Managed Services 1.0

Space shortcuts

Page tree

Versions Compared

Old Version 7

changes.mady.by.user user-0a21f

Saved on

compared with

New Version 8

changes.mady.by.user user-0a21f

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Published by Scroll Versions from space KMS and version 1.0

...

  1. Create root certificate and client certificates:
    1. Mac:
      1. Install Open Terminal (under Application→Utilities) and install openssl if it is not already installed.

      2. Execute commands to create root certificate:

        Code Block
        # Generate root private key 
openssl genrsa -aes256 -out RootAzureVPN.key 2048

# Generate a root certificate valid for 10 years
openssl req -x509 -sha256 -new -key RootAzureVPN.key -out RootAzureVPN.cer -days 1825 -subj /CN=RootAzureVPN

      1. Execute commands to create client certificate: 

        Code Block
        # Generate a certificate request
openssl genrsa -out clientCert.key 2048
openssl req -new -out clientCert.req -key clientCert.key -subj /CN=ClientAzureVPN

# Generate a certificate from the certificate request and sign it as the CA that you are.
openssl x509 -req -sha256 -in clientCert.req -out clientCert.cer -CAkey RootAzureVPN.key -CA RootAzureVPN.cer -days 1825 -CAcreateserial -CAserial serial

# Pack key and certificate in a .pfx (pkcs12 format)
openssl pkcs12 -export -out clientCert.pfx -inkey clientCert.key -in clientCert.cer -certfile RootAzureVPN.cer
    2. Windows 10 and Windows Server 2016:
      1. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
        • Note: 2016 theoretically should work but certificate could not be installed in Azure when tested previously
        • The following commands are executed in Powershell in ‘Run as administrator’ mode
        • Replace P2SRootCert and P2SChildCert with something appropriate for the site such as <SiteName>RootCert and <SiteName>ClientCert where <SiteName> is replaced with the actual site name.

      2. Create a self-signed root certificate:

        Code Block
        $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" `
-KeyUsageProperty Sign -KeyUsage CertSign

        IMPORTANT: `in each command line tells Powershell the command continues into next the line

      3. Create a client certificate:

        Code Block
        New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

      4. Check that at least the two generated/registered certificates are listed:

        Code Block
        PS C:\> Get-ChildItem -Path "Cert:\CurrentUser\My"

Thumbprint                                Subject
----------                                -------
F3C3B23CDCBFC90AA606446966E2FAAD49B70AC5  CN=P2SRootCert
44E1451EE36DBCD82A1B752ECC854CBE0271C520  CN=P2SChildCert
      5. Export the root certificate from Certificate Manager (certmgr.msc).  Options:
        • No Private key
        • Base 64 certificate (.cer) file
      6. Export the client certificate.  Options:
        • Include private key
        • Personal Information Exchange - PKCS #12 (.PFX) format
        • Select a secure password and write it down.  It will be needed to install the client certificate in the client later.
  2. Install root certificate in Azure:
    1. Connect to the Azure Portal from the client where the certificates were generated from.
    2. Open the root certificate .cerfile in a TextEdit (Mac) or Notepad (Windows) and copy the parts between the -----BEGIN CERTIFICATE-----and -----END CERTIFICATE-----lines from the generated certificate.

      IMPORTANT:       Be sure the editor you use does not alter the formatting of the content.
    3. Navigate to VNET Gateway’s Point-to-site configuration in the Portal and add it to the root certificate list.
    4. Save the change.
  3. Install client certificate on the client – Windows & Mac: https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-how-to-vpn-client-install-azure-cert
  4. Download VPN config from Azure Portal to client.
    1. Login to Azure Portal from the client
    2. Navigate to the VNET Gateway’s Point-to-site configuration
    3. Click the ‘Download VPN client’ button:
  5. Install VPN config on client:
    1.  Mac:
      1. IKEv2: https://docs.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-configuration-azure-cert
      2. OpenVPN: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-openvpn-clients 
    2.  Windows:
      1. OpenVPN:https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-openvpn-clients
  6. Optional: Add a host file entry with the primary servers private IP if you want to reference it by name from the client
    1.  Mac:
      1. Launch the Terminal application found in Applications/Utilities
      2. Type: sudo nano /etc/hosts<Enter>
      3. Enter Administrator password when prompted and hit Enter
      4. Add an entry for the primary server – eg: 10.1.234.3 PrinergyPrimaryName
      5. Save the file: Control+O
      6. Exit nano: Control+X

...