Install client certificates for P2S certificate authentication connections

All clients that connect to a virtual network using Point-to-Site Azure certificate authentication require a client certificate. This article helps you install a client certificate that is used for authentication when connecting to a VNet using P2S.

Acquire a client certificate

No matter what client operating system you want to connect from, you must always have a client certificate. You can generate a client certificate from either a root certificate that was generated using an Enterprise CA solution, or a self-signed root certificate. See the PowerShell, MakeCert, or Linux instructions for steps to generate a client certificate.


If you want to create a P2S connection from a client computer other than the one you used to generate the client certificates, you need to install a client certificate. When installing a client certificate, you need the password that was created when the client certificate was exported.

  1. Locate and copy the .pfx file to the client computer. On the client computer, double-click the .pfx file to install. Leave the Store Location as Current User, and then click Next.
  2. On the File to import page, don't make any changes. Click Next.
  3. On the Private key protection page, input the password for the certificate, or verify that the security principal is correct, then click Next.
  4. On the Certificate Store page, leave the default location, and then click Next.
  5. Click Finish. On the Security Warning for the certificate installation, click Yes. You can feel comfortable clicking 'Yes' because you generated the certificate. The certificate is now successfully imported.



Mac VPN clients are supported for the Resource Manager deployment model only. They are not supported for the classic deployment model.

When installing a client certificate, you need the password that was created when the client certificate was exported.

  1. Locate the .pfx certificate file and copy it to your Mac. You can get the certificate to the Mac in several ways, for example, you can email the certificate file.

  2. After the certificate copied to the Mac, double-click the certificate to open the Add Certificates box, the click Add to begin the install.

    Add certificates

  3. Enter the password that you created when the client certificate was exported. The password protects the private key of the certificate. Click OK to complete the installation.



The Linux client certificate is installed on the client as part of the client configuration. See Client configuration - Linux for instructions.

Next steps

Continue with the Point-to-Site configuration steps to Create and install VPN client configuration files.