Install client certificates for P2S certificate authentication connections

When a P2S VPN gateway is configured to require certificate authentication, each client computer must have a client certificate installed locally. This article helps you install a client certificate locally on a client computer. You can also use Intune to install certain VPN client profiles and certificates.

For information about generating certificates, see the Generate certificates section of the Point-to-site configuration article.

Windows

  1. Once the client certificate is exported, locate and copy the .pfx file to the client computer.
  2. On the client computer, double-click the .pfx file to install. Leave the Store Location as Current User, and then select Next.
  3. On the File to import page, don't make any changes. Select Next.
  4. On the Private key protection page, input the password for the certificate, or verify that the security principal is correct, then select Next.
  5. On the Certificate Store page, leave the default location, and then select Next.
  6. Select Finish. On the Security Warning for the certificate installation, select Yes. It's safe to select Yes for this security warning because you generated the certificate.
  7. The certificate is now successfully imported.
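
To confirm the import from step 7, the following PowerShell check inspects the Current User store. It is an added example, not part of the original article. The subject name `P2SChildCert` is a placeholder, and the four checks (private key present, inside validity window, Client Authentication EKU, chain builds to a trusted root) are assumptions about what a usable P2S client certificate needs.

```powershell
# Added example: verify a client certificate imported into Current User > Personal.
# Run as the same user who completed the import wizard.
$SubjectMatch  = 'P2SChildCert'        # hypothetical name; use your certificate's subject
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # OID of the Client Authentication EKU

$certs = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -like "*$SubjectMatch*" }

if (-not $certs) {
    Write-Warning "No certificate matching '$SubjectMatch' found in Current User\Personal."
    return
}

$now = Get-Date
foreach ($cert in $certs) {
    # Read EKU OIDs from the raw extension. No EKU extension means "any purpose".
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids = @()
    if ($ekuExt) {
        $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    }

    # Build the chain without revocation lookups (self-signed roots publish no CRL).
    # Build() returns $false if the issuing root is not in a trusted root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey   # $false means only the public part was imported
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ClientAuthEku = ((-not $ekuExt) -or ($ekuOids -contains $ClientAuthOid))
        ChainTrusted  = $chainOk
    }
}
```

Any `False` in the output points at the item to fix before configuring the VPN client: a missing private key usually means a .cer file was imported instead of the .pfx.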

macOS

  1. Locate the .pfx certificate file and copy it to your Mac. You can get the certificate to the Mac in several ways. For example, you can email the certificate file.
  2. Double-click the certificate. You'll either be asked to input the password and the certificate will automatically install, or the Add Certificates box will appear. On the Add Certificates box, click Add to begin the install.
  3. Select login from the dropdown.
  4. Enter the password that you created when the client certificate was exported. The password protects the private key of the certificate. Click OK.
  5. Click Add to add the certificate.
  6. To view the added certificate, open the Keychain Access application and navigate to the Certificates tab.

Linux

The Linux client certificate is installed on the client as part of the client configuration. There are a few different methods to install certificates. You can follow the strongSwan steps or use the OpenVPN client.

Configure VPN clients

To continue configuration, go back to the client that you were working on. You can use this table to easily locate the link:

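| Authentication     | Tunnel type | Client OS | VPN client                                                             |
|--------------------|-------------|-----------|------------------------------------------------------------------------|
| Certificate        | IKEv2, SSTP | Windows   | Native VPN client                                                      |
| Certificate        | IKEv2       | macOS     | Native VPN client                                                      |
| Certificate        | IKEv2       | Linux     | strongSwan                                                             |
| Certificate        | OpenVPN     | Windows   | Azure VPN client; OpenVPN client version 2.x; OpenVPN client version 3.x |
| Certificate        | OpenVPN     | macOS     | OpenVPN client                                                         |
| Certificate        | OpenVPN     | iOS       | OpenVPN client                                                         |
| Certificate        | OpenVPN     | Linux     | Azure VPN Client; OpenVPN client                                       |
| Microsoft Entra ID | OpenVPN     | Windows   | Azure VPN client                                                       |
| Microsoft Entra ID | OpenVPN     | macOS     | Azure VPN Client                                                       |
| Microsoft Entra ID | OpenVPN     | Linux     | Azure VPN Client                                                       |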

Next steps

Continue with the Point-to-Site configuration steps to Create and install VPN client configuration files. Use the links in the VPN client table.