Oiliúint
Deimhniú
Microsoft Certified: Azure Security Engineer Associate - Certifications
Demonstrate the skills needed to implement security controls, maintain an organization’s security posture, and identify and remediate security vulnerabilities.
Generate and export certificates - Linux - OpenSSL
This article helps you create a self-signed root certificate and generate client certificate .pem files using OpenSSL. If you need .pfx and .cer files instead, see the Windows- PowerShell instructions.
To use this article, you must have a computer running OpenSSL.
This section helps you generate a self-signed root certificate. After you generate the certificate, you export root certificate public key data file.
The following example helps you generate the self-signed root certificate.
CLIopenssl genrsa -out caKey.pem 2048 openssl req -x509 -new -nodes -key caKey.pem -subj "/CN=VPN CA" -days 3650 -out caCert.pemPrint the self-signed root certificate public data in base64 format. This is the format that's supported by Azure. Upload this certificate to Azure as part of your P2S configuration steps.
CLIopenssl x509 -in caCert.pem -outform der | base64 -w0 && echo
Nóta
Microsoft recommends that you use the most secure authentication flow available. The authentication flow described in this procedure requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows, such as managed identities, aren't viable.
In this section, you generate the user certificate (client certificate). Certificate files are generated in the local directory in which you run the commands. You can use the same client certificate on each client computer, or generate certificates that are specific to each client. It's crucial that the client certificate is signed by the root certificate.
To generate a client certificate, use the following examples.
CLIexport PASSWORD="password" export USERNAME=$(hostnamectl --static) # Generate a private key openssl genrsa -out "${USERNAME}Key.pem" 2048 # Generate a CSR (Certificate Sign Request) openssl req -new -key "${USERNAME}Key.pem" -out "${USERNAME}Req.pem" -subj "/CN=${USERNAME}" # Sign the CSR using the CA certificate and CA key openssl x509 -req -days 365 -in "${USERNAME}Req.pem" -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out "${USERNAME}Cert.pem" -extfile <(echo -e "subjectAltName=DNS:${USERNAME}\nextendedKeyUsage=clientAuth")To verify the client certificate, use the following example.
CLIopenssl verify -CAfile caCert.pem caCert.pem "${USERNAME}Cert.pem"
- To continue VPN Gateway configuration steps, see Point-to-site certificate authentication.
- To continue Virtual WAN configuration steps, see Create a P2S User VPN connection.
Acmhainní breise
Doiciméadúchán
-
Generate and export certificates for P2S: PowerShell - Azure VPN Gateway
Learn how to create a self-signed root certificate, export a public key, and generate client certificates for VPN Gateway point-to-site connections.
-
Install a Point-to-Site client certificate - Azure VPN Gateway
Learn how to install client certificates for P2S certificate authentication - Windows, Mac, Linux.
-
Configure P2S VPN clients: certificate authentication: Azure VPN client: Windows - Azure VPN Gateway
Learn how to configure VPN clients for P2S configurations that use certificate authentication. This article applies to Windows and the Azure VPN client.