Updating root certificates for a P2S VPN gateway

Question

Updating root certificates for a P2S VPN gateway

Eric Maussion 26

I have an issue with expired root certificates in my VPN gateway.

The new certificate is applied (in the console/CLI) but the gateway just does not use it and reports a certificate error when connecting with an OpenVPN client using the new root CA (seems like it still expects the old certificate). Downloading the "client" template from the Azure portal shows it still uses the old certificate. I've tried resetting the gateway with no luck.

How do I force the gateway to use the new root certificate?

For reference, this (waiting) did not work for me, the certificates have been updated 5 days ago:
https://learn.microsoft.com/en-us/answers/questions/2247170/azure-virtual-network-gateway-stubbornly-keeps-cac

Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-05-05T16:33:57.5333333+00:00

Hello Eric Maussion

Can you please delete the Point to Site configuration and re-configure it.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Eric Maussion 26 Reputation points

2025-05-05T17:21:34.82+00:00

Absolutely not, people use this all day to work at our company (using the AAD method).
Venkat V 2,545 Reputation points Microsoft External Staff Moderator

2025-05-06T16:37:10.62+00:00

Thanks for your reply

Could you please share the cmd result below? Check to see if it shows the old or new certificate.

Get-AzVpnClientRootCertificate -ResourceGroupName "TestRG1" -VirtualNetworkGatewayName "VNet1GW"

Also, confirm that you have deleted the old VPN profile from the VPN client and downloaded and added the new profile to the VPN client.
Vinay B 500 Reputation points Microsoft External Staff Moderator

2025-05-08T14:12:58.0533333+00:00

Hi Eric Maussion,

We haven’t heard from you on the last response, and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details as Venkat V requested for, and we will try to help.

1 answer

Your answer

Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-05-05T16:33:57.5333333+00:00

Hello Eric Maussion

Can you please delete the Point to Site configuration and re-configure it.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Eric Maussion 26 Reputation points

2025-05-05T17:21:34.82+00:00

Absolutely not, people use this all day to work at our company (using the AAD method).
Venkat V 2,545 Reputation points Microsoft External Staff Moderator

2025-05-06T16:37:10.62+00:00

Thanks for your reply

Could you please share the cmd result below? Check to see if it shows the old or new certificate.

Get-AzVpnClientRootCertificate -ResourceGroupName "TestRG1" -VirtualNetworkGatewayName "VNet1GW"

Also, confirm that you have deleted the old VPN profile from the VPN client and downloaded and added the new profile to the VPN client.
Vinay B 500 Reputation points Microsoft External Staff Moderator

2025-05-08T14:12:58.0533333+00:00

Hi Eric Maussion,

We haven’t heard from you on the last response, and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, please respond with more details as Venkat V requested for, and we will try to help.

Answer 1

Sindhuja Dasari 1,520 Microsoft External Staff Moderator

Hello Eric Maussion

I understand that you're running into issues with your VPN gateway, even though the new certificate is uploaded via CLI or portal, the gateway often continues to use the old root certificate internally for client validation (as reflected in the downloaded VPN configuration/profile). Here’s how you can address this:

Remove the old root certificate completely from the P2S configuration:

If the new root certificate is verified to be present but the old one is still causing connection attempts, consider removing the old root certificate from the Point-to-Site configuration.

Go to the Azure Portal.
Navigate to your Virtual Network Gateway.
Under Point-to-site configuration, remove all existing root certificates.
Save the configuration.

Or you can remove an old root certificate via PowerShell using:

Remove-AzVpnClientRootCertificate -VpnClientRootCertificateName "<OldRootCertName>" -VirtualNetworkGatewayName "<YourGatewayName>" -ResourceGroupName "<YourResourceGroupName>"

Wait for 15 minutes after removing the root certs — this ensures the gateway flushes internal cache and state.

Add the new root certificate:

Now add your new root certificate (Base64-encoded .cer).
Make sure the certificate name is unique (i.e., different from the old one, to prevent weird conflicts).
Save the configuration again.

Regenerate and download the VPN profile:

Go back to Point-to-site configuration.
Click Download VPN Client again (choose OpenVPN if applicable).
This profile should now include the new root certificate in the configuration.

Distribute the new profile to clients:

Replace old profiles on client machines with this updated one.
Ensure the client machine trusts the new root certificate (installed in the Local Machine/Trusted Root CA store, if necessary).

Restart the Gateway (again):

While you've mentioned resetting the gateway didn’t help, it can sometimes take a little while for changes to propagate. You might want to attempt the reset again after making sure all settings are correctly configured.

Run the following Azure CLI command to restart the gateway forcefully:

az network vnet-gateway reset --name <GatewayName> --resource-group <ResourceGroupName>

Once restarted, download the VPN profile (ensure new certificate is included) and distribute the new profile to clients.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Eric Maussion 26 Reputation points

2025-05-05T15:51:29.2866667+00:00

The old certificate was already removed, you cannot save a VPN gateway with an expired root CA.
Also I've checked the consistency between the az cli and the console (they both return the new root certificate in their information) but under the hood it's not used.
Venkat V 2,545 Reputation points Microsoft External Staff Moderator

2025-05-06T12:18:08.35+00:00
Hi @Eric Maussion

You can follow the troubleshooting steps below to resolve the issue.

Upload the new certificate and make a dummy setting change. For example, toggle the Tunnel Type from 'IKEv2 + OpenVPN' to 'IKEv2 only', click Save, wait, then switch it back and save again. This forces Azure to regenerate the VPN profile and push the new configuration.

One update the new certificate verify that the certificate file uploaded using the cmdlet below.

Get-AzVpnClientRootCertificate -ResourceGroupName "TestRG1" -VirtualNetworkGatewayName "VNet1GW"

After updating the settings, delete the existing VPN profile from the VPN client and remove the old VPN file from the local machine. Then download the new VPN file from the Azure portal, attach the new profile to the VPN client, and check the connection status.

Reference: https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-certificate-gateway

If the above is unclear and/or you are unsure about something, add a comment below.
Eric Maussion 26 Reputation points

2025-05-06T15:24:34.8366667+00:00

OpenVPN.log

Changing the tunnel type to anything else than "OpenVPN or IKEv2" and "OpenVPN" is not possible because I also use AAD as authentication (this is the main auth type for 90% of our users) and AAD requires OpenVPN.
That being said, I already tried this ("dummy" change then save, then reset, then re-add the root certificate then save then reset). The CLI/console update accordingly but the template VPN client remains the same and clients cannot connect with their "new" client certificate.
As a side note, my client certificate is correctly verified by the root certificate when I run openssl verify locally but I get a CERT_VERIFY_FAILED. Attached is my openvpn log (verbosity 8 with sensitive data removed) for reference.
KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator

2025-05-09T13:33:29.1933333+00:00
@Eric Maussion ,

Greetings.

From the discussion you had with , I take it that

You have completely removed the old certificate from the VPN Gateway

And you see that the VPN Client configuration file created by the VPN Gateway is similar to the old one (where the VPN Gateway was using the older certificate)

Analysis,

From "Get-AzVpnClientRootCertificate" , are you getting the old certificate or new one?

Additionally, you can verify this using the "Export Template" property of the VPN Gateway Portal blade

Should you see the newer certificate, this simply means that the certificate was updated in the VPN gateway.

How are you verifying that the "old certificate" is still in use?

Are the clients able to connect to the VPN gateway using the old client certificate(s)?

Or are you checking the "P2S CA root certificate" value from the VPN Client package and observe that there is no change?

Additionally, see : Configure OpenVPN Connect 3.x client

The OpenVPN client is independently managed and not under Microsoft's control. This means Microsoft doesn't oversee its code, builds, roadmap, or legal aspects. Should customers encounter any bugs or issues with the OpenVPN client, they should directly contact OpenVPN Inc. support. The guidelines in this article are provided 'as is' and haven't been validated by OpenVPN Inc. They're intended to assist customers who are already familiar with the client and wish to use it to connect to the Azure VPN Gateway in a Point-to-Site VPN setup.

The steps mentioned in this document suggest you should manually add the

Client Certificate

Root Certificate

Private Key

I did a Lab (with OpenVPN) and I was able to get this connected without any issue

I did use the new certificate only (while the old certificate was still within the VPN gateway)

Note that this should not be an issue as the Private key, Root and Client certificates I used in the OpenVPN Configuration files are from newer certificate

Finally, the best way to validate this is by using the Azure VPN Client

You can use a dummy remote server and install the new Root and Client certificates.

Your P2S Config file will contain the Azure VPN Client configuration file too

If you use this and the new Client certificate, that simply means the new certificate is working and there could be configuration issue from OpenVPN side.

Hope this helps

Cheers,

Kapil

Share via

Updating root certificates for a P2S VPN gateway

1 answer

Your answer