Cannot authenticate to Azure VPN from Windows 11 using the registered self-signed certificate

Tamás Rózsa 65 Reputation points
2025-03-29T10:36:02.3466667+00:00

We have a Virtual network gateway resource called "VisibleFarm-VPN". As our previous certificate has expired, I wanted to refresh the certificates, but I cannot connect from my PC to this VPN.

Done:

  • I have deleted the old expired certificates from our VPN Gateway.
  • I have generated a new self-signed server certificate in our KeyVault resource, called Save-VisibleFarm, with the name VFDevRootCert (CN=visible.farm).
  • I have downloaded and installed the RootCert onto my local PC, using PowerShell, to Cert:\CurrentUser\My.
  • I have created and installed a self-signed Client cert from the installed Root Cert, named VF_Dev_TRozsaCert. I have followed the step-by-step guide at https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site#clientcert
  • I have exported the Client Cert and set the CER's content into the VPN Gateway's Root Certificate list.

If I try to connect to the VPN using the built-in Windows 11 VPN Client, I receive the error message: "The remote access connection is completed, but authentication failed because the certificate that authenticates the client to the server is not valid. Ensure that the certificate used for authentication is valid."


Accepted answer
  1. Marcin Policht 49,640 Reputation points MVP Volunteer Moderator
    2025-04-03T11:59:45.0866667+00:00

    Glad to see that my earlier suggestion to use the Azure Key Vault-generated certificate as the Root Certificate for your Point-to-Site VPN helped. Note that the reason this does not work, even when you set all the key usage flags, is due to how Azure Key Vault certificates are structured and managed.

    For one, Azure Key Vault generates certificates as end-entity certificates by default. Even if you configure key usage correctly, certificates generated via Azure Key Vault’s built-in certificate creation often lack the explicit Certificate Authority (CA) bit, which is required for a root certificate. Windows requires a Root CA to have the correct extensions (Basic Constraints: CA=True) for it to sign client certificates.

    In addition, Key Vault does not directly issue CA-signed certificates. It is primarily designed for managing certificates issued by public or private Certificate Authorities (CAs), rather than acting as a CA itself. Even if you enable keyCertSign, it may not fully meet the P2S VPN requirements.

    To work around this, you can try either of the following two options:

    Option 1: Manually create and import a CA-Signed root certificate into Key Vault

    Instead of generating the root certificate within Key Vault, you can:

    1. Manually create a self-signed root certificate on a local machine using PowerShell or OpenSSL.
    2. Ensure the certificate has the CA=True extension (Basic Constraints: Subject Type = CA).
    3. Upload the manually created root certificate into Key Vault for storage and management.
    4. Use this root certificate to generate client certificates (which you can also store in Key Vault).

    Steps to Manually Generate a Valid CA Root Cert

    # Generate a self-signed root CA certificate
    $rootCert = New-SelfSignedCertificate -Type Custom `
        -KeyUsageProperty Sign -KeyUsage CertSign `
        -Subject "CN=VisibleFarm Root CA" `
        -KeyExportPolicy Exportable `
        -HashAlgorithm SHA256 `
        -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -NotAfter (Get-Date).AddYears(5)
    
    # Export the certificate to a file (without private key for VPN Gateway)
    Export-Certificate -Cert $rootCert -FilePath "C:\Temp\VFDevRootCert.cer"
    
    # Export as PFX for Key Vault (including private key for internal usage)
    Export-PfxCertificate -Cert $rootCert -FilePath "C:\Temp\VFDevRootCert.pfx" -Password (ConvertTo-SecureString -String "YourStrongPassword" -Force -AsPlainText)
    
    • Upload VFDevRootCert.cer to the VPN Gateway (as the Root Certificate).
    • Upload VFDevRootCert.pfx to Key Vault to manage its lifecycle and allow developers to generate client certificates from it.

    Option 2: Use an external CA (recommended for enterprise scenarios)

    • Instead of using Azure Key Vault to generate a Root Certificate, you can use a trusted internal PKI (Active Directory Certificate Services, Let's Encrypt, or a commercial CA like DigiCert).
    • Upload the trusted CA certificate into Azure Key Vault and reference it for issuing client certificates.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

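    The thread turns on one property of the uploaded root: whether it carries Basic Constraints CA=True and KeyCertSign, which the Key Vault-generated certificate in the question did not, while the locally generated one in the reposted resolution below did. The following script is an added example, not code from Marcin's answer, from Microsoft, or from the original poster; it checks a candidate root for exactly those properties before it is uploaded, confirms that a client certificate actually chains to it, and emits the Base64 body that the gateway's root certificate field expects. The subject names are placeholders taken from this thread, and both certificates are assumed to be in Cert:\CurrentUser\My, as in the steps above.

    ```powershell
    # Added example (not from this thread or from Microsoft): validate a root
    # certificate for Point-to-Site use before uploading it to the gateway.
    # Assumptions: both certificates live in Cert:\CurrentUser\My; the subjects
    # below are placeholders taken from the thread, substitute your own.
    param(
        [string]$RootSubject   = "CN=VisibleFarm Root CA",
        [string]$ClientSubject = "CN=VF_Dev_TRozsaCert"
    )

    function Test-RootCaCertificate {
        param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

        $problems = @()

        # Basic Constraints (OID 2.5.29.19) must exist and carry CA=True. An
        # end-entity certificate, such as a Key Vault default, fails right here.
        $bcRaw = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
        if (-not $bcRaw) {
            $problems += 'Basic Constraints extension missing (end-entity certificate).'
        } else {
            $bc = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($bcRaw, $bcRaw.Critical)
            if (-not $bc.CertificateAuthority) { $problems += 'Basic Constraints present but CA=False.' }
        }

        # Key Usage (OID 2.5.29.15), when present, must include KeyCertSign,
        # otherwise the root is not allowed to sign client certificates.
        $kuRaw = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
        if ($kuRaw) {
            $ku = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($kuRaw, $kuRaw.Critical)
            $certSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
            if (-not ($ku.KeyUsages -band $certSign)) { $problems += 'Key Usage does not include KeyCertSign.' }
        }

        # A root is self-issued and must still be inside its validity period.
        if ($Cert.Subject -ne $Cert.Issuer) { $problems += 'Subject and Issuer differ; this is not a self-signed root.' }
        if ($Cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($Cert.NotAfter)." }

        return $problems
    }

    function Test-ClientChainsToRoot {
        param(
            [System.Security.Cryptography.X509Certificates.X509Certificate2]$Client,
            [System.Security.Cryptography.X509Certificates.X509Certificate2]$Root
        )
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # A private root publishes no CRL, so skip revocation, and tolerate the root
        # not being in Trusted Root Certification Authorities on this machine. The
        # only question asked here is whether the chain ends in the expected root.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
        $null = $chain.Build($Client)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        return ($top.Thumbprint -eq $Root.Thumbprint)
    }

    function Get-GatewayRootCertData {
        param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
        # The gateway's public certificate data field takes the Base64 body only:
        # no BEGIN/END CERTIFICATE lines and, of course, no private key.
        return [Convert]::ToBase64String($Cert.RawData)
    }

    $store  = Get-ChildItem Cert:\CurrentUser\My
    $root   = $store | Where-Object Subject -eq $RootSubject   | Select-Object -First 1
    $client = $store | Where-Object Subject -eq $ClientSubject | Select-Object -First 1
    if (-not $root) { throw "Root certificate '$RootSubject' not found in Cert:\CurrentUser\My" }

    $issues = @(Test-RootCaCertificate -Cert $root)
    if ($issues.Count -gt 0) {
        Write-Warning "'$RootSubject' is not usable as a P2S root certificate:"
        $issues | ForEach-Object { Write-Warning "  - $_" }
        exit 1
    }

    Write-Host "'$RootSubject' passes the CA checks."
    if ($client) {
        if (Test-ClientChainsToRoot -Client $client -Root $root) {
            Write-Host "'$ClientSubject' chains to '$RootSubject'."
        } else {
            Write-Warning "'$ClientSubject' does NOT chain to '$RootSubject'; it was issued by '$($client.Issuer)'."
        }
    }
    Write-Host "Public certificate data for the gateway root list:"
    Write-Host (Get-GatewayRootCertData -Cert $root)
    ```

    Run it after creating the root with the New-SelfSignedCertificate command above and again against any certificate exported from Key Vault: the first warning it prints is the reason the gateway rejected the client certificate, and a root that passes all three checks is the one whose Base64 output belongs in the gateway's root certificate list.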

1 additional answer

  1. Ganesh Patapati 6,915 Reputation points Microsoft External Staff Moderator
    2025-04-03T09:52:57.07+00:00

    Hello @Tamás Rózsa

    Good catch!

    Glad the issue is resolved for you finally. I will have this answer promoted by reposting it, as the Original Poster (you) will not be able to accept your own answer. This is in an attempt to help others looking for a solution to a similar issue. Thanks again for sharing the solution here. Have a good day!

    Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution.

    Issue: Cannot authenticate to Azure VPN from Windows 11 using the registered self-signed certificate

    Resolution: We have found the problem.

    The root cert upload to the VPN config was basically right, but of the two options:

    • if we generate a root cert on my local computer, upload it to the VPN root cert list, install it on my local computer, and use it to generate a client cert, the connection is working;
    • if we generate a root cert in our Azure KeyVault, upload it to the VPN root cert list, download and install it as a PFX (including private keys) onto my local computer, and use it to generate a client cert, the connection is NOT working.

    So the problem is that I cannot use an Azure-generated cert as a root cert, even if I set all the usage flags under the policy configuration of the cert. Do you have any idea why that is? I would find it better if we could use an Azure-managed cert as the root cert, to be able to control the expiry and to let any of our developers download it if they would like to create their own client cert. Is it possible with some specific flags during the cert generation?


    Please click "Accept" on the answer, as original posters help the community find answers faster by identifying the correct answer.

