Could not find a certificate that can be used for the Extensible Authentication Protocol

Question

Could not find a certificate that can be used for the Extensible Authentication Protocol

Dominic Nancy 6

Hello everyone, I configured certificate verification in Azure, and then imported the certificate into the computer account and personal account, but when I use the VPN link, it seems that I can't find a certificate that can be used for an extensible authentication protocol.

Dominic Nancy 6 Reputation points

2021-10-10T08:27:57.84+00:00

I have followed the official documentation, but I still can’t connect. I have tried self-signed certificates and certificates issued by institutions, but I can’t link https://learn.microsoft.com/en-us/azure/vpn-gateway/ vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems

1 answer

Your answer

Dominic Nancy 6 Reputation points

2021-10-10T08:27:57.84+00:00

I have followed the official documentation, but I still can’t connect. I have tried self-signed certificates and certificates issued by institutions, but I can’t link https://learn.microsoft.com/en-us/azure/vpn-gateway/ vpn-gateway-troubleshoot-vpn-point-to-site-connection-problems

Answer 1

GitaraniSharma-MSFT 50,171 Microsoft Employee Moderator

Hello @Dominic Nancy ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

If you have already followed this troubleshooting doc and it is still not working, you may have to create a new certificate and it should work.
Before you go ahead and create a new certificate, make sure to delete the existing network connections on your client machine by browsing to:
C:\Users<UserName>\AppData\Roaming\Microsoft\Network\Connections\Cm<GUID>
Delete the existing GUID folders.

Then follow the below docs to generate & install a new certificate to your client machine, add the root certificate data to your Azure VPN gateway and then download the fresh VPN client from Azure portal (VPN gateway) & install it:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-how-to-vpn-client-install-azure-cert
https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-configuration-azure-cert

Note: When you import the client certificate, do not select the Enable strong private key protection option.

If you still face the same issue, we may need to investigate further offline.

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Dominic Nancy 6 Reputation points

2021-10-11T12:01:44.573+00:00

I found that it was caused by a problem with the created certificate. My steps to create a certificate are as follows:
1.Open the key vault, create a new certificate, customize the certificate name and subject
2.Download certificates in cer format and pfx format
3.Copy the contents of the open cer certificate into the public certificate data of the virtual network gateway
4.Import the cer file into Local Computer\Trusted Root Certification Authorities
5.Import the pfx file into Current User\Personal\Certificates
6.Download the client in the virtual network gateway to connect
Say whether my above method is correct, and there is something missing, because I tested that it is indeed related to the certificate, not the setting
GitaraniSharma-MSFT 50,171 Reputation points Microsoft Employee Moderator

2021-10-12T11:02:40.48+00:00

Hello @Dominic Nancy ,

You cannot use certificates from Azure Key Vault for Point to site VPN. It is not supported.
You can only use your Enterprise PKI solution (your internal PKI), Azure PowerShell, MakeCert, and OpenSSL to create certificates.

Please refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#can-i-use-certificates-from-azure-key-vault

Kindly let us know if the above helps or you need further assistance on this issue.

----------------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Dominic Nancy 6 Reputation points

2021-10-14T06:22:25.44+00:00

Hello, I generated a self-signed certificate through New-SelfSignedCertificate

But it still doesn't seem to work
GitaraniSharma-MSFT 50,171 Reputation points Microsoft Employee Moderator

2021-10-14T09:27:09.44+00:00

Hello @Dominic Nancy ,

Thank you for the update.

Could you confirm that you did not select the "Enable strong private key protection" option, while importing the client certificate? Also, did you delete the old VPN client from the device and re-download & re-install a new VPN client from the Azure portal after the new root certificate upload to the VPN gateway?

Regards,
Gita
Dominic Nancy 6 Reputation points

2021-10-15T01:54:12.643+00:00

Can you help me generate a certificate, and then tell me where to put it on the computer. Can I test it? I want to see if there is a problem with the certificate I generated
Dominic Nancy 6 Reputation points

2021-10-15T08:21:14.133+00:00

Yes, I did not select "Enable strong private key protection", I also deleted the old client and re-downloaded the new client, and also filled in the new cer certificate in the Azure gateway
GitaraniSharma-MSFT 50,171 Reputation points Microsoft Employee Moderator

2021-10-19T12:49:42.877+00:00

Hello @Dominic Nancy ,

Sure, we can work offline to investigate further. Request you to send an email as advised in the private message.

Regards,
Gita

Share via

Could not find a certificate that can be used for the Extensible Authentication Protocol

1 answer

Your answer