to generate a root certificate (open PowerShell as an administrator and copy-paste the script):

       $params = @{
           Type = 'Custom'
           Subject = 'CN=P2SRootCert'
           KeySpec = 'Signature'
           KeyExportPolicy = 'Exportable'
           KeyUsage = 'CertSign'
           KeyUsageProperty = 'Sign'
           KeyLength = 2048
           HashAlgorithm = 'sha256'
           NotAfter = (Get-Date).AddMonths(24)
           CertStoreLocation = 'Cert:\CurrentUser\My'
       }
       $cert = New-SelfSignedCertificate @params

    3. Generate a client certificate: Next, copy & paste the below script to generate a child certificate in the same PowerShell console session (it references the $cert variable from the previous step):

       $params = @{
           Type = 'Custom'
           Subject = 'CN=P2SChildCert'
           DnsName = 'P2SChildCert'
           KeySpec = 'Signature'
           KeyExportPolicy = 'Exportable'
           KeyLength = 2048
           HashAlgorithm = 'sha256'
           NotAfter = (Get-Date).AddMonths(18)
           CertStoreLocation = 'Cert:\CurrentUser\My'
           Signer = $cert
           TextExtension = @(
               '2.5.29.37={text}1.3.6.1.5.5.7.3.2')
       }
       New-SelfSignedCertificate @params
    4. After generating the root & child certificates, go to Manage user certificates > Personal > Certificates, where you will find your newly generated root & child certificates (you can find them by date).
    5. Right click on the root certificate > All Tasks > Export > click Next and select the "Base-64 encoded" format (it is optimized for Point to Site configuration) > browse to a path (e.g. the C drive) to save the exported root certificate, give the file a name, save it, and then click Finish.
    6. Go to the location where you saved the exported root file, open it with Notepad or another text editor, and copy the code except the BEGIN CERTIFICATE and END CERTIFICATE lines.
    7. Go to your VPN > Point to Site configuration > fill in "Address pool, Tunnel type (e.g. IKEv2 and SSTP (SSL); it supports both IKEv2 & SSTP) & Authentication type (Azure certificate)" > give the name of the root certificate, paste the copied code into the public certificate data field, and save it.
    8. Download the VPN client and connect to the VPN.

    For your reference: https://video2.skills-academy.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site

    Please follow the below steps to create a self-signed certificate for Point to Site VPN configuration in a Linux environment:

    To generate a self-signed certificate, use openssl:

    1. Generate a self-signed root certificate:

       openssl genrsa -out caKey.pem 2048
       openssl req -x509 -new -nodes -key caKey.pem -subj "/CN=VPN CA" -days 3650 -out caCert.pem

    2. Print the self-signed root certificate public data in base64 format for the point to site configuration:

       openssl x509 -in caCert.pem -outform der | base64 -w0 && echo

    3. Generate a client certificate:

       export PASSWORD="password"
       export USERNAME=$(hostnamectl --static)

       # Generate a private key
       openssl genrsa -out "${USERNAME}Key.pem" 2048

       # Generate a CSR (Certificate Signing Request)
       openssl req -new -key "${USERNAME}Key.pem" -out "${USERNAME}Req.pem" -subj "/CN=${USERNAME}"

       # Sign the CSR using the CA certificate and CA key
       openssl x509 -req -days 365 -in "${USERNAME}Req.pem" -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out "${USERNAME}Cert.pem" -extfile <(echo -e "subjectAltName=DNS:${USERNAME}\nextendedKeyUsage=clientAuth")

    4. Verify the client certificate:

       openssl verify -CAfile caCert.pem caCert.pem "${USERNAME}Cert.pem"

    5. Export the root certificate and make sure to select the Base-64 Encoded option while exporting it.
    6. Open the certificate with Notepad and copy the code, excluding the BEGIN & END CERTIFICATE lines.
    7. Go to Point to Site Configuration and paste the root certificate data into the public certificate data section.
    8. Please fill in the address pool, tunnel type and authentication type properly and save it.

    For your reference: https://video2.skills-academy.com/en-us/azure/vpn-gateway/point-to-site-certificates-linux-openssl

    You can also generate and export certificates by using Linux (strongSwan). Please find the below document for additional reference: https://video2.skills-academy.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site-linux

    If it was helpful, please click "Upvote and Accept Answer" on this post to let us know.

    If you need any further assistance, please don't hesitate to reach out to us. We are happy to assist you.

    Thank You.
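The steps above hinge on pasting only the base64 body of the Base-64 encoded root certificate export, with the BEGIN/END lines and line breaks removed. The script below is an added example (not part of the answer or of Microsoft's documentation) that produces that single-line value from an exported PEM file and rejects the inputs the portal will not accept: a binary DER or PKCS#7 export with no PEM block, damaged base64, or a truncated blob; it runs on a constructed, non-certificate DER blob, so point `pem_to_p2s_public_data` at a real exported .cer to use it.

```python
# Added example (not from the answer or Microsoft docs): turn a Base-64 encoded
# X.509 export into the single-line "public certificate data" value the
# Point-to-site root certificate field expects, and fail early on bad input.
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def check_der_certificate(der: bytes) -> int:
    """Minimal DER sanity check (not a full X.509 parse): one SEQUENCE whose
    declared length covers exactly the rest of the blob. Returns that length."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    first, header = der[1], 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError(f"DER declares {length} bytes, blob holds {len(der) - header}")
    return length


def pem_to_p2s_public_data(pem_text: str) -> str:
    """Drop the BEGIN/END lines and every line break, then make sure the rest is
    base64 of a plausible DER certificate before it goes into the portal field."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        # A binary (DER) or PKCS#7 export has no CERTIFICATE block: re-export as Base-64.
        raise ValueError("no PEM CERTIFICATE block; export as Base-64 encoded X.509")
    body = re.sub(r"\s+", "", match.group(1))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    check_der_certificate(der)
    return body


# Constructed sample, NOT a real certificate: a DER SEQUENCE holding 256 bytes,
# wrapped the way a Base-64 export looks (64-column lines between the markers).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
    SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64)) + "\n-----END CERTIFICATE-----\n"
```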

