How to Configure an Azure Point-to-Site VPN

This blog post is the second in a series of three which will demonstrate how to configure a Point-to-Site VPN step-by-step. In my first blog post, I demonstrated how to configure a virtual network and a dynamic routing gateway. Today’s post will be about creating certificates.

CREATING CERTIFICATES

At this step, we will create and upload a certificate. This certificate will be used to authenticate the VPN clients and are performed in few steps:

Generate the certificate
Upload the root certificate to the Azure Management Portal
Generate a client certificate
Export and install the client certificate

Let’s start …

We will need to use the MakeCert tool. MakeCert is part of “Microsoft Visual Studio Express”.
After successfully downloading the tool, start the setup and follow the installation steps. Note that you can generate this certificate in any computer, not only in the computer where you are configuring the VPN.
After the installation, you can find MakeCert at:
- C:\Program Files (x86)\Windows Kits\8.1\bin\x64
- C:\Program Files (x86)\Windows Kits\8.1\bin\x86
Launch the command prompt as Administrator. Point the path to one of the folders referred in the previous step and execute the following command (note: keep the command line opened):
makecert -sky exchange -r -n “CN=RootCertificateMurilo” -pe -a sha1 -len 2048 -ss My “RootCertificateMurilo.cer”
(where “RootCertificateMurilo” is teh certificate name).
This command will create and install a root certificate in the Personal certificate store and create the define RootCertificateMurilo.cer file in the same directory that you are executing the command.Note: Store this certificate in a safe location.
Now, go to the Windows Azure Management Portal https://manage.windowsazure.com/ in order to upload the certificate.
In the networks section, select the previously created network and go to the certificate page.
Click Upload a root certificate, select your certificate, and click in the check mark.
- Depending on the time zone of the server where you created the certificate, you might receive an error message, “The certificate is not valid yet, effective date is [date and time].” To work around this, delete the created certificate, and create another one adding the following parameter (change the date):-b “07/30/2014″It will be valid form 00:00:00 hours for the day you set.
Now we need to create a Client Certificate. We will use the Root Certificate to do this.
In the same command line window, opened before, execute the following command:makecert.exe -n “CN=ClientCertificateMurilo” -pe -sky exchange -m 96 -ss My -in “RootCertificateMurilo” -is my -a sha1This certificate will be stored in your personal certificate store.
Now we need to export this certificate, as this should be installed on each computer that needs to be connected to the virtual network. To achieve this, enter the command “mmc”, still in the opened command line. The following window will be shown:
- Go to File->Add/Remove Snap-in.
- Select “Certificates” and click on “Add >”.
- Select My user account and click Finish.
- Click OK in the remaining window.
- Now you will be able to see your certificates under the “Personal\Certificates” folder:
To export the certificate, right click the Client certificate and click on “All Tasks->Export…”, as shown:
A wizard will be presented. Choose Yes, export the private key and click.
Leave this as default, and click Next.
Choose a strong password (try to remember this) and click Next.
Now you need to set the path to store you .pfx file.
Click Next, then Finish.
To finalize the “Certificates part”, we will need to install the certificate on all the servers where we want to setup the VPN.To accomplish this, you just need to:
- Copy the exported .pfx file (step 13) to all the servers.
- Double-click the pfx on all the servers.
- Enter the password.
- Proceed with the installation, maintaining the default location.