{ "metadata": { "kernelspec": { "name": "powershell", "display_name": "PowerShell" }, "language_info": { "name": "powershell", "codemirror_mode": "shell", "mimetype": "text/x-sh", "file_extension": ".ps1" } }, "nbformat_minor": 2, "nbformat": 4, "cells": [ { "cell_type": "markdown", "source": [ "## Create and install VPN client configuration\r\n", "Point-to-Site connections use certificates to authenticate. This article shows how to create a self-signed root certificate and generate client certificates using PowerShell on Windows 10 or Windows Server 2016. If needs are for different certificate instructions, see [Certificates - Linux or Certificates - MakeCert](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site-linux).\r\n", "\r\n", "The steps performed in this article are on a computer running Windows 10 or Windows Server 2016. The PowerShell cmdlets that used to generate certificates are part of the operating system and do not work on other versions of Windows. The Windows 10 or Windows Server 2016 computer is only needed to generate the certificates. Once the certificates are generated, it can be uploaded or installed on any supported client operating system." ], "metadata": { "azdata_cell_guid": "7bf685b8-e375-47ed-93a3-5072c6a27235" } }, { "cell_type": "code", "source": [ "$RG = \"\" # Name of intended Resource Group\r\n", "$GWName = \"\" # VPN Gateway name\r\n", "$P2SRootCertName = \"\" # Name of Root Certificate. For example 'P2SRootCert2.cer'\r\n", "$filePathForCert = \"\" # Path of the certificate file. For example 'D:\\Downloads\\rootcert2.cer'" ], "metadata": { "azdata_cell_guid": "8eab9fb0-1e66-4a34-8e32-cf0644b157d9" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "### **Create a self-signed root certificate**\r\n", "_New-SelfSignedCertificate_ cmdlet is used to create a self-signed root certificate. For additional parameter information, see [New-SelfSignedCertificate](https://technet.microsoft.com/itpro/powershell/windows/pkiclient/new-selfsignedcertificate).\r\n", "\r\n", "Use the following example to create the self-signed root certificate. The following example creates a self-signed root certificate named 'P2SRootCert' that is automatically installed in 'Certificates-Current User\\Personal\\Certificates'. certificate can be viewed by opening certmgr.msc, or Manage User Certificates." ], "metadata": { "azdata_cell_guid": "656a1830-ee0b-4a3f-aa54-0eb3435d730a" } }, { "cell_type": "code", "source": [ "$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `\r\n", "-Subject \"CN=P2SRootCert\" -KeyExportPolicy Exportable `\r\n", "-HashAlgorithm sha256 -KeyLength 2048 `\r\n", "-CertStoreLocation \"Cert:\\CurrentUser\\My\" -KeyUsageProperty Sign -KeyUsage CertSign" ], "metadata": { "azdata_cell_guid": "4348e0f6-957b-47f6-99db-8a4d4f6f4d25" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "### **Generate a client certificate**\r\n", "Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. A client certificate can be generated from the self-signed root certificate, and then it can export and install the client certificate. If the client certificate is not installed, authentication fails.\r\n", "This example continues from the previous section and uses the declared '$cert' variable.\r\n", "\r\n", "Modify and run the example to generate a client certificate. If the following example is executed without modifying it, the result is a client certificate named 'P2SChildCert'. If name of the child certificate needs to be something else,then modify the CN value. Do not change the TextExtension when running this example. The client certificate which is generated is automatically installed in 'Certificates - Current User\\Personal\\Certificates' on computer." ], "metadata": { "azdata_cell_guid": "a5a31ec0-2ead-4b41-9817-e81ea70082c0" } }, { "cell_type": "code", "source": [ "New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `\r\n", "-Subject \"CN=P2SChildCert\" -KeyExportPolicy Exportable `\r\n", "-HashAlgorithm sha256 -KeyLength 2048 `\r\n", "-CertStoreLocation \"Cert:\\CurrentUser\\My\" `\r\n", "-Signer $cert -TextExtension @(\"2.5.29.37={text}1.3.6.1.5.5.7.3.2\")" ], "metadata": { "azdata_cell_guid": "c993fb71-9c27-4b70-8477-3a0003825db4", "tags": [] }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "### **Replace the file path variable with file path to the exported root certificate, and then run the variable cmdlets:**" ], "metadata": { "azdata_cell_guid": "5df2cb79-0fe4-414e-a1f4-9f2270634d54" } }, { "cell_type": "code", "source": [ "$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)\r\n", "$CertBase64_3 = [system.convert]::ToBase64String($cert.RawData)\r\n", "$p2srootcert = New-AzVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64_3" ], "metadata": { "azdata_cell_guid": "f75c1f83-82ca-4005-903e-935a787c1a5a" }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "### **Upload the public key information to Azure**\r\n", "_New-AzVpnClientRootCertificate_ cmdlet creates a new VPN client root certificate" ], "metadata": { "azdata_cell_guid": "8e6f2cba-020a-4fe0-ad1c-95528fbb54b0" } }, { "cell_type": "code", "source": [ " New-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName `\r\n", " -VirtualNetworkGatewayName $GWName -ResourceGroupName $RG `\r\n", " -PublicCertData $CertBase64_3" ], "metadata": { "azdata_cell_guid": "2448dc49-ce6e-49f2-8abf-f824461738e6", "tags": [ "hide_input" ] }, "outputs": [], "execution_count": null }, { "cell_type": "markdown", "source": [ "### **Verify that the root certificate uploaded**\r\n", "_Get-AzVpnClientRootCertificate_ cmdlet gets information about VPN root certificates" ], "metadata": { "azdata_cell_guid": "20c00239-cd9f-4515-9275-c8797890744c" } }, { "cell_type": "code", "source": [ "Get-AzVpnClientRootCertificate -ResourceGroupName $RG -VirtualNetworkGatewayName $GWName" ], "metadata": { "azdata_cell_guid": "9f714fa9-f3ec-4a75-b736-05ec9b8948c0" }, "outputs": [], "execution_count": null } ] }