Generate and export certificates - Linux (strongSwan)

VPN Gateway point-to-site connections can use certificates to authenticate. This article shows you how to create a self-signed root certificate and generate client certificates using strongSwan. You can also use PowerShell or MakeCert.

Each client must have a client certificate installed locally to connect. Additionally, the root certificate public key information must be uploaded to Azure. For more information, see Point-to-site configuration - certificate authentication.

Install strongSwan

The following steps help you install strongSwan.

The following configuration was used when specifying commands:

  • Computer: Ubuntu Server 18.04
  • Dependencies: strongSwan

Use the following commands to install the required strongSwan configuration:

sudo apt-get update
sudo apt-get upgrade
sudo apt install strongswan
sudo apt install strongswan-pki
sudo apt install libstrongswan-extra-plugins
sudo apt install libtss2-tcti-tabrmd0

Linux CLI instructions (strongSwan)

The following steps help you generate and export certificates using the Linux CLI (strongSwan). For more information, see Additional instructions to install the Azure CLI.

Generate the CA certificate.

ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem

Print the CA certificate in base64 format. This is the format that is supported by Azure. You upload this certificate to Azure as part of the P2S configuration steps.

openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo

Generate the user certificate.

export PASSWORD="password"
export USERNAME=$(hostnamectl --static)

ipsec pki --gen --outform pem > "${USERNAME}Key.pem"
ipsec pki --pub --in "${USERNAME}Key.pem" | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem > "${USERNAME}Cert.pem"

Generate a p12 bundle containing the user certificate. This bundle will be used in the next steps when working with the client configuration files.

openssl pkcs12 -in "${USERNAME}Cert.pem" -inkey "${USERNAME}Key.pem" -certfile caCert.pem -export -out "${USERNAME}.p12" -password "pass:${PASSWORD}"

Next steps

Continue with your point-to-site configuration to Create and install VPN client configuration files - Linux.