Generate and export certificates - Linux (strongSwan)

VPN Gateway point-to-site connections can use certificates to authenticate. This article shows you how to create a self-signed root certificate and generate client certificates using strongSwan. You can also use PowerShell or MakeCert.

Each client must have a client certificate installed locally to connect. Additionally, the root certificate public key information must be uploaded to Azure. For more information, see Point-to-site configuration - certificate authentication.

Install strongSwan

The following steps help you install strongSwan.

The following configuration was used for the steps below:

  • Computer: Ubuntu Server 18.04
  • Dependencies: strongSwan

Use the following commands to install the required strongSwan configuration:

sudo apt install strongswan
sudo apt install strongswan-pki
sudo apt install libstrongswan-extra-plugins

Use the following command to install the Azure command-line interface:

curl -sL | sudo bash

For more information, see Additional instructions to install the Azure CLI.

Linux CLI instructions (strongSwan)

The following steps help you generate and export certificates using the Linux CLI (strongSwan).

Generate the CA certificate.

ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem

Print the CA certificate in base64 format. This is the format that is supported by Azure. You upload this certificate to Azure as part of the P2S configuration steps.

openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo

Generate the user certificate.

export PASSWORD="password"
export USERNAME="client"

ipsec pki --gen --outform pem > "${USERNAME}Key.pem"
ipsec pki --pub --in "${USERNAME}Key.pem" | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem > "${USERNAME}Cert.pem"

Generate a p12 bundle containing the user certificate. This bundle will be used in the next steps when working with the client configuration files.

openssl pkcs12 -in "${USERNAME}Cert.pem" -inkey "${USERNAME}Key.pem" -certfile caCert.pem -export -out "${USERNAME}.p12" -password "pass:${PASSWORD}"

Next steps

Continue with your point-to-site configuration to Create and install VPN client configuration files - Linux.