  1. Create root certificate and client certificates:
    1. Mac:
      1. Install openssl if it is not already installed.
      2. Execute commands to create the root certificate:

        # Generate the root private key (AES-256 encrypted; you will be prompted for a passphrase)
        openssl genrsa -aes256 -out RootAzureVPN.key 2048
        # Generate a self-signed root certificate valid for 10 years (3650 days)
        openssl req -x509 -sha256 -new -key RootAzureVPN.key -out RootAzureVPN.cer -days 3650 -subj /CN=RootAzureVPN
      3. Execute commands to create the client certificate:

        # Generate the client private key and a certificate request
        openssl genrsa -out clientCert.key 2048
        openssl req -new -out clientCert.req -key clientCert.key -subj /CN=ClientAzureVPN
        # Issue a certificate from the request and sign it as the CA created above (valid for 1800 days)
        openssl x509 -req -sha256 -in clientCert.req -out clientCert.cer -CAkey RootAzureVPN.key -CA RootAzureVPN.cer -days 1800 -CAcreateserial -CAserial serial
        # Pack key and certificate into a .pfx (PKCS #12) file; you will be prompted for an export password
        openssl pkcs12 -export -out clientCert.pfx -inkey clientCert.key -in clientCert.cer -certfile RootAzureVPN.cer
    2. Windows 10 and Windows Server 2016:
        • Note: Server 2016 should in theory work, but the resulting certificate could not be installed in Azure when it was tested previously.
        • The following commands are executed in PowerShell started with ‘Run as administrator’.
        • Replace P2SRootCert and P2SChildCert with something appropriate for the site, such as <SiteName>RootCert and <SiteName>ClientCert, where <SiteName> is replaced with the actual site name.
      2. Create a self-signed root certificate:

        $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" `
        -KeyUsageProperty Sign -KeyUsage CertSign

        IMPORTANT: the backtick (`) at the end of each line tells PowerShell that the command continues on the next line.

      3. Create a client certificate signed by the root certificate above:

        # 2.5.29.37 is the Extended Key Usage extension; 1.3.6.1.5.5.7.3.2 is Client Authentication
        New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
        -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
      4. Check that at least the two generated/registered certificates are listed:

        PS C:\> Get-ChildItem -Path "Cert:\CurrentUser\My"
        Thumbprint                                Subject
        ----------                                -------
        F3C3B23CDCBFC90AA606446966E2FAAD49B70AC5  CN=P2SRootCert
        44E1451EE36DBCD82A1B752ECC854CBE0271C520  CN=P2SChildCert
      5. Export the root certificate from Certificate Manager (certmgr.msc). Options:
        • No private key
        • Base-64 encoded X.509 (.CER) file
      6. Export the client certificate. Options:
        • Include the private key
        • Personal Information Exchange - PKCS #12 (.PFX) format
        • Select a secure password and write it down. It will be needed to install the client certificate on the client later.
  2. Install root certificate in Azure:
    1. Connect to the Azure Portal from the client where the certificates were generated from.
    2. Open the root certificate .cer file in TextEdit (Mac) or Notepad (Windows) and copy the part between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines of the generated certificate.

      Be sure the editor you use does not alter the formatting of the content (no added line breaks, spaces, or rich-text formatting).
    3. Navigate to VNET Gateway’s Point-to-site configuration in the Portal and add it to the root certificate list.
    4. Save the change.
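As an added example (not from the original page), the Mac openssl steps in section 1 and the base64 extraction in section 2 as a script with the checks worth running before touching the portal: the client certificate verifies against the root, it carries the client-authentication extended key usage, and the root body is a single clean base64 line. File names, the passphrase argument and the 1800-day client validity are assumptions.

```sh
#!/bin/sh
# Added example: scripted root CA + client certificate for Azure P2S (hypothetical names).
set -eu

make_certs() {            # $1 = output dir, $2 = passphrase for root key and .pfx
  dir=$1; pw=$2
  mkdir -p "$dir"
  # Root key (AES-256 encrypted, as on the page) and a 10-year self-signed root
  openssl genrsa -aes256 -passout "pass:$pw" -out "$dir/RootAzureVPN.key" 2048 2>/dev/null
  openssl req -x509 -sha256 -new -key "$dir/RootAzureVPN.key" -passin "pass:$pw" \
    -out "$dir/RootAzureVPN.cer" -days 3650 -subj /CN=RootAzureVPN
  # Client key and certificate request
  openssl genrsa -out "$dir/clientCert.key" 2048 2>/dev/null
  openssl req -new -key "$dir/clientCert.key" -out "$dir/clientCert.req" \
    -subj /CN=ClientAzureVPN
  # Sign with the root; add the clientAuth EKU that Azure P2S client certificates carry
  printf 'extendedKeyUsage = clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -sha256 -in "$dir/clientCert.req" -out "$dir/clientCert.cer" \
    -CA "$dir/RootAzureVPN.cer" -CAkey "$dir/RootAzureVPN.key" -passin "pass:$pw" \
    -CAcreateserial -days 1800 -extfile "$dir/client.ext"
  # Bundle key + cert as .pfx; the export password is what the client install asks for
  openssl pkcs12 -export -out "$dir/clientCert.pfx" -inkey "$dir/clientCert.key" \
    -in "$dir/clientCert.cer" -certfile "$dir/RootAzureVPN.cer" -passout "pass:$pw"
}

# Exit 0 only if the client certificate chains to the root
verify_chain() {
  openssl verify -CAfile "$1/RootAzureVPN.cer" "$1/clientCert.cer" >/dev/null
}

# Exit 0 only if the client certificate has the client-authentication EKU
has_client_auth_eku() {
  openssl x509 -in "$1/clientCert.cer" -noout -text | grep -q 'TLS Web Client Authentication'
}

# The portal's root certificate field takes only the base64 between the
# BEGIN/END lines, as one line with no whitespace
azure_root_b64() {
  sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$1/RootAzureVPN.cer" \
    | grep -v CERTIFICATE | tr -d '\n\r '
}
```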
  3. Install client certificate on the client – Windows & Mac:
  4. Download VPN config from Azure Portal to client.
    1. Log in to the Azure Portal from the client
    2. Navigate to the VNET Gateway’s Point-to-site configuration
    3. Click the ‘Download VPN client’ button:
  5. Install VPN config on client:
    1.  Mac:
      1. IKEv2:
      2. OpenVPN: 
    2.  Windows:
      1. OpenVPN:
  6. Optional: Add a hosts file entry with the primary server's private IP if you want to reference it by name from the client
    1.  Mac:
      1. Launch the Terminal application found in Applications/Utilities
      2. Type: sudo nano /etc/hosts<Enter>
      3. Enter Administrator password when prompted and hit Enter
      4. Add an entry for the primary server, e.g. PrinergyPrimaryName
      5. Save the file: Control+O
      6. Exit nano: Control+X
