Generate and export certificates

Point-to-Site connections use certificates to authenticate. This article shows you how to create a self-signed root certificate and generate client certificates using the Linux CLI and strongSwan. If you are looking for different certificate instructions, see the Powershell or MakeCert articles. For information about how to install strongSwan using the GUI instead of CLI, see the steps in the Client configuration article.

Install strongSwan

The following configuration was used for the steps below:

Computer Ubuntu Server 18.04
Dependencies strongSwan

Use the following commands to install the required strongSwan configuration:

sudo apt install strongswan
sudo apt install strongswan-pki
sudo apt install libstrongswan-extra-plugins

Use the following command to install the Azure command-line interface:

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Additional instructions on how to install the Azure CLI

Generate and export certificates

Generate the CA certificate.

ipsec pki --gen --outform pem > caKey.pem
ipsec pki --self --in caKey.pem --dn "CN=VPN CA" --ca --outform pem > caCert.pem

Print the CA certificate in base64 format. This is the format that is supported by Azure. You will later upload this to Azure as part of your P2S configuration.

openssl x509 -in caCert.pem -outform der | base64 -w0 ; echo

Generate the user certificate.

export PASSWORD="password"
export USERNAME="client"

ipsec pki --gen --outform pem > "${USERNAME}Key.pem"
ipsec pki --pub --in "${USERNAME}Key.pem" | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "CN=${USERNAME}" --san "${USERNAME}" --flag clientAuth --outform pem > "${USERNAME}Cert.pem"

Generate a p12 bundle containing the user certificate. This bundle will be used in the next steps when working with the client configuration files.

openssl pkcs12 -in "${USERNAME}Cert.pem" -inkey "${USERNAME}Key.pem" -certfile caCert.pem -export -out "${USERNAME}.p12" -password "pass:${PASSWORD}"

Next steps

Continue with your Point-to-Site configuration to Create and install VPN client configuration files.