Hello Eric Maussion
I understand that you're running into issues with your VPN gateway: even though the new certificate is uploaded via the CLI or the portal, the gateway often continues to use the old root certificate internally for client validation (as reflected in the downloaded VPN configuration/profile). Here's how you can address this:
Remove the old root certificate completely from the P2S configuration:
If the new root certificate is verified to be present but the old one is still causing connection attempts, consider removing the old root certificate from the Point-to-Site configuration.
- Go to the Azure Portal.
- Navigate to your Virtual Network Gateway.
- Under Point-to-site configuration, remove all existing root certificates.
- Save the configuration.
Or you can remove an old root certificate via PowerShell using (the cmdlet also expects the certificate's Base64 data):

```powershell
Remove-AzVpnClientRootCertificate -VpnClientRootCertificateName "<OldRootCertName>" -VirtualNetworkGatewayName "<YourGatewayName>" -ResourceGroupName "<YourResourceGroupName>" -PublicCertData "<OldRootCertBase64Data>"
```
Wait for 15 minutes after removing the root certs — this ensures the gateway flushes internal cache and state.
Add the new root certificate:
- Now add your new root certificate (Base64-encoded .cer).
- Make sure the certificate name is unique (i.e., different from the old one, to prevent weird conflicts).
- Save the configuration again.
Regenerate and download the VPN profile:
- Go back to Point-to-site configuration.
- Click Download VPN Client again (choose OpenVPN if applicable).
- This profile should now include the new root certificate in the configuration.
Distribute the new profile to clients:
- Replace old profiles on client machines with this updated one.
- Ensure the client machine trusts the new root certificate (installed in the Local Machine/Trusted Root CA store, if necessary).
Restart the Gateway (again):
While you've mentioned that resetting the gateway didn't help, it can sometimes take a little while for changes to propagate. You might want to attempt the reset again after making sure all settings are correctly configured.
Run the following Azure CLI command to restart the gateway forcefully:

```shell
az network vnet-gateway reset --name <GatewayName> --resource-group <ResourceGroupName>
```
Once restarted, download the VPN profile (ensure new certificate is included) and distribute the new profile to clients.
Please consider up-voting wherever the information provided helps you, as this can be beneficial to other community members.
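Before distributing the regenerated profile, it is worth confirming that it really carries the new root and no longer the old one. The following is an added example (not code from this answer or from Azure) that compares the SHA-256 fingerprints of every PEM certificate block embedded in a downloaded profile against the new and old Base64 .cer data; it assumes the root appears in the profile as a PEM block (as in an OpenVPN `<ca>` section, a layout assumed here) and uses constructed placeholder certificate bytes rather than real X.509 data.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block in a profile (e.g. the <ca> section of an OpenVPN .ovpn).
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint(cert_text: str) -> str:
    """SHA-256 fingerprint of one certificate, given as PEM or as bare Base64 (.cer) data."""
    match = PEM_BLOCK.search(cert_text)
    body = match.group(1) if match else cert_text
    der = base64.b64decode("".join(body.split()))  # drop line wrapping before decoding
    return hashlib.sha256(der).hexdigest()


def profile_root_fingerprints(profile_text: str) -> set:
    """Fingerprints of every certificate embedded in the downloaded profile text."""
    return {fingerprint(m.group(0)) for m in PEM_BLOCK.finditer(profile_text)}


def check_profile(profile_text: str, new_root_cer: str, old_root_cer: str) -> dict:
    """Report whether the profile carries the new root and whether the old root still lingers."""
    present = profile_root_fingerprints(profile_text)
    return {
        "new_root_present": fingerprint(new_root_cer) in present,
        "old_root_present": fingerprint(old_root_cer) in present,
    }


def _pem(b64: str) -> str:
    """Wrap bare Base64 data into a PEM block, 64 characters per line."""
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----"


# Constructed placeholder "certificates": Base64 of arbitrary bytes, not real X.509 data.
OLD_ROOT_CER = base64.b64encode(b"constructed old P2S root certificate bytes " * 3).decode()
NEW_ROOT_CER = base64.b64encode(b"constructed new P2S root certificate bytes " * 3).decode()

# Constructed profile snippets in OpenVPN layout (a real file also carries many other settings).
STALE_PROFILE = f"client\nremote <gateway-placeholder> 443\n<ca>\n{_pem(OLD_ROOT_CER)}\n</ca>\n"
FRESH_PROFILE = f"client\nremote <gateway-placeholder> 443\n<ca>\n{_pem(NEW_ROOT_CER)}\n</ca>\n"

if __name__ == "__main__":
    print("stale profile:", check_profile(STALE_PROFILE, NEW_ROOT_CER, OLD_ROOT_CER))
    print("fresh profile:", check_profile(FRESH_PROFILE, NEW_ROOT_CER, OLD_ROOT_CER))
```

Feed it the text of the real profile file and the Base64 .cer contents you uploaded; a result with `old_root_present` still true means the gateway has not yet picked up the change.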