How to renew Client SSL certificates for Point to Site VPN with Azure (DEV).md

#azure

Background
In order to connect to the Azure DEV environment, we utilize the Point to Site VPN connection option provided by Microsoft.

This solution only requires that the user has the VPN installation package, and the corresponding Client SSL certificate. At the time of writing, the Azure Point to Site VPN configuration only accepts 1 form of authentication - a Client SSL certificate signed by a signing SSL certificate specified by us.

The DEV environment within our Azure subscription has been configured with the relevant configurations to accept the Client SSL certificates signed by the signing certificate that is installed on DCPSYSCT01 (172.16.194.7).

Signing certificate name: Azure_P2SRootCert_DEV
Signing certificate thumbprint: 33d2435fc482f5f3823ef2a84f0ac9738825bfd9
Signing certificate expiry date: 24/04/2022

All client SSL certificates for connecting to our Azure DEV environment need to be signed by this certificate.

Solution
To create a new Client SSL certificate, you must follow the below steps.

Reference - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site#clientcert

IMPORTANT: Please ensure the relevant approvals have been obtained by the various parties, before proceeding.

1. Remote desktop into DCPSYSCT01 as a local administrator.
image

2. Launch an elevated Windows PowerShell ISE.

3. Click File>Open and browse to C:\Scripts and open GENERATE_AZURE_SSL.ps1.

4. Edit the following fields to be relevant for your case

Where:
CompanyName = The name of the company the requestor belongs to (e.g. QI)
Firstname = the requestor's given name
Lastname = the requestor's family name
*NUMBER__OFMONTHS* = the number of months the client certificate should be valid for (standard should be 12)

5. Save the script and run.

Manual Steps if script does not work:

a. Launch an elevated Windows Powershell Window.

image

b. Run the following command
Get-ChildItem -Path “Cert:\LocalMachine\My”

c. Verify that the signing certificate with the correct thumbprint is listed in the returned list of certificates
image