Install client certificates for P2S certificate authentication connections

When a P2S VPN gateway is configured to require certificate authentication, each client computer must have a client certificate installed locally. This article helps you install a client certificate locally on a client computer. You can also use Intune to install certain VPN client profiles and certificates.

If you want to generate a client certificate from a self-signed root certificate, see one of the following articles:


  1. Once the client certificate is exported, locate and copy the .pfx file to the client computer.
  2. On the client computer, double-click the .pfx file to install. Leave the Store Location as Current User, and then select Next.
  3. On the File to import page, don't make any changes. Select Next.
  4. On the Private key protection page, input the password for the certificate, or verify that the security principal is correct, then select Next.
  5. On the Certificate Store page, leave the default location, and then select Next.
  6. Select Finish. On the Security Warning for the certificate installation, select Yes. You can comfortably select 'Yes' for this security warning because you generated the certificate.
  7. The certificate is now successfully imported.



macOS VPN clients are supported for the Resource Manager deployment model only. They are not supported for the classic deployment model.

  1. Locate the .pfx certificate file and copy it to your Mac. You can get the certificate to the Mac in several ways. For example, you can email the certificate file.
  2. Double-click the certificate. You will either be asked to input the password and the certificate will automatically install, or the Add Certificates box will appear. On the Add Certificates box, click Add to begin the install.
  3. Select login from the dropdown.
  4. Enter the password that you created when the client certificate was exported. The password protects the private key of the certificate. Click OK.
  5. Click Add to add the certificate.
  6. To view the added certificate, open the Keychain Access application and navigate to the Certificates tab.


The Linux client certificate is installed on the client as part of the client configuration. See Client configuration - Linux for instructions.

Next steps

Continue with the Point-to-Site configuration steps to Create and install VPN client configuration files for Windows, macOS, or Linux).