How do we renew the SSL Signing certificate used in Azure Point to Site VPN (DEV)?

Background:
Point to Site VPN connections with Azure DEV environment are authenticated using SSL certificates.

These must be signed by a certificate that has been "trusted" by the Azure DEV VPN gateway configurations.

By default, SSL certificates are designed to "expire" on a set time frame. The DEV environment within our Azure subscription has been configured with the relevant configurations to accept the Client SSL certificates signed by the Signing certificate that is installed on DCPSYSCT01 (172.16.194.7).

Signing certificate name: Azure_P2SRootCert_DEV
Signing certificate thumbprint: 33d2435fc482f5f3823ef2a84f0ac9738825bfd9
Signing certificate expiry date: 24/04/2022

When the above certificate is about to expire, we must configure the systems with a new Signing certificate.

Solution:

These steps will generate a new signing certificate valid for 5 years, which will be configured to be trusted on the Azure DEV VPN gateway.
After renewal, ALL existing client SSL certificates signed by the old signing certificate will need to be created again. Details for this can be found here - http://osticket.qigroup.com/osTicket/scp/faq.php?id=50
Reference: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-classic-azure-portal 

Generate a new self-signed SSL Signing certificate on DCPSYSCT01:
1. Remote desktop into DCPSYSCT01 as a local administrator.

2. Launch an elevated Windows Powershell Window.

3. Run the following command:
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=Azure_P2SRootCert_DEV_YYYY" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\LocalMachine\My" -KeyUsageProperty Sign -KeyUsage CertSign -NotAfter (Get-Date).AddMonths(60)

Where:
YYYY = YEAR

Example:
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=Azure_P2SRootCert_DEV_2017" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\LocalMachine\My" -KeyUsageProperty Sign -KeyUsage CertSign -NotAfter (Get-Date).AddMonths(60)


4. Run the following command, and note down the certificate thumbprint created for the new signing certificate.

NOTE: this new thumbprint needs to be used when creating all new client SSL certificates. Please update the thumbprint information at the top of this KB, and also here - http://osticket.qigroup.com/osTicket/scp/faq.php?id=50

Get-ChildItem -Path "Cert:\LocalMachine\My"


5. Go to the search box, type MMC and hit enter.

6. On the User Account Control screen, click Yes to continue.

7. Within the MMC console screen, click on File>Add/Remove Snap-in...

8. On the Add or Remove Snap-ins screen, click Certificates from the Available snap-ins list, and click Add.

9. On the Certificates snap-in screen, choose Computer account, and click Next.

10. On the Select Computer screen, ensure Local computer is selected, and click Finish.

11. On the Add or Remove Snap-ins screen, click on OK.

12. Within the MMC console screen, browse to Certificates>Personal>Certificates.

13. In the right-hand pane, right-click the new Signing certificate created in step 3 (Azure_P2SRootCert_DEV_YYYY), and go to All Tasks>Export...

14. On the Welcome to the Certificate Export Wizard screen, click Next.

15. On the Export Private Key screen, choose No, do not export the private key, and click Next.

16. On the Export File Format screen, check Base-64 encoded X.509 (.CER), and click Next.

17. On the File to Export screen, click Browse...

18. In the Save As screen, browse to C:\AZURE_SSL\Signing SSL\, and enter the filename as:
Azure_P2SRootCert_DEV_PUBLIC_YYYYMMDD.cer

Where:
YYYYMMDD = today's date as YEARMONTHDAY

Example:
Azure_P2SRootCert_DEV_PUBLIC_20170426.cer

Click Save.

19. On the File to Export screen, click Next.

20. On the Completing the Certificate Export Wizard screen, verify the information, and click Finish.

21. On the Certificate Export Wizard screen, verify that the export was successful, and click on OK.

Take a copy of the new CER file created above.
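The local part of the procedure (steps 3 to 21) can also be done without the MMC wizard. The script below is an added example, not part of the original KB or of Microsoft's documentation; it assumes the output folder C:\AZURE_SSL\Signing SSL from step 18 and the naming convention above, and it checks that the exported .cer carries the new thumbprint and no private key before you copy it to the Azure portal.

```powershell
# Added example (not from the original KB). Run in an elevated PowerShell window on DCPSYSCT01.
$Year      = (Get-Date).Year                 # YYYY suffix for the subject name
$OutFolder = 'C:\AZURE_SSL\Signing SSL'      # folder used in step 18 (assumption: same as KB)
$subject   = "CN=Azure_P2SRootCert_DEV_$Year"

# Step 3: self-signed signing (CA) certificate, 60-month validity, exportable key.
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject $subject -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign -NotAfter (Get-Date).AddMonths(60)

# Step 4: record the thumbprint; it goes into the KBs and every client-certificate command.
Write-Host "New signing certificate thumbprint: $($cert.Thumbprint)"
Write-Host "Expires: $($cert.NotAfter)"

# Steps 13-21: export the PUBLIC part only (no private key) as Base-64 encoded X.509 (.CER),
# the format the Azure portal upload in steps 28-30 expects.
if (-not (Test-Path $OutFolder)) { New-Item -ItemType Directory -Path $OutFolder | Out-Null }
$cerPath = Join-Path $OutFolder ("Azure_P2SRootCert_DEV_PUBLIC_{0:yyyyMMdd}.cer" -f (Get-Date))
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
@('-----BEGIN CERTIFICATE-----', $b64, '-----END CERTIFICATE-----') |
    Set-Content -Path $cerPath -Encoding Ascii

# Check: the file re-imports as a certificate with the same thumbprint and no private key.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($check.Thumbprint -ne $cert.Thumbprint -or $check.HasPrivateKey) {
    throw "Exported file does not match the new signing certificate: $cerPath"
}
Write-Host "Exported public certificate: $cerPath"

# For the record: show the old signing certificate (thumbprint from the top of this KB)
# and its expiry, so the handover note states exactly what is being replaced.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq '33d2435fc482f5f3823ef2a84f0ac9738825bfd9' |
    Select-Object Subject, Thumbprint, NotAfter
```

The private key of the new signing certificate stays in the LocalMachine\My store on DCPSYSCT01; only the .cer file written by the script is uploaded to Azure.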

Importing the new Signing certificate public key to Azure DEV VPN gateway
22. Log in to http://portal.azure.com with the relevant admin credentials.

23. On the Dashboard, click on All resources.

24. Under All resources, look for NS4S_DEV_VNET, and click on it.

25. Under NS4S_DEV_VNET>Overview, click on the Clients icon under VPN connections>Point-to-site.

26. Under Point-to-site VPN connection, click on Manage Certificate.

27. Under Certificates, click on Upload.

28. Under Upload certificate, click on the folder icon.

29. Locate the copy of the CER file taken in step 21, and click Open.

30. Under Upload certificate, ensure the correct CER file is listed, and then click OK.

31. Click on the Notifications icon at the top, and monitor the status of the task.

32. Under Certificates, verify that the new Signing certificate is listed.

NOTE: You should be able to see the thumbprint as noted in step 4.

Additional steps:
Once the above has been finished, please remember to do the following -

  • Update all KBs, documentation and commands to use the new Signing certificate thumbprint
  • All client SSL certificates need to be issued again, using the new Signing certificate.
  • Once all client SSL certificates have been replaced, the old Signing certificate can be removed from the list of certificates listed in step 32.