Updating root certificates for a P2S VPN gateway

Eric Maussion 26 Reputation points
2025-05-05T08:19:19.5133333+00:00

I have an issue with expired root certificates in my VPN gateway.

The new certificate is applied (in the console/CLI) but the gateway just does not use it and reports a certificate error when connecting with an OpenVPN client using the new root CA (seems like it still expects the old certificate). Downloading the "client" template from the Azure portal shows it still uses the old certificate. I've tried resetting the gateway with no luck.

How do I force the gateway to use the new root certificate?

For reference, this (waiting) did not work for me, the certificates have been updated 5 days ago:
https://learn.microsoft.com/en-us/answers/questions/2247170/azure-virtual-network-gateway-stubbornly-keeps-cac


1 answer

  1. Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator
    2025-05-05T09:57:32.5166667+00:00

    Hello Eric Maussion

    I understand that you're running into issues with your VPN gateway: even though the new certificate is uploaded via CLI or portal, the gateway often continues to use the old root certificate internally for client validation (as reflected in the downloaded VPN configuration/profile). Here’s how you can address this:

    Remove the old root certificate completely from the P2S configuration:

    If the new root certificate is verified to be present but the old one is still causing connection attempts, consider removing the old root certificate from the Point-to-Site configuration.

    • Go to the Azure Portal.
    • Navigate to your Virtual Network Gateway.
    • Under Point-to-site configuration, remove all existing root certificates.
    • Save the configuration.

    Or you can remove an old root certificate via PowerShell using:

    Remove-AzVpnClientRootCertificate -VpnClientRootCertificateName "<OldRootCertName>" -PublicCertData "<OldRootCertBase64Data>" -VirtualNetworkGatewayName "<YourGatewayName>" -ResourceGroupName "<YourResourceGroupName>"
    

    Wait for 15 minutes after removing the root certs — this ensures the gateway flushes internal cache and state.

    Add the new root certificate:

    • Now add your new root certificate (Base64-encoded .cer).
    • Make sure the certificate name is unique (i.e., different from the old one, to prevent weird conflicts).
    • Save the configuration again.

    Regenerate and download the VPN profile:

    • Go back to Point-to-site configuration.
    • Click Download VPN Client again (choose OpenVPN if applicable).
    • This profile should now include the new root certificate in the configuration.

    Distribute the new profile to clients:

    • Replace old profiles on client machines with this updated one.
    • Ensure the client machine trusts the new root certificate (installed in the Local Machine/Trusted Root CA store, if necessary).

    Restart the Gateway (again):

    While you've mentioned resetting the gateway didn’t help, it can sometimes take a little while for changes to propagate. You might want to attempt the reset again after making sure all settings are correctly configured.

    Run the following Azure CLI command to restart the gateway forcefully:

    az network vnet-gateway reset --name <GatewayName> --resource-group <ResourceGroupName>
    
    

    Once restarted, download the VPN profile (ensure new certificate is included) and distribute the new profile to clients.


    Please consider up-voting wherever the information provided helps you; this can be beneficial to other community members.
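The whole rotation procedure from the answer above in one script, as an added example that is not part of the original thread, the question author's setup, or Microsoft's own documentation. It assumes the Az.Network module is installed and Connect-AzAccount has already been run; the resource group, gateway and certificate names and the path to the new Base64-encoded .cer are placeholders to replace. Beyond the steps the answer lists, it adds the check a practitioner wants at the end: it reads the CA out of the freshly generated OpenVPN profile and compares its SHA-1 thumbprint with the thumbprint of the certificate that was uploaded, so "the profile still uses the old certificate" is caught before the profile is distributed.

```powershell
# Added example (not from the thread): rotate a P2S root CA on an Azure VPN gateway
# and verify the regenerated OpenVPN profile really carries the new CA.
# Assumes Az.Network is installed and Connect-AzAccount has been run.
# All names and the .cer path below are placeholders for your environment.
param(
    [string]$ResourceGroupName = "<YourResourceGroupName>",
    [string]$GatewayName       = "<YourGatewayName>",
    [string]$OldRootCertName   = "<OldRootCertName>",
    [string]$NewRootCertName   = "<NewRootCertName>",           # must differ from the old name
    [string]$NewRootCertPath   = "C:\certs\P2SRootCert-new.cer" # Base64-encoded (PEM) .cer
)
$ErrorActionPreference = "Stop"

# PublicCertData is the Base64 body only: no BEGIN/END lines, no line breaks.
function ConvertTo-PublicCertData([string]$PemText) {
    $body = (($PemText -split "`r?`n") | Where-Object { $_ -and $_ -notmatch '^-----' }) -join ''
    if ($body -notmatch '^[A-Za-z0-9+/=]+$') { throw "Input is not a Base64-encoded certificate" }
    return $body
}

# SHA-1 thumbprint of a DER certificate given as Base64, used to compare CAs by identity
# rather than by the name they were registered under.
function Get-CertThumbprint([string]$PublicCertData) {
    $der = [Convert]::FromBase64String($PublicCertData)
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der).Thumbprint
}

$newCertData = ConvertTo-PublicCertData (Get-Content -Path $NewRootCertPath -Raw)
$newThumb    = Get-CertThumbprint $newCertData

# 1. Remove the expired root. Remove-AzVpnClientRootCertificate needs the PublicCertData
#    as well as the name, so read it back from the gateway first.
$old = Get-AzVpnClientRootCertificate -VpnClientRootCertificateName $OldRootCertName `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName
$oldThumb = Get-CertThumbprint $old.PublicCertData
Remove-AzVpnClientRootCertificate -VpnClientRootCertificateName $OldRootCertName `
        -PublicCertData $old.PublicCertData `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName

# 2. Give the gateway time to drop the old state (the answer suggests 15 minutes).
Start-Sleep -Seconds 900

# 3. Add the replacement root under a name the gateway has not used before.
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $NewRootCertName `
        -PublicCertData $newCertData `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName

# 4. Confirm what the gateway now lists: the new root is present, the expired one is gone.
$roots  = @(Get-AzVpnClientRootCertificate -VirtualNetworkGatewayName $GatewayName `
             -ResourceGroupName $ResourceGroupName)
$thumbs = $roots | ForEach-Object { Get-CertThumbprint $_.PublicCertData }
foreach ($r in $roots) { "{0}  {1}" -f $r.Name, (Get-CertThumbprint $r.PublicCertData) }
if ($thumbs -notcontains $newThumb) { throw "Gateway does not list the new root CA $newThumb" }
if ($thumbs -contains $oldThumb)    { throw "Gateway still lists the expired root CA $oldThumb" }

# 5. Reset the gateway so it reloads its P2S configuration (takes several minutes).
$gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName
Reset-AzVirtualNetworkGateway -VirtualNetworkGateway $gw

# 6. Regenerate the client profile and check the CA embedded in the OpenVPN config.
$cfg = New-AzVpnClientConfiguration -ResourceGroupName $ResourceGroupName -Name $GatewayName `
        -AuthenticationMethod EapTls
$zip = Join-Path $env:TEMP "p2s-profile.zip"
$dir = Join-Path $env:TEMP "p2s-profile"
Invoke-WebRequest -Uri $cfg.VpnProfileSASUrl -OutFile $zip
Expand-Archive -Path $zip -DestinationPath $dir -Force
$ovpn = Get-Content -Path (Join-Path $dir "OpenVPN\vpnconfig.ovpn") -Raw
if (-not ($ovpn -match '(?s)<ca>\s*(.*?)\s*</ca>')) { throw "No <ca> block in vpnconfig.ovpn" }
$profileThumb = Get-CertThumbprint (ConvertTo-PublicCertData $Matches[1])
if ($profileThumb -ne $newThumb) {
    throw "Downloaded profile still carries CA $profileThumb, expected $newThumb"
}
"Profile OK: gateway and vpnconfig.ovpn both trust root $newThumb. Distribute $zip to clients."
```

If the final comparison throws, do not hand the profile out: the gateway has accepted the new root but the generated client configuration still references the old one, which is exactly the state the question describes. Re-run step 6 after the reset has fully completed before escalating, since New-AzVpnClientConfiguration can return a profile built from the pre-reset configuration if called too early.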

